The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement.
IOC Summary
Malware Family: KongTuke
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://dvxfigqyzgd.com/d | payload_delivery | 2026-05-06 | 100% |
| domain | dvxfigqyzgd.com | payload_delivery | 2026-05-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["dvxfigqyzgd.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://dvxfigqyzgd.com/d"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
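Added example, not part of the original rule page or of ThreatFox/Sentinel tooling: Python that refangs ThreatFox-style IOC values (the table above lists the URL defanged as hxxps://, while the query needs https://), derives the hostnames to hunt from both the domain and the URL indicator, renders the DnsEvents query above with that list inlined, and checks constructed DnsEvents rows with the same term-matching effect as has_any (subdomains hit, look-alike names that merely contain the string do not). The IOC records, sample events, and helper names are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed IOC records in the shape of the table above. ThreatFox publishes
# URL indicators defanged ("hxxps://"), so they must be refanged before use.
IOCS = [
    {"type": "url", "value": "hxxps://dvxfigqyzgd.com/d", "confidence": 100},
    {"type": "domain", "value": "dvxfigqyzgd.com", "confidence": 100},
]

def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def domains_from_iocs(iocs, min_confidence=75):
    """Hostnames to hunt for: domain IOCs plus the host of each URL IOC, so the
    DNS hunt also covers the URL indicator. Low-confidence IOCs are skipped."""
    hosts = set()
    for ioc in iocs:
        if ioc["confidence"] < min_confidence:
            continue
        value = refang(ioc["value"])
        host = urlsplit(value).hostname if ioc["type"] == "url" else value
        if host:
            hosts.add(host.lower())
    return sorted(hosts)

def kql_dns_hunt(hosts):
    # Render the DnsEvents query above with the refanged host list inlined.
    return ("let malicious_domains = dynamic(%s);\nDnsEvents\n"
            "| where Name has_any (malicious_domains)\n"
            "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
            "| order by TimeGenerated desc" % json.dumps(hosts))

def match_dns_events(events, hosts):
    """Offline check with the effect of 'Name has_any' on hostnames: exact host
    or a subdomain, not an unrelated name that merely contains the string."""
    hits = []
    for ev in events:
        name = ev["Name"].rstrip(".").lower()
        if any(name == h or name.endswith("." + h) for h in hosts):
            hits.append(ev)
    return hits

# Constructed sample DnsEvents rows, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Name": "dvxfigqyzgd.com", "QueryType": "A"},
    {"Computer": "ws02", "Name": "cdn.dvxfigqyzgd.com.", "QueryType": "A"},
    {"Computer": "ws03", "Name": "login.microsoftonline.com", "QueryType": "A"},
    {"Computer": "ws04", "Name": "notdvxfigqyzgd.com", "QueryType": "A"},
]
```

Running `match_dns_events(SAMPLE_EVENTS, domains_from_iocs(IOCS))` flags ws01 and ws02 only; `kql_dns_hunt(...)` yields the query shown above.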
Scenario: Scheduled Job for Log Rotation
Description: A legitimate scheduled job runs to rotate and archive logs, which may trigger the detection due to file system activity.
Filter/Exclusion: Exclude processes related to log rotation tools like logrotate or rsyslog with command-line arguments containing rotate or archive.

Scenario: Admin Task for Configuration Backup
Description: An administrator performs a routine backup of configuration files, which may include files matching the IOC pattern.
Filter/Exclusion: Exclude processes initiated by the root user with command-line arguments containing backup, config, or snapshot.

Scenario: Deployment of Kong API Gateway
Description: A legitimate deployment of Kong API Gateway may involve copying or extracting files that match the IOC pattern.
Filter/Exclusion: Exclude processes related to kong or kongctl with command-line arguments containing install, deploy, or extract.

Scenario: System Integrity Check with Tripwire
Description: A system integrity monitoring tool like Tripwire may generate alerts when it detects changes to files, which could be flagged by the rule.
Filter/Exclusion: Exclude processes with the full path to Tripwire binaries or command-line arguments containing check, scan, or integrity.

Scenario: Automated Script for Database Maintenance
Description: A scheduled script runs to maintain a database, which may involve file operations that match the IOC pattern.
Filter/Exclusion: Exclude processes initiated by a known maintenance script (e.g., db_maintenance.sh) or those running under a specific user account used for DB tasks.