← Back to SOC feed Coverage →

ThreatFox: KongTuke IOCs

ioc-hunt HIGH ThreatFox
DnsEventsUrlClickEvents
iocjs-kongtukethreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-05-12T11:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.

IOC Summary

Malware Family: KongTuke Total IOCs: 20 IOC Types: url, domain

TypeValueThreat TypeFirst SeenConfidence
urlhxxps://riihard.top/cpayload_delivery2026-05-11100%
urlhxxps://riihard.top/gpayload_delivery2026-05-11100%
urlhxxps://riihard.top/tpayload_delivery2026-05-11100%
urlhxxps://riihard.top/file.jspayload_delivery2026-05-11100%
domainriihard.toppayload_delivery2026-05-11100%
urlhxxps://gautter.lol/cpayload_delivery2026-05-11100%
urlhxxps://gautter.lol/gpayload_delivery2026-05-11100%
urlhxxps://gautter.lol/tpayload_delivery2026-05-11100%
urlhxxps://gautter.lol/file.jspayload_delivery2026-05-11100%
domaingautter.lolpayload_delivery2026-05-11100%
urlhxxps://chauvet.club/cpayload_delivery2026-05-11100%
urlhxxps://chauvet.club/gpayload_delivery2026-05-11100%
urlhxxps://chauvet.club/tpayload_delivery2026-05-11100%
urlhxxps://chauvet.club/file.jspayload_delivery2026-05-11100%
domainchauvet.clubpayload_delivery2026-05-11100%
urlhxxps://olovier.lol/cpayload_delivery2026-05-11100%
urlhxxps://olovier.lol/gpayload_delivery2026-05-11100%
urlhxxps://olovier.lol/tpayload_delivery2026-05-11100%
urlhxxps://olovier.lol/file.jspayload_delivery2026-05-11100%
domainolovier.lolpayload_delivery2026-05-11100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["riihard.top", "gautter.lol", "chauvet.club", "olovier.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://riihard.top/c", "https://riihard.top/g", "https://riihard.top/t", "https://riihard.top/file.js", "https://gautter.lol/c", "https://gautter.lol/g", "https://gautter.lol/t", "https://gautter.lol/file.js", "https://chauvet.club/c", "https://chauvet.club/g", "https://chauvet.club/t", "https://chauvet.club/file.js", "https://olovier.lol/c", "https://olovier.lol/g", "https://olovier.lol/t", "https://olovier.lol/file.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/js.kongtuke/