The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious campaigns. All eight indicators below are payload-delivery infrastructure, so a hit usually marks the initial-access stage. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: KongTuke
Total IOCs: 8
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ackerkann.lol/api/v1/session | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://ackerkann.lol/api/v1/verify | payload_delivery | 2026-05-21 | 100% |
| domain | ackerkann.lol | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://ackerkann.lol/file.js | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://lolfler.lol/api/v1/session | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://lolfler.lol/api/v1/verify | payload_delivery | 2026-05-21 | 100% |
| domain | lolfler.lol | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://lolfler.lol/file.js | payload_delivery | 2026-05-21 | 100% |
Hunting Queries
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any on Name also catches subdomains (e.g. cdn.ackerkann.lol), which is intended here.
let malicious_domains = dynamic(["ackerkann.lol", "lolfler.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// The IOC feed lists these as hxxps://; they are refanged to https:// here so they match real telemetry.
// UrlClickEvents only records links clicked from Microsoft 365 mail, Teams and Office (Safe Links);
// run the same list against proxy or firewall URL logs to cover ordinary browsing.
let malicious_urls = dynamic(["https://ackerkann.lol/api/v1/session", "https://ackerkann.lol/api/v1/verify", "https://ackerkann.lol/file.js", "https://lolfler.lol/api/v1/session", "https://lolfler.lol/api/v1/verify", "https://lolfler.lol/file.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (Windows DNS server logs via the DNS connector); if your DNS telemetry lands in a different table, adapt the query to that table. |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft Defender for Office 365 Safe Links data via the Microsoft 365 Defender connector); it does not cover general web traffic. |
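To check the same indicators against telemetry that is not yet in Sentinel (a proxy export, a DNS server log), the following Python matcher is an added example, not part of the original rule or of ThreatFox. It refangs the hxxps:// values from the IOC table, matches domains on label boundaries (so subdomains hit but look-alike names such as notackerkann.lol do not), matches URLs on scheme, host and path while ignoring query strings, and renders the domain set as the dynamic([...]) literal used in the KQL above. The two log line formats and every sample line are constructed for the demonstration.

```python
"""Offline matcher for the KongTuke IOCs listed above.

Added example, not part of the original rule or of ThreatFox. The log
formats and every log line below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# IOC values copied from the table above, still in their defanged form.
KONGTUKE_IOCS = [
    ("url", "hxxps://ackerkann.lol/api/v1/session"),
    ("url", "hxxps://ackerkann.lol/api/v1/verify"),
    ("domain", "ackerkann.lol"),
    ("url", "hxxps://ackerkann.lol/file.js"),
    ("url", "hxxps://lolfler.lol/api/v1/session"),
    ("url", "hxxps://lolfler.lol/api/v1/verify"),
    ("domain", "lolfler.lol"),
    ("url", "hxxps://lolfler.lol/file.js"),
]


def refang(value: str) -> str:
    """Undo common defanging so the IOC compares against real telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def url_key(url: str):
    """scheme://host/path, lower-cased, with query and fragment dropped."""
    parts = urlsplit(url.strip().lower())
    if not parts.scheme or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"


def build_indicators(iocs):
    """Split the feed into a domain set and a normalized URL set."""
    domains, urls = set(), set()
    for kind, value in iocs:
        value = refang(value)
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "url":
            key = url_key(value)
            if key:
                urls.add(key)
    return domains, urls


def domain_matches(qname: str, domains) -> bool:
    """Exact or subdomain match on label boundaries (notackerkann.lol is not a hit)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def kql_dynamic(values) -> str:
    """Render a set of indicators as the dynamic([...]) literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed log formats: one line per DNS query, one per proxy request.
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DNS query=(?P<qname>\S+) type=(?P<qtype>\S+)$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) PROXY user=(?P<user>\S+) url=(?P<url>\S+)$")


def hunt(log_lines, iocs=KONGTUKE_IOCS):
    """Return one hit dict per log line that matches a domain or URL indicator."""
    domains, urls = build_indicators(iocs)
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if m:
            if domain_matches(m["qname"], domains):
                hits.append({"source": "dns", "ts": m["ts"], "host": m["host"], "indicator": m["qname"]})
            continue
        m = PROXY_LINE.match(line)
        if m and url_key(m["url"]) in urls:
            hits.append({"source": "proxy", "ts": m["ts"], "host": m["host"],
                         "user": m["user"], "indicator": m["url"]})
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_LOGS = [
    "2026-05-21T10:01:02Z ws-017 DNS query=ackerkann.lol type=A",
    "2026-05-21T10:01:03Z ws-017 DNS query=cdn.lolfler.lol type=A",           # subdomain: hit
    "2026-05-21T10:01:04Z ws-017 DNS query=notackerkann.lol type=A",          # substring only: no hit
    "2026-05-21T10:01:05Z ws-017 DNS query=lolfler.lol.example.net type=A",   # IOC inside another zone: no hit
    "2026-05-21T10:02:00Z ws-017 PROXY user=j.doe url=https://ackerkann.lol/file.js?v=3",   # query string ignored: hit
    "2026-05-21T10:02:01Z ws-017 PROXY user=j.doe url=https://ackerkann.lol/api/v1/status", # unknown path: no hit
    "2026-05-21T10:02:02Z ws-018 PROXY user=a.smith url=https://LOLFLER.lol/api/v1/verify", # case-insensitive: hit
]

if __name__ == "__main__":
    doms, _ = build_indicators(KONGTUKE_IOCS)
    print("let malicious_domains = " + kql_dynamic(doms) + ";")
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Running the script prints the KQL let-statement for the domain list followed by the four expected hits. Because the feed marks every indicator as payload_delivery, treat a single proxy hit on one of the /api/v1/ paths as a likely successful stage transition rather than a blocked click, and pivot to the host's process and network telemetry around that timestamp.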
False Positive Scenarios
The DNS and URL queries above match resolved names and clicked links, not process command lines, so the exclusions below only apply if the hunt is extended to process telemetry (for example DeviceProcessEvents) and the IOC strings are searched in command-line arguments. Apply any exclusion narrowly (process name plus argument, not a bare keyword) so that a download tool invoked with a KongTuke URL is not filtered out along with the maintenance job.

Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using rsync or tar is executing and inadvertently matches one of the KongTuke IOCs because a matching string appears in its command line.
Filter/Exclusion: Exclude processes whose command-line arguments contain rsync, tar, or backup.

Scenario: Admin Task - User Management via CLI
Description: An administrator is using the useradd or usermod command to manage user accounts, and the command line includes a string that matches one of the KongTuke IOCs.
Filter/Exclusion: Exclude processes whose command-line arguments contain useradd, usermod, or passwd.

Scenario: Log Rotation Job Using logrotate
Description: A system log rotation job using logrotate is running, and the configuration file or command line includes a string that matches a KongTuke IOC.
Filter/Exclusion: Exclude processes where the command line contains logrotate or the process name is logrotate.

Scenario: Database Maintenance Task with mysqldump
Description: A database administrator is running a mysqldump command to export a database, and the command line includes a string that matches a KongTuke IOC.
Filter/Exclusion: Exclude processes where the command line contains mysqldump or the process name is mysqldump.

Scenario: Network Monitoring Tool Configuration Update
Description: A network monitoring tool such as nmap or tcpdump is being configured, and the command line or configuration file includes a string that matches a KongTuke IOC.
Filter/Exclusion: Exclude processes where the command line contains nmap,