The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with malicious network traffic and command-and-control communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before they cause significant damage.
IOC Summary

Malware Family: KongTuke
Total IOCs: 20
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://riihard.top/c | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://riihard.top/g | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://riihard.top/t | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://riihard.top/file.js | payload_delivery | 2026-05-11 | 100% |
| domain | riihard.top | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://gautter.lol/c | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://gautter.lol/g | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://gautter.lol/t | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://gautter.lol/file.js | payload_delivery | 2026-05-11 | 100% |
| domain | gautter.lol | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://chauvet.club/c | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://chauvet.club/g | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://chauvet.club/t | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://chauvet.club/file.js | payload_delivery | 2026-05-11 | 100% |
| domain | chauvet.club | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://olovier.lol/c | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://olovier.lol/g | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://olovier.lol/t | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://olovier.lol/file.js | payload_delivery | 2026-05-11 | 100% |
| domain | olovier.lol | payload_delivery | 2026-05-11 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["riihard.top", "gautter.lol", "chauvet.club", "olovier.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic([
    "https://riihard.top/c", "https://riihard.top/g", "https://riihard.top/t", "https://riihard.top/file.js",
    "https://gautter.lol/c", "https://gautter.lol/g", "https://gautter.lol/t", "https://gautter.lol/file.js",
    "https://chauvet.club/c", "https://chauvet.club/g", "https://chauvet.club/t", "https://chauvet.club/file.js",
    "https://olovier.lol/c", "https://olovier.lol/g", "https://olovier.lol/t", "https://olovier.lol/file.js"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
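The two queries above depend on the IOC values being refanged (`hxxps` back to `https`) and on the match semantics of `has_any`. The following added example, which is not part of the ThreatFox rule page or of any Sentinel tooling, reads an excerpt of the IOC table in the markdown form shown above, refangs it, and runs the same two hunts over constructed DNS and URL-click log lines. It goes slightly beyond the KQL: a DNS query name is matched when the IOC domain is the name itself or any parent label (so `cdn.riihard.top` is flagged but `notriihard.top` is not), query strings are ignored when comparing URLs, and a URL whose host is an IOC domain is reported as a domain hit even when scheme or path differ from the listed URL. The log formats (`timestamp,computer,qname` and `timestamp,user,url`) are constructed for the example and are not Sentinel table schemas.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed excerpt of the page's IOC table, kept in its published (defanged) markdown form.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://riihard.top/c | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://riihard.top/file.js | payload_delivery | 2026-05-11 | 100% |
| domain | riihard.top | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://gautter.lol/t | payload_delivery | 2026-05-11 | 100% |
| domain | gautter.lol | payload_delivery | 2026-05-11 | 100% |
| domain | chauvet.club | payload_delivery | 2026-05-11 | 100% |
| domain | olovier.lol | payload_delivery | 2026-05-11 | 100% |
"""

# Constructed log lines (not a Sentinel schema): timestamp,computer,qname
DNS_LOG = """\
2026-05-12T01:02:03Z,WS-042,cdn.riihard.top
2026-05-12T01:05:00Z,WS-017,updates.microsoft.com
2026-05-12T01:07:44Z,WS-042,notriihard.top
2026-05-12T01:09:10Z,WS-099,olovier.lol."""

# Constructed log lines (not a Sentinel schema): timestamp,user,url
URL_LOG = """\
2026-05-12T01:02:05Z,alice@example.test,https://riihard.top/file.js
2026-05-12T01:02:06Z,bob@example.test,https://riihard.top/file.js?cb=123
2026-05-12T01:03:00Z,carol@example.test,https://example.test/c
2026-05-12T01:04:00Z,dave@example.test,http://gautter.lol/t"""


def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so IOCs compare against real logs."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def normalize_url(url: str) -> tuple:
    """Reduce a URL to (scheme, host, path); query string and fragment are dropped."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    return (parts.scheme.lower(), host, parts.path or "/")


def parse_ioc_table(table: str) -> tuple:
    """Return (domains, urls) from a markdown IOC table in the layout used on this page."""
    domains, urls = set(), set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header, separator or blank line
        ioc_type, value = cells[0], refang(cells[1])
        if ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        elif ioc_type == "url":
            urls.add(normalize_url(value))
    return domains, urls


def domain_hit(qname: str, domains: set) -> Optional[str]:
    """Return the IOC domain matching qname itself or any parent label, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt_dns(log: str, domains: set) -> list:
    """Mirror of the DnsEvents hunt: (timestamp, computer, qname, matched_domain) per hit."""
    hits = []
    for line in log.splitlines():
        ts, computer, qname = line.split(",", 2)
        matched = domain_hit(qname, domains)
        if matched:
            hits.append((ts, computer, qname, matched))
    return hits


def hunt_urls(log: str, domains: set, urls: set) -> list:
    """Mirror of the UrlClickEvents hunt, plus a host-level match: (timestamp, user, url, reason)."""
    hits = []
    for line in log.splitlines():
        ts, user, url = line.split(",", 2)
        norm = normalize_url(url)
        if norm in urls:
            hits.append((ts, user, url, "url"))
        elif domain_hit(norm[1], domains):
            hits.append((ts, user, url, "domain"))
    return hits


if __name__ == "__main__":
    domains, urls = parse_ioc_table(IOC_TABLE)
    for hit in hunt_dns(DNS_LOG, domains) + hunt_urls(URL_LOG, domains, urls):
        print(hit)
```

The domain-suffix match is the part worth carrying back into KQL: a `has_any` on `DnsEvents.Name` already matches subdomains because `has` is term-based, but the URL query only fires on the exact listed paths, so a second clause on the URL's host is what catches the `http://gautter.lol/t` variant in the sample.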
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled job for system maintenance
  - Description: A scheduled job runs nightly to clean temporary files or update system configurations.
  - Filter/Exclusion: Exclude processes associated with crontab, systemd, or task scheduler and filter by known maintenance scripts (e.g., /usr/bin/cleanup.sh).
- Scenario: Admin task for updating KongTuke configuration
  - Description: An administrator manually updates the KongTuke configuration file using a text editor.
  - Filter/Exclusion: Exclude processes initiated from known admin tools like nano, vim, or emacs and filter by the specific configuration file path (e.g., /etc/kongtuke/config.yaml).
- Scenario: Legitimate use of KongTuke for API management
  - Description: The KongTuke platform is used to manage and route API traffic within the enterprise.
  - Filter/Exclusion: Exclude traffic originating from internal IP ranges and filter by known API management endpoints (e.g., /api/v1/routes, /api/v1/services).
- Scenario: Automated backup of KongTuke data
  - Description: A backup script runs to archive KongTuke database files to a secure location.
  - Filter/Exclusion: Exclude processes with backup or snapshot in the command line and filter by known backup directories (e.g., /backup/kongtuke/).
- Scenario: Legitimate use of KongTuke for internal service discovery
  - Description: KongTuke is used internally to discover and route services within a microservices architecture.
  - Filter/Exclusion: Exclude traffic to internal service discovery endpoints (e.g., /api/v1/discovery, /api/v1/services) and filter by internal DNS or IP ranges.