The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by threat actors leveraging known malicious indicators.
IOC Summary
Malware Family: KongTuke
Total IOCs: 5
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | fontanf.lol | payload_delivery | 2026-05-09 | 100% |
| url | hxxps://fontanf.lol/t | payload_delivery | 2026-05-09 | 100% |
| url | hxxps://fontanf.lol/g | payload_delivery | 2026-05-09 | 100% |
| url | hxxps://fontanf.lol/c | payload_delivery | 2026-05-09 | 100% |
| url | hxxps://fontanf.lol/file.js | payload_delivery | 2026-05-09 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any is term-based and case-insensitive: it matches the domain itself and
// any subdomain of it, but not unrelated names that merely contain the string.
let malicious_domains = dynamic(["fontanf.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// The IOC table is defanged (hxxps); the list below carries the refanged URLs.
let malicious_urls = dynamic(["https://fontanf.lol/t", "https://fontanf.lol/g", "https://fontanf.lol/c", "https://fontanf.lol/file.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
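As an added example (not part of the ThreatFox rule page or its KQL), the following Python refangs the table's indicators, renders the `dynamic([...])` literal the hunting queries use, and matches constructed DNS and URL-click records with the domain/subdomain and URL-path semantics the hunt relies on. The record layout, the helper names and the sample records are this example's own assumptions.

```python
"""Added example, not the rule page's own code: refang the defanged KongTuke
indicators, emit the KQL dynamic([...]) literal, and check constructed log
records locally before the query goes into Sentinel."""
import re
from urllib.parse import urlsplit

# IOC table values exactly as ThreatFox publishes them (defanged with hxxps).
DEFANGED_IOCS = [
    ("domain", "fontanf.lol"),
    ("url", "hxxps://fontanf.lol/t"),
    ("url", "hxxps://fontanf.lol/g"),
    ("url", "hxxps://fontanf.lol/c"),
    ("url", "hxxps://fontanf.lol/file.js"),
]


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :"""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def to_kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal with every value double-quoted."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"dynamic([{quoted}])"


def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """True if the DNS query name is the IOC domain or a subdomain of it.
    Trailing dots and case are normalised (DNS names are case-insensitive);
    a name that merely ends with the same characters (notfontanf.lol) is not a hit."""
    q = query_name.rstrip(".").lower()
    d = ioc_domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def url_matches(observed_url: str, ioc_url: str) -> bool:
    """True if scheme, host and path equal the IOC URL. The host compare is
    case-insensitive (urlsplit lowercases hostname); a query string on the
    observed URL does not prevent a match, a different path does."""
    o, i = urlsplit(observed_url), urlsplit(ioc_url)
    return (o.scheme.lower() == i.scheme.lower()
            and o.hostname == i.hostname
            and o.path == i.path)


def hunt(records):
    """Return (record id, matched IOC) pairs over DNS and URL-click records."""
    hits = []
    for rec in records:
        for kind, raw in DEFANGED_IOCS:
            ioc = refang(raw)
            if rec["type"] == "dns" and kind == "domain" and domain_matches(rec["name"], ioc):
                hits.append((rec["id"], ioc))
            elif rec["type"] == "url" and kind == "url" and url_matches(rec["url"], ioc):
                hits.append((rec["id"], ioc))
    return hits


# Constructed sample records; field names are this example's assumption.
SAMPLE_RECORDS = [
    {"id": 1, "type": "dns", "name": "fontanf.lol", "computer": "ws01"},
    {"id": 2, "type": "dns", "name": "cdn.FONTANF.LOL.", "computer": "ws02"},   # subdomain, odd case
    {"id": 3, "type": "dns", "name": "notfontanf.lol", "computer": "ws03"},     # lookalike, not a hit
    {"id": 4, "type": "url", "url": "https://fontanf.lol/file.js?v=2", "user": "a@example.com"},
    {"id": 5, "type": "url", "url": "https://fontanf.lol/", "user": "b@example.com"},  # root, not listed
]

if __name__ == "__main__":
    print(to_kql_dynamic([refang(v) for k, v in DEFANGED_IOCS if k == "url"]))
    for rec_id, ioc in hunt(SAMPLE_RECORDS):
        print(f"record {rec_id} matched {ioc}")
```

The local matcher deliberately mirrors `has_any`: the KQL operator is term-based and case-insensitive, so `cdn.fontanf.lol` matches while `notfontanf.lol` does not; swapping `has_any` for `contains` in the query would widen the match to such lookalike names.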
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches one of the KongTuke IOCs (e.g., a PowerShell script named backup.ps1).
Filter/Exclusion: Check for the presence of a known backup tool (e.g., Veeam, Commvault) or filter by file path such as C:\Program Files\BackupTool\ or C:\Windows\System32\backup\.
Scenario: Admin Task for Log Management
Description: An administrator uses a tool like LogParser or PowerShell to process logs, which may include a command or script that matches a KongTuke IOC.
Filter/Exclusion: Filter by process name (logparser.exe, powershell.exe) and check for known admin tasks such as C:\Windows\System32\LogParser.exe or use a user context filter for admin accounts.
Scenario: Legitimate API Testing with Postman
Description: A developer uses Postman to test an API endpoint that includes a request URL or header matching a KongTuke IOC.
Filter/Exclusion: Filter by process name (postman.exe) and check for the presence of a known development tool or environment (e.g., C:\Program Files\Postman\). Also, check for HTTP request patterns that match legitimate API testing.
Scenario: Regular System Monitoring with Splunk
Description: A monitoring task using Splunk includes a script or command that matches a KongTuke IOC, such as a custom script used for log analysis.
Filter/Exclusion: Filter by process name (splunk.exe) and check for known monitoring directories (e.g., C:\Program Files\Splunk\). Also, verify if the script is part of a known monitoring or SIEM setup.
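As an added example (not from the rule page), the following Python applies the exclusions the four scenarios above describe, a known tool process name together with a known install directory, to hits before they are raised. The path check is done on normalised Windows paths so that a lookalike directory, a `..` segment, or a case difference cannot slip a hit past the allowlist. The event layout, the `BackupTool` directory and the sample hits are this example's assumptions.

```python
"""Added example, not the rule page's own code: suppress hits that come from a
known tool running from its known install directory, and nothing else."""
import ntpath

# Process names and directories taken from the false-positive scenarios above.
KNOWN_PROCESSES = {"logparser.exe", "powershell.exe", "postman.exe", "splunk.exe"}
KNOWN_DIRECTORIES = [
    r"C:\Program Files\BackupTool",   # placeholder vendor directory from the scenario
    r"C:\Windows\System32\backup",
    r"C:\Program Files\Postman",
    r"C:\Program Files\Splunk",
]


def is_under(path: str, directory: str) -> bool:
    """True only if path resolves inside directory. normpath collapses '..'
    and mixed separators; normcase makes the compare case-insensitive; the
    trailing separator stops 'C:\\Program Files\\Splunk2\\x.exe' matching
    'C:\\Program Files\\Splunk'."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + ntpath.sep)


def is_excluded(event: dict) -> bool:
    """Exclusion requires BOTH a known process name AND a known directory for
    the executable or the script it runs; powershell.exe from a temp folder
    is still alerted on."""
    exe = ntpath.basename(event.get("process_path", "")).lower()
    if exe not in KNOWN_PROCESSES:
        return False
    candidates = [event.get("process_path", ""), event.get("script_path", "")]
    return any(is_under(c, d) for c in candidates if c for d in KNOWN_DIRECTORIES)


def triage(hits):
    """Split hits into (alert ids, suppressed ids) using the exclusion rules."""
    alert, suppressed = [], []
    for hit in hits:
        (suppressed if is_excluded(hit) else alert).append(hit["id"])
    return alert, suppressed


# Constructed sample hits; each is an IOC match enriched with process context.
SAMPLE_HITS = [
    {"id": 1, "process_path": r"C:\Program Files\Splunk\bin\splunk.exe"},
    {"id": 2, "process_path": r"C:\Program Files\Splunk2\splunk.exe"},            # lookalike directory
    {"id": 3, "process_path": r"C:\Program Files\Splunk\..\Temp\splunk.exe"},     # traversal out of it
    {"id": 4, "process_path": r"C:\Users\x\AppData\Local\Temp\powershell.exe"},   # known name, unknown dir
    {"id": 5, "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "script_path": r"C:\Program Files\BackupTool\backup.ps1"},                   # scheduled backup job
    {"id": 6, "process_path": r"c:\program files\postman\Postman.exe"},           # case differences only
]

if __name__ == "__main__":
    alert_ids, suppressed_ids = triage(SAMPLE_HITS)
    print("alert:", alert_ids, "suppressed:", suppressed_ids)
```

Keeping the process-name and directory conditions conjunctive matters: the scenarios list `powershell.exe` as a benign process name, but a script that matches the IOCs and runs PowerShell from a user-writable location is exactly what the hunt exists to surface.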