The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before significant damage occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 6
IOC Types: sha256_hash, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | f581012ea6faaff213d79db7ea93194a423a419870d0db664b90a0db6ae4088b | payload | 2026-05-18 | 90% |
| sha256_hash | 3aaae158a84409dbc3202b174005ed9acf39ca7f3785dbff07c56be928ff011f | payload | 2026-05-18 | 90% |
| sha256_hash | 833a0e0ed8bc34a1af0fbb43c56f7bea2c73dde2295f4df2e2c27011d70f52fa | payload | 2026-05-18 | 90% |
| sha256_hash | 6d11817f510e596bb9b739dd1fddb3b1c929831b81503a4e8d7129543bf899b9 | payload | 2026-05-18 | 90% |
| url | hxxps://k020e5b3g0h.com/d | payload_delivery | 2026-05-18 | 100% |
| domain | k020e5b3g0h.com | payload_delivery | 2026-05-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any does case-insensitive term matching, so subdomains of the listed domain match as well
let malicious_domains = dynamic(["k020e5b3g0h.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// The IOC table lists this URL defanged (hxxps); it is refanged here so it matches real telemetry
let malicious_urls = dynamic(["https://k020e5b3g0h.com/d"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - KongTuke
// Every listed hash is SHA-256, so only the SHA256 column can ever match (comparing the same
// values against SHA1 or MD5 is dead code); in~ makes the comparison case-insensitive
let malicious_hashes = dynamic(["f581012ea6faaff213d79db7ea93194a423a419870d0db664b90a0db6ae4088b", "3aaae158a84409dbc3202b174005ed9acf39ca7f3785dbff07c56be928ff011f", "833a0e0ed8bc34a1af0fbb43c56f7bea2c73dde2295f4df2e2c27011d70f52fa", "6d11817f510e596bb9b739dd1fddb3b1c929831b81503a4e8d7129543bf899b9"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
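The three queries above only work if the IOC values are pasted in correctly: the table lists the URL defanged (hxxps), hashes must be lower-case hex of the right length, and a typo in a dynamic array silently produces a query that never matches. The following added Python example, which is not part of the ThreatFox feed or this rule page, normalises the IOC list from the table, refangs and validates each value by type, renders the `let` binding and the hash query in the same shape as above, and runs the matching rules over a few constructed sample events. The sample DNS and file events, the host names, and the function names (`refang`, `normalise`, `kql_let`, `hunt`) are my own; the DNS rule treats a query name as a hit when it is the IOC domain or a subdomain of it, which is slightly stricter than KQL `has_any` term matching.

```python
import json
import re

# IOC values copied from the table on this page; the URL is stored defanged (hxxps)
RAW_IOCS = [
    ("sha256_hash", "f581012ea6faaff213d79db7ea93194a423a419870d0db664b90a0db6ae4088b"),
    ("sha256_hash", "3aaae158a84409dbc3202b174005ed9acf39ca7f3785dbff07c56be928ff011f"),
    ("sha256_hash", "833a0e0ed8bc34a1af0fbb43c56f7bea2c73dde2295f4df2e2c27011d70f52fa"),
    ("sha256_hash", "6d11817f510e596bb9b739dd1fddb3b1c929831b81503a4e8d7129543bf899b9"),
    ("url", "hxxps://k020e5b3g0h.com/d"),
    ("domain", "k020e5b3g0h.com"),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Undo the defanging conventions commonly used in published IOC lists
    (hxxp, [.], (.), [:]) so the value can be compared with real telemetry."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    return v


def _valid_url(v: str) -> bool:
    """Accept only http(s) URLs whose host part is a syntactically valid domain."""
    parts = v.split("/")
    return (v.lower().startswith(("http://", "https://")) and len(parts) > 2
            and bool(DOMAIN_RE.match(parts[2].split(":")[0].lower())))


VALIDATORS = {
    "sha256_hash": lambda v: bool(SHA256_RE.match(v)),
    "domain": lambda v: bool(DOMAIN_RE.match(v)),
    "url": _valid_url,
}


def normalise(raw):
    """Refang and validate every IOC. Returns (accepted, rejected): accepted maps
    type -> deduplicated list; anything malformed or of unknown type is rejected
    rather than silently pasted into a query that can never match."""
    accepted = {t: [] for t in VALIDATORS}
    rejected = []
    for ioc_type, value in raw:
        v = refang(value)
        if ioc_type != "url":  # hashes and domains are case-insensitive; URL paths are not
            v = v.lower()
        check = VALIDATORS.get(ioc_type)
        if check is None or not check(v):
            rejected.append((ioc_type, value))
            continue
        if v not in accepted[ioc_type]:
            accepted[ioc_type].append(v)
    return accepted, rejected


def kql_let(name: str, values) -> str:
    """Render a KQL `let` binding of a dynamic array; json.dumps handles the quoting."""
    return f"let {name} = dynamic({json.dumps(values)});"


def render_file_hash_query(accepted) -> str:
    """Assemble the hash-hunting query in the same shape as the one on this page."""
    return "\n".join([
        kql_let("malicious_hashes", accepted["sha256_hash"]),
        "DeviceFileEvents",
        "| where SHA256 in~ (malicious_hashes)",
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
        "| order by Timestamp desc",
    ])


# Constructed sample telemetry (not real events) to exercise the matching logic offline
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-19T08:01:12Z", "Computer": "ws01", "Name": "cdn.k020e5b3g0h.com"},
    {"TimeGenerated": "2026-05-19T08:02:40Z", "Computer": "ws02", "Name": "login.microsoftonline.com"},
]
SAMPLE_FILES = [
    {"Timestamp": "2026-05-19T08:05:00Z", "DeviceName": "ws01", "FileName": "update.bin",
     "SHA256": "F581012EA6FAAFF213D79DB7EA93194A423A419870D0DB664B90A0DB6AE4088B"},  # upper-case hash, still a hit
    {"Timestamp": "2026-05-19T08:06:30Z", "DeviceName": "ws04", "FileName": "notepad.exe",
     "SHA256": "0" * 64},
]


def hunt(accepted, dns_events, file_events):
    """Mirror the queries' matching rules: a DNS query hits when its name is the
    IOC domain or a subdomain of it; a file event hits on case-insensitive SHA-256
    equality. Returns (source, host, indicator) tuples in event order."""
    hits = []
    for e in dns_events:
        name = e["Name"].lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in accepted["domain"]):
            hits.append(("dns", e["Computer"], e["Name"]))
    for e in file_events:
        if e["SHA256"].lower() in accepted["sha256_hash"]:
            hits.append(("file", e["DeviceName"], e["FileName"]))
    return hits


if __name__ == "__main__":
    acc, rej = normalise(RAW_IOCS)
    print(render_file_hash_query(acc))
    print("rejected:", rej)
    for hit in hunt(acc, SAMPLE_DNS, SAMPLE_FILES):
        print("HIT", hit)
```

The upper-case hash in the sample file event is there deliberately: a query written with plain `in` would miss it, which is why the hash query uses `in~`. Rejected entries are returned rather than dropped so a feed update that introduces a malformed value fails visibly instead of quietly shrinking the detection.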
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled job runs a backup script that includes a file named kongtuke.exe as part of a naming convention for temporary files.
Filter/Exclusion: Exclude processes where the file path contains backup or temp directories, or where the process is initiated by a scheduled task with a known backup name.
Scenario: Admin Task for Log Analysis
Description: An administrator uses a tool like LogParser or PowerShell to analyze logs and temporarily runs a script named kongtuke.ps1 for log parsing.
Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges and where the command line includes log analysis keywords like log, parse, or analyze.
Scenario: Development Environment Testing
Description: A developer is testing a tool like Wireshark or tcpdump and uses a script named kongtuke.sh as part of a test environment setup.
Filter/Exclusion: Exclude processes running in directories containing dev, test, or sandbox, or where the user is a developer with known test environments.
Scenario: Network Monitoring Tool Usage
Description: A network monitoring tool like Nmap or tcpdump is used to capture traffic, and a script named kongtuke.py is part of the capture process.
Filter/Exclusion: Exclude processes where the command line includes nmap, tcpdump, or capture, or where the user is part of the network operations team.
Scenario: Legacy System Maintenance
Description: A legacy system maintenance task runs a script named kongtuke.bat as part of a cleanup or update process.
Filter/Exclusion: Exclude processes where the file