Adversaries operating Kimwolf malware establish command-and-control (C2) channels to fixed IP:port pairs, over which they can exfiltrate data and run remote commands on the infected host. A connection from an internal host to one of these endpoints is therefore a strong indicator of an active infection and possible long-term persistence. SOC teams should hunt for this traffic proactively in Azure Sentinel (now Microsoft Sentinel) rather than waiting for an alert, so that compromised hosts are isolated before significant data loss occurs.
IOC Summary

Malware Family: Kimwolf
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 152[.]42[.]132[.]37:25001 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 209[.]38[.]33[.]37:25001 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 104[.]248[.]192[.]136:25001 | botnet_cc | 2026-06-02 | 100% |
```kql
// Hunt for network connections to known Kimwolf C2 IPs in firewall/proxy logs
// Source: ThreatFox - Kimwolf
// The IOCs are ip:port pairs (port 25001); matching on IP alone casts a wider net,
// so check DestinationPort in the results to separate exact ip:port hits from
// other traffic to the same host.
let malicious_ips = dynamic(["152.42.132.37", "209.38.33.37", "104.248.192.136"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName identifies the process that opened the connection,
// which is the first thing to pivot on during triage.
let malicious_ips = dynamic(["152.42.132.37", "209.38.33.37", "104.248.192.136"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connectors (firewalls, proxies, VPN gateways); ensure the relevant devices are forwarding to Sentinel |
| DeviceNetworkEvents | Populated by the Microsoft Defender for Endpoint (Microsoft Defender XDR) connector; ensure this data connector is enabled |
These IOCs are botnet C2 endpoints reported at 100% confidence, so tune exclusions narrowly. Before excluding anything, confirm that the IP has actually been reassigned or belongs to a service you operate; then pin the exclusion to the specific process, destination and port. Never exclude on process name alone: scheduled tasks, PowerShell and service hosts are exactly the vehicles malware uses to run. The examples below are KQL fragments to append to the DeviceNetworkEvents hunt above; names such as admin_hosts or backup_hosts are placeholders for lists you maintain.

Scenario: Legitimate scheduled system maintenance job contacting an IP:port that also appears in the IOC list
Filter/Exclusion: Do not suppress every connection initiated via schtasks.exe or the Task Scheduler service; a scheduled task is a standard persistence mechanism, so that filter would hide the true positive. Exclude only the verified destination and port for that job. Example: | where not(InitiatingProcessFileName =~ "schtasks.exe" and RemoteIP in (maintenance_hosts) and RemotePort == 25001)

Scenario: Admin using PowerShell to remotely manage servers via IP:port
Filter/Exclusion: PowerShell remoting runs over WinRM on TCP 5985/5986, not 25001, and malware routinely launches from powershell.exe, so a blanket powershell.exe exclusion is unsafe. Note also that there is no winrm.exe parent process: the WinRM service runs inside svchost.exe, and remote sessions on the target side run under wsmprovhost.exe. Exclude only WinRM sessions from known admin hosts. Example: | where not(InitiatingProcessFileName =~ "powershell.exe" and RemotePort in (5985, 5986) and RemoteIP in (admin_hosts))

Scenario: Database backup job using a known IP:port for an external backup service
Filter/Exclusion: Exclude the backup tool only toward the backup provider's verified address and port. A port check alone (destination port 443) is not sufficient, because a C2 server can listen on 443 as easily as on 25001. Example: | where not(InitiatingProcessFileName =~ "sqlbackup.exe" and RemoteIP in (backup_hosts) and RemotePort == 443)

Scenario: Software update process using a known IP:port for patch management
Filter/Exclusion: There is no wuauserv.exe; Windows Update runs as the wuauserv service inside svchost.exe, and wsusutil.exe is a server-side WSUS administration tool, so neither process-name filter would match real update traffic. Exclude update traffic by destination instead: the WSUS server on its default ports 8530/8531, or the Microsoft Update endpoints. Example: | where not(RemoteIP in (wsus_servers) and RemotePort in (8530, 8531))

Scenario: Legitimate outbound data transfer via encrypted tunnel for compliance purposes
Filter/Exclusion: Exclude the VPN client only toward its configured endpoint; a bare match on openvpn.exe or wg.exe is satisfied by any renamed binary. Example: | where not(InitiatingProcessFileName in~ ("openvpn.exe", "wireguard.exe", "wg.exe") and RemoteIP in (vpn_endpoints))
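The following Python script is an added example, not code from the original page or from ThreatFox or Sentinel. It illustrates both the hunt queries above and the exclusion guidance: it refangs the defanged ip:port IOCs from the table, renders them as the dynamic([...]) literal the KQL queries use, and runs the same matching logic over a few constructed DeviceNetworkEvents-style records. Exact ip:port hits are never excluded; only same-host-different-port hits can be suppressed, and only by a narrow (process, port) pair. The host names, process names and event timestamps are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Defanged ip:port IOCs exactly as listed in the table above (ThreatFox - Kimwolf).
DEFANGED_IOCS = [
    "152[.]42[.]132[.]37:25001",
    "209[.]38[.]33[.]37:25001",
    "104[.]248[.]192[.]136:25001",
]


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:25001' into ('1.2.3.4', 25001), validating both parts."""
    ip_part, _, port_part = ioc.replace("[.]", ".").rpartition(":")
    ip = str(ipaddress.ip_address(ip_part))  # ValueError on a malformed address
    port = int(port_part)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in IOC {ioc!r}")
    return ip, port


IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


def kql_ip_list() -> str:
    """Render the refanged IPs as the dynamic([...]) literal used by the queries above."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS)) + "])"


@dataclass(frozen=True)
class NetEvent:
    """Subset of DeviceNetworkEvents columns needed for the hunt."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str
    action: str


# Constructed sample telemetry (hypothetical hosts; not real captured data).
SAMPLE_EVENTS = [
    NetEvent("2026-06-03T08:01:10Z", "WS-017", "152.42.132.37", 25001, "powershell.exe", "ConnectionSuccess"),
    NetEvent("2026-06-03T08:02:42Z", "WS-017", "104.248.192.136", 25001, "svchost.exe", "ConnectionFailed"),
    NetEvent("2026-06-03T08:05:00Z", "SRV-DB1", "209.38.33.37", 443, "sqlbackup.exe", "ConnectionSuccess"),
    NetEvent("2026-06-03T08:06:15Z", "SRV-DB1", "203.0.113.10", 443, "sqlbackup.exe", "ConnectionSuccess"),
    NetEvent("2026-06-03T08:07:30Z", "WS-022", "209.38.33.37", 25001, "schtasks.exe", "ConnectionSuccess"),
]


def hunt(events, exclusions=frozenset()):
    """Return (event, kind) for every event that touches an IOC host.

    kind is "ip:port" for an exact IOC match and "ip" for the same host on a
    different port. Exact ip:port hits are never excluded: a verified C2 pair is
    high-confidence no matter which process opened the socket. Only "ip" hits
    may be suppressed, and only by a narrow (process name, remote port) pair.
    """
    hits = []
    for ev in events:
        if ev.remote_ip not in IOC_IPS:
            continue
        if (ev.remote_ip, ev.remote_port) in IOC_PAIRS:
            hits.append((ev, "ip:port"))
        elif (ev.process.lower(), ev.remote_port) not in exclusions:
            hits.append((ev, "ip"))
    return hits


if __name__ == "__main__":
    print(kql_ip_list())
    # The sqlbackup.exe exclusion only removes the port-443 hit on SRV-DB1;
    # the three exact ip:port hits survive regardless of process.
    for ev, kind in hunt(SAMPLE_EVENTS, exclusions={("sqlbackup.exe", 443)}):
        print(f"{kind:8} {ev.timestamp} {ev.device} {ev.process} -> "
              f"{ev.remote_ip}:{ev.remote_port} ({ev.action})")
```

Adding ("powershell.exe", 25001) to the exclusion set changes nothing, which is the point: the page's blanket powershell.exe and schtasks.exe filters would have discarded two of the three genuine C2 connections in this sample.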