The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-impact ransomware operations. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
IOC Summary

- Malware Family: Kimwolf
- Total IOCs: 5
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 188[.]166[.]73[.]211:25001 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 64[.]225[.]73[.]83:25001 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 188[.]166[.]108[.]189:25001 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 159[.]223[.]218[.]168:25001 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 159[.]65[.]200[.]174:25001 | botnet_cc | 2026-04-23 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Note: this matches on IP only. All five IOCs use port 25001, so adding
// "and DestinationPort == 25001" narrows the hunt to the published ip:port pairs.
let malicious_ips = dynamic(["64.225.73.83", "159.223.218.168", "188.166.73.211", "159.65.200.174", "188.166.108.189"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Kimwolf (same IP list as above; RemotePort == 25001 can be added to tighten the match)
let malicious_ips = dynamic(["64.225.73.83", "159.223.218.168", "188.166.73.211", "159.65.200.174", "188.166.108.189"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
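The queries above match on IP alone, while the feed publishes ip:port pairs. The following added example (not part of the original rule or of ThreatFox) refangs the page's defanged indicators, renders the `dynamic([...])` list the KQL expects so it stays in sync with the feed, and matches constructed CommonSecurityLog-style records, separating exact ip:port hits from IP-only hits:

```python
import re
from typing import NamedTuple

# Defanged ip:port indicators exactly as published on the page (ThreatFox, Kimwolf).
RAW_IOCS = [
    "188[.]166[.]73[.]211:25001",
    "64[.]225[.]73[.]83:25001",
    "188[.]166[.]108[.]189:25001",
    "159[.]223[.]218[.]168:25001",
    "159[.]65[.]200[.]174:25001",
]

class Ioc(NamedTuple):
    ip: str
    port: int

def refang(value: str) -> Ioc:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) pair."""
    ip, _, port = value.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 indicator: {value!r}")
    return Ioc(ip, int(port))

IOCS = {refang(v) for v in RAW_IOCS}
IOC_IPS = {i.ip for i in IOCS}

def kql_ip_list(iocs=IOCS) -> str:
    """Render the IP list in the shape the page's KQL 'let' statement uses."""
    ips = ", ".join(f'"{ip}"' for ip in sorted({i.ip for i in iocs}))
    return f"let malicious_ips = dynamic([{ips}]);"

def classify(record: dict) -> str:
    """'ip_port': destination IP and port both match (strongest signal);
    'ip_only': a listed IP appears on another port or as the source; else 'none'."""
    dst = Ioc(record["DestinationIP"], int(record["DestinationPort"]))
    if dst in IOCS:
        return "ip_port"
    if dst.ip in IOC_IPS or record["SourceIP"] in IOC_IPS:
        return "ip_only"
    return "none"

# Constructed sample records (not real telemetry) in CommonSecurityLog column names.
SAMPLE_LOG = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "64.225.73.83", "DestinationPort": 25001},
    {"SourceIP": "10.0.0.7", "DestinationIP": "64.225.73.83", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]

def hunt(records=SAMPLE_LOG) -> dict:
    """Count records per match class so IP-only hits can be triaged separately."""
    counts = {"ip_port": 0, "ip_only": 0, "none": 0}
    for r in records:
        counts[classify(r)] += 1
    return counts
```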
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that matches the IOCs (e.g., psutil, subprocess) used by Kimwolf. | `process.name == "schtasks.exe" OR process.name == "task scheduler"` |
| Admin Performing System Monitoring | An admin is using a tool like Process Explorer or Wireshark to monitor system activity, which may trigger the IOCs. | `process.name == "procexp.exe" OR process.name == "Wireshark.exe"` |
| Automated Log Collection Job | A scheduled job using logrotate or rsyslog is collecting logs and may trigger IOCs related to file access or command execution. | `process.name == "logrotate" OR process.name == "rsyslogd"` |
| Software Update or Patching Process | A legitimate update process (e.g., using Chocolatey, WSUS, or Ansible) may execute commands or access files that match Kimwolf IOCs. | `process.name == "choco.exe" OR process.name == "ansible.exe" OR process.name == "wsusutil.exe"` |
| Database Backup or Restore Operation | A database backup tool like mysqldump or pg_dump may trigger IOCs due to file access or command-line execution. | `process.name == "mysqldump.exe" OR process.name == "pg_dump.exe" OR process.name == "sqlcmd.exe"` |