The ThreatFox: Dofloo IOCs rule detects potential adversary activity linked to the Dofloo threat group, which is associated with malicious infrastructure and command-and-control servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
IOC Summary
Malware Family: Dofloo Total IOCs: 5 IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 87[.]121[.]79[.]193:80 | payload_delivery | 2026-05-23 | 80% |
| ip:port | 87[.]121[.]79[.]73:80 | payload_delivery | 2026-05-23 | 80% |
| url | hxxp://151[.]242[.]125[.]187/dck | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://87[.]121[.]79[.]193/dck | payload_delivery | 2026-05-23 | 80% |
| url | hxxp://87[.]121[.]79[.]73/dck | payload_delivery | 2026-05-23 | 80% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Dofloo
let malicious_ips = dynamic(["87.121.79.73", "87.121.79.193"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["87.121.79.73", "87.121.79.193"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Dofloo
let malicious_urls = dynamic(["http://151.242.125.187/dck", "http://87.121.79.193/dck", "http://87.121.79.73/dck"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job running Dofloo for system monitoring
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., schtasks.exe or at.exe) with known legitimate command-line arguments related to Dofloo monitoring.
Scenario: Admin using Dofloo for log analysis and forensic investigation
Filter/Exclusion: Exclude processes launched by user accounts with administrative privileges and associated with known forensic tools (e.g., logparser.exe, eventvwr.exe).
Scenario: Dofloo used in a DevOps pipeline for infrastructure automation
Filter/Exclusion: Exclude processes initiated by CI/CD tools (e.g., jenkins.exe, azure-pipelines.exe) that invoke Dofloo as part of a deployment or configuration task.
Scenario: Dofloo used for internal threat hunting and IOC validation
Filter/Exclusion: Exclude processes launched from a dedicated threat hunting tool (e.g., Splunk, ELK Stack) or from a sandboxed environment with known hunting workflows.
Scenario: Dofloo used for endpoint detection and response (EDR) tool integration
Filter/Exclusion: Exclude processes initiated by EDR platforms (e.g., Microsoft Defender ATP, CrowdStrike Falcon) that use Dofloo for IOC correlation or threat intelligence lookup.