Adversaries are using Evilginx to perform credential phishing and exfiltrate sensitive data by impersonating legitimate services; the IOCs below are the command-and-control endpoints associated with that activity. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate credential theft and lateral movement attempts early.
IOC Summary

- Malware Family: Evilginx
- Total IOCs: 3
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 66[.]29[.]131[.]145:5000 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 64[.]225[.]102[.]218:31400 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 45[.]61[.]150[.]88:5000 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for network connections to known malicious IPs (CommonSecurityLog, e.g. firewall/proxy CEF data)
// Source: ThreatFox - Evilginx
// The match is on IP only so that traffic to the same host on other ports is also surfaced;
// the ThreatFox ports are 5000 (66.29.131.145, 45.61.150.88) and 31400 (64.225.102.218).
let malicious_ips = dynamic(["45.61.150.88", "64.225.102.218", "66.29.131.145"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (run as a separate query from the one above)
// Source: ThreatFox - Evilginx
let malicious_ips = dynamic(["45.61.150.88", "64.225.102.218", "66.29.131.145"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
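As an added example that is not part of the original page, the following Python helper refangs the defanged ip:port IOCs from the summary table, validates them so a malformed feed entry cannot become a bad query literal, renders them as a KQL datatable for an exact ip:port match (the queries above match on IP only), and runs the same matching locally against a few constructed DeviceNetworkEvents-style records, with an optional exclusion for an internal monitoring host. The sample events, device names and the monitoring address are constructed for this example; the emitted KQL uses the DeviceNetworkEvents column names shown above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Defanged IOC strings exactly as they appear in the IOC summary table,
# with threat type, first-seen date and confidence carried along unchanged.
DEFANGED_IOCS = [
    ("66[.]29[.]131[.]145:5000", "botnet_cc", "2026-06-14", 75),
    ("64[.]225[.]102[.]218:31400", "botnet_cc", "2026-06-14", 75),
    ("45[.]61[.]150[.]88:5000", "botnet_cc", "2026-06-14", 75),
]


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def refang(value: str) -> str:
    """Undo common defanging: '[.]' or '(.)' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]|\(\.\)", ".", value).replace("hxxp", "http")


def parse_ip_port(value: str) -> Endpoint:
    """Parse a (possibly defanged) 'ip:port' IOC into a validated Endpoint.

    Raises ValueError for anything that is not an IP address with a valid port.
    """
    ip_str, sep, port_str = refang(value).rpartition(":")
    if not sep or not port_str.isdigit():
        raise ValueError(f"not an ip:port IOC: {value!r}")
    port = int(port_str)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on garbage
    return Endpoint(str(ip), port)


# Parsed once at import so both the query builder and the local matcher share it.
ENDPOINTS = [parse_ip_port(raw) for raw, *_ in DEFANGED_IOCS]


def to_kql_datatable(endpoints, name="malicious_endpoints") -> str:
    """Render the endpoints as a KQL 'let' datatable of (ip, port) rows."""
    rows = ",\n".join(f'    "{e.ip}", {e.port}' for e in endpoints)
    return f"let {name} = datatable(ip:string, port:int)\n[\n{rows}\n];"


def build_hunt_query(endpoints) -> str:
    """Build a DeviceNetworkEvents hunt that matches the exact ip:port pair
    by joining the datatable on both RemoteIP and RemotePort."""
    return (
        "// Hunt for connections to known Evilginx C2 endpoints (exact ip:port)\n"
        + to_kql_datatable(endpoints)
        + "\nDeviceNetworkEvents\n"
        "| where RemoteIP in (malicious_endpoints | project ip)\n"
        "| join kind=inner malicious_endpoints on $left.RemoteIP == $right.ip, "
        "$left.RemotePort == $right.port\n"
        "| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


def match_events(events, endpoints, exclude_local=frozenset()):
    """Return events whose remote ip:port is an IOC, skipping events whose
    LocalIP is in exclude_local (e.g. an internal monitoring host)."""
    wanted = set(endpoints)
    return [
        ev for ev in events
        if ev["LocalIP"] not in exclude_local
        and Endpoint(ev["RemoteIP"], ev["RemotePort"]) in wanted
    ]


# Constructed sample records in the shape of DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-042", "LocalIP": "10.0.5.23", "RemoteIP": "66.29.131.145", "RemotePort": 5000},
    {"DeviceName": "ws-042", "LocalIP": "10.0.5.23", "RemoteIP": "66.29.131.145", "RemotePort": 443},
    {"DeviceName": "mon-01", "LocalIP": "10.0.0.9", "RemoteIP": "45.61.150.88", "RemotePort": 5000},
    {"DeviceName": "ws-017", "LocalIP": "10.0.5.40", "RemoteIP": "203.0.113.10", "RemotePort": 443},
]

# Hypothetical address of an internal monitoring host whose probes are expected.
MONITORING_HOSTS = frozenset({"10.0.0.9"})


if __name__ == "__main__":
    print(build_hunt_query(ENDPOINTS))
    for ev in match_events(SAMPLE_EVENTS, ENDPOINTS, MONITORING_HOSTS):
        print("hit:", ev["DeviceName"], "->", ev["RemoteIP"], ev["RemotePort"])
```

The local matcher is a pre-check for the same logic the generated query performs in Sentinel: the second ws-042 record (same IP, port 443) is deliberately not a hit under exact matching, which is exactly the difference between this query and the IP-only queries above; widen to IP-only when you want that broader net.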
Scenario: Legitimate Scheduled Job for Log Rotation
Description: A scheduled job using logrotate is configured to rotate and compress web server logs, which may include files with names similar to known Evilginx IOCs.
Filter/Exclusion: Exclude files with the .log or .gz extensions, or filter by file paths containing /var/log/ or /etc/logrotate.d/.
Scenario: System Administration Task Using curl for API Testing
Description: An admin is using curl to test a legitimate API endpoint, which may result in traffic matching Evilginx IOC patterns (e.g., curl https://example.com/api).
Filter/Exclusion: Exclude traffic originating from admin user accounts or filter by known internal API endpoints.
Scenario: Web Server Configuration Backup Using rsync
Description: A backup process using rsync is copying web server configuration files, which may include paths or filenames that match Evilginx IOCs.
Filter/Exclusion: Exclude processes initiated by backup services or filter by paths containing /etc/nginx/ or /etc/apache2/.
Scenario: Internal Monitoring Tool Using tcpdump for Network Analysis
Description: A network monitoring tool like tcpdump is capturing traffic for analysis, which may include packets matching Evilginx IOC patterns.
Filter/Exclusion: Exclude traffic from the monitoring tool’s own IP address or filter by known internal monitoring ports (e.g., 6379 for Redis, 9100 for CDP).
Scenario: DevOps Pipeline Using git for Code Deployment
Description: A CI/CD pipeline using git is pushing code to a repository, which may include files or paths that resemble Evilginx IOCs.
Filter/Exclusion: