Adversaries are using Evilginx IOCs to execute phishing campaigns and steal credentials by mimicking legitimate services. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate credential theft attempts early.
IOC Summary
Malware Family: Evilginx Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]208[.]12[.]91:3000 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 163[.]245[.]217[.]48:3333 | botnet_cc | 2026-06-10 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
let malicious_ips = dynamic(["192.208.12.91", "163.245.217.48"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["192.208.12.91", "163.245.217.48"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Using rsync
Description: A scheduled backup job using rsync transfers files to a remote server, which coincidentally matches an IOC associated with Evilginx.
Filter/Exclusion: Exclude traffic involving rsync commands executed by the backup user or during scheduled backup windows.
Scenario: Admin Task Using curl for Internal API Calls
Description: An administrator uses curl to interact with an internal API endpoint, which is mistakenly flagged as an Evilginx IOC.
Filter/Exclusion: Exclude traffic originating from admin accounts or matching internal API endpoints (e.g., https://api.internal.company.com/*).
Scenario: Log Collection Using logrotate with External Server
Description: The logrotate utility sends logs to a remote server for centralized logging, which may match an IOC used by Evilginx.
Filter/Exclusion: Exclude traffic from the logrotate process or to known internal log aggregation servers (e.g., logs.central.company.com).
Scenario: DevOps Pipeline Using Jenkins with External Artifact Repository
Description: A Jenkins job pulls dependencies from an external artifact repository, which is flagged due to matching an Evilginx IOC.
Filter/Exclusion: Exclude traffic from Jenkins jobs or to known CI/CD artifact repositories (e.g., maven.repository.company.com).
Scenario: Scheduled Job Using cron to Sync with Cloud Storage
Description: A cron job syncs files with a cloud storage service (e.g., AWS S3), which may have an IOC that overlaps with Evilginx.
Filter/Exclusion: Exclude traffic initiated by cron jobs or to cloud storage endpoints (e.g., s3.amazonaws.com/*).