The ThreatFox: Mirai IOCs rule detects potential compromise by adversaries leveraging known indicators associated with the Mirai botnet, which is commonly used to launch large-scale DDoS attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai-related activity before it leads to widespread network disruption.
IOC Summary
Malware Family: Mirai
Total IOCs: 29
IOC Types: ip:port, domain
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["91.92.42.203", "110.35.80.116", "8.229.68.116"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.92.42.203", "110.35.80.116", "8.229.68.116"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["giga.miraibotnet.su", "rep.miraibotnet.su", "srv.miraibotnet.su", "bins.oceanic-node.su", "meow.oceanic-node.su", "mewo.oceanic-node.su", "retard.oceanic-node.su", "srv.oceanic-node.su", "smart.abuse.st", "tvt.abuse.st", "boom.abuse.st", "abusing.abuse.st", "fsocietyhackattack.botlesscucks.st", "hackattackkaboom.botlesscucks.st", "zyrec2.duckdns.org", "download.logltech.workers.dev", "jaamdesign.com", "stoplooking1.botlesscucks.st", "stoplooking2.botlesscucks.st", "dxhook.lol", "fer1.duckdns.org", "youareall.botlesscucks.st", "musika.botlesscucks.st", "happytugsmassage.com", "n058152033245.netvigator.com", "stoplooking.botlesscucks.st"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
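As an added example (not part of the ThreatFox feed or this page's KQL), the following Python mirrors the IP and DNS hunts above over constructed sample telemetry and adds two checks the queries do not make: it refangs the `[.]`-defanged form the feed publishes before matching, and it matches the `ip:port` indicator on address and port together, reporting an address-only match as weaker evidence. Only three of the page's indicators are used, and all event rows are constructed.

```python
# ThreatFox-style rows as given on the page: (type, value); the IP is defanged with [.]
IOCS = [("domain", "giga.miraibotnet.su"), ("domain", "jaamdesign.com"),
        ("domain", "fer1.duckdns.org"), ("ip:port", "91[.]92[.]42[.]203:5544")]

def refang(value):
    # Turn the defanged form used in reports back into a live indicator.
    return value.replace("[.]", ".").replace("[:]", ":")

def build_lookup(iocs):
    # Domains go into a set; ip:port IOCs become {ip: {port, ...}}.
    domains, ip_ports = set(), {}
    for kind, value in iocs:
        v = refang(value).lower()
        if kind == "domain":
            domains.add(v)
        elif kind == "ip:port":
            ip, port = v.rsplit(":", 1)
            ip_ports.setdefault(ip, set()).add(int(port))
    return domains, ip_ports

def domain_hit(name, domains):
    # Exact or subdomain match only, so a look-alike such as notjaamdesign.com does not fire.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def ip_hit(ip, port, ip_ports):
    # 'strong' = address and port match the ip:port IOC; 'weak' = address only.
    if ip not in ip_ports:
        return None
    return "strong" if port in ip_ports[ip] else "weak"

# Constructed sample telemetry, not real data: DeviceNetworkEvents-like and DnsEvents-like rows.
NET_EVENTS = [("cam-01", "91.92.42.203", 5544), ("cam-02", "91.92.42.203", 443),
              ("pc-07", "10.0.0.5", 5544)]
DNS_EVENTS = [("cam-01", "giga.miraibotnet.su"), ("pc-03", "www.fer1.duckdns.org"),
              ("pc-04", "notjaamdesign.com")]

def hunt(net_events=NET_EVENTS, dns_events=DNS_EVENTS, iocs=IOCS):
    # Returns (host, ioc_type, observed_value, verdict) for every match.
    domains, ip_ports = build_lookup(iocs)
    hits = []
    for host, ip, port in net_events:
        verdict = ip_hit(ip, port, ip_ports)
        if verdict:
            hits.append((host, "ip:port", f"{ip}:{port}", verdict))
    for host, name in dns_events:
        if domain_hit(name, domains):
            hits.append((host, "domain", name, "strong"))
    return hits
```

Running `hunt()` on the constructed rows returns four hits: the port 5544 connection as strong, the port 443 connection to the same address as weak, and the two DNS lookups; the look-alike domain and the unrelated address produce nothing.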
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using tar and rsync
Description: A legitimate system backup process uses tar and rsync to archive and transfer data, which may include commands similar to those seen in Mirai C2 communication.
Filter/Exclusion: Exclude processes where the command line includes tar, rsync, or paths to backup directories (e.g., /backup/, /var/backups/).
Scenario: Admin Task Using nc for Network Testing
Description: A system administrator uses nc (netcat) to test network connectivity or port availability, which could trigger the rule if the command includes IP addresses or ports associated with Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes nc and the user is a privileged admin (e.g., root, sudo), or where the command includes test, ping, or telnet.
Scenario: Cron Job for Log Rotation Using logrotate
Description: A cron job runs logrotate to manage log files, which may involve temporary files or commands that resemble Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes logrotate, /etc/logrotate.conf, or paths to log directories (e.g., /var/log/, /tmp/).
Scenario: Docker Container Management Using docker CLI
Description: A DevOps engineer uses the docker CLI to manage containers, which may involve commands that resemble Mirai IOCs, especially when interacting with container networks.
Filter/Exclusion: Exclude processes where the command line includes docker, run, exec, or paths to Docker configuration files (e.g., /etc/docker/, /var/lib/docker/).
Scenario: