The ThreatFox: FAKEUPDATES IOCs detection rule identifies potential adversary activity linked to malicious update packages, which could be used to deliver malware or compromise systems. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage attacks that exploit trusted update mechanisms.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | speed-optimizer.com | payload_delivery | 2026-06-16 | 100% |
| url | hxxps://speed-optimizer.com/scripts/core.min.js | payload_delivery | 2026-06-16 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["speed-optimizer.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - FAKEUPDATES
let malicious_urls = dynamic(["https://speed-optimizer.com/scripts/core.min.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
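An added Python example, not part of the ThreatFox rule page or of any Sentinel tooling, showing how the defanged IOCs from the table above are refanged, rendered into the same KQL `let ... = dynamic([...])` watchlist form the hunting queries use, and matched against constructed DNS and URL events on label boundaries so that a look-alike such as `notspeed-optimizer.com` does not fire while `cdn.speed-optimizer.com` does. The event dict shapes, sample values and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed IOC rows mirroring the page's ThreatFox table, defanged as published.
IOCS = [
    {"type": "domain", "value": "speed-optimizer.com"},
    {"type": "url", "value": "hxxps://speed-optimizer.com/scripts/core.min.js"},
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so IOCs compare against live telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def build_watchlists(iocs):
    """Split refanged, lower-cased IOCs into a domain set and a URL set."""
    domains = {refang(i["value"]).lower().rstrip(".") for i in iocs if i["type"] == "domain"}
    urls = {refang(i["value"]).lower() for i in iocs if i["type"] == "url"}
    return domains, urls

def domain_matches(name: str, domains: set) -> bool:
    """Exact or subdomain hit on a label boundary; 'notspeed-optimizer.com' must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def url_matches(url: str, urls: set, domains: set) -> bool:
    """Exact URL hit with the query string stripped, or a host hit on a watched domain."""
    parts = urlsplit(url.lower())
    canon = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return canon in urls or domain_matches(parts.hostname or "", domains)

def hunt(events, iocs):
    """Return the events (dicts shaped like the KQL projections above) that hit an IOC."""
    domains, urls = build_watchlists(iocs)
    return [ev for ev in events
            if ("Name" in ev and domain_matches(ev["Name"], domains))
            or ("Url" in ev and url_matches(ev["Url"], urls, domains))]

def kql_dynamic(name: str, values) -> str:
    """Render a KQL 'let' watchlist line in the form used by the hunting queries."""
    quoted = ", ".join('"%s"' % v for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Name": "cdn.speed-optimizer.com"},
    {"Computer": "ws02", "Name": "notspeed-optimizer.com"},
    {"AccountUpn": "a@corp.example", "Url": "https://speed-optimizer.com/scripts/core.min.js?v=3"},
    {"AccountUpn": "b@corp.example", "Url": "https://update.example/ok.js"},
]
```

Running `hunt(SAMPLE_EVENTS, IOCS)` returns only the `ws01` DNS event and the `a@corp.example` click, and `kql_dynamic("malicious_domains", ...)` reproduces the `let` line from the DNS query above.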
Scenario: Legitimate System Update Job
Description: A scheduled job runs to apply legitimate system updates using tools like Windows Update or WSUS.
Filter/Exclusion: Exclude processes associated with known update tools (e.g., wusa.exe, wuauclt.exe) or filter by process names matching WindowsUpdate or WSUS.
Scenario: Admin Performing Patch Management
Description: An administrator manually runs a patching tool like Microsoft Endpoint Manager or SCCM to deploy updates across the network.
Filter/Exclusion: Exclude processes initiated by admin accounts with known patching tools or filter by user context (e.g., domain\admin).
Scenario: Scheduled Antivirus Scan
Description: A scheduled antivirus scan uses tools like Windows Defender or third-party antivirus software to scan for malware.
Filter/Exclusion: Exclude processes associated with antivirus tools (e.g., MsMpEng.exe, avgnt.exe) or filter by process names containing “antivirus” or “defender”.
Scenario: Log Collection and Analysis Tool
Description: A log management tool like Splunk, ELK Stack, or Graylog is configured to collect and analyze system logs.
Filter/Exclusion: Exclude processes related to log collection tools (e.g., splunkd.exe, logstash, graylog-server) or filter by process names containing “log” or “collector”.
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) is used to deploy software updates or patches across the enterprise.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or filter by process names containing “GroupPolicy” or “gpupdate”.