The ThreatFox: FAKEUPDATES IOCs detection rule identifies potential malicious activity linked to a known threat actor distributing fake software updates, which could be used to deploy malware or compromise systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversarial campaigns that exploit user trust in software update mechanisms.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 2
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dl.overscaleconsulting.com | botnet_cc | 2026-05-28 | 100% |
| ip:port | 185[.]193[.]48[.]39:443 | payload_delivery | 2026-05-28 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - FAKEUPDATES
// The IOC was reported as ip:port (185.193.48.39:443); DestinationPort is projected
// so the port can be checked during triage.
let malicious_ips = dynamic(["185.193.48.39"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["185.193.48.39"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["dl.overscaleconsulting.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
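The three queries above are the Sentinel form of the hunt. As an added example (not part of the original page or of ThreatFox), the Python below applies the same logic offline to constructed sample events: it refangs the ThreatFox values (the IP is published as `185[.]193[.]48[.]39:443`), keeps the port that the KQL drops so a finding can be labelled ip:port versus ip-only, and matches domains on label boundaries so a longer host that merely ends in the same characters is not flagged. The event records, hostnames such as `cdn.dl.overscaleconsulting.com` and `notdl.overscaleconsulting.com`, and device names are constructed for the example.

```python
"""Offline replay of the FAKEUPDATES IOC hunt over constructed sample events."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# IOC rows as listed in the ThreatFox table above (IP defanged, port attached).
THREATFOX_IOCS = [
    {"type": "domain", "value": "dl.overscaleconsulting.com", "threat_type": "botnet_cc"},
    {"type": "ip:port", "value": "185[.]193[.]48[.]39:443", "threat_type": "payload_delivery"},
]

# Constructed sample events shaped like the three Sentinel tables the queries read.
SAMPLE_EVENTS = [
    {"table": "CommonSecurityLog", "TimeGenerated": "2026-05-28T10:01:00Z",
     "SourceIP": "10.0.0.5", "DestinationIP": "185.193.48.39", "DestinationPort": 443},
    {"table": "CommonSecurityLog", "TimeGenerated": "2026-05-28T10:02:00Z",
     "SourceIP": "10.0.0.6", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"table": "DeviceNetworkEvents", "TimeGenerated": "2026-05-28T10:03:00Z",
     "DeviceName": "ws-07", "RemoteIP": "185.193.48.39", "RemotePort": 8080,
     "InitiatingProcessFileName": "chrome.exe"},
    {"table": "DnsEvents", "TimeGenerated": "2026-05-28T10:04:00Z",
     "Computer": "ws-07", "Name": "cdn.dl.overscaleconsulting.com."},
    # Constructed look-alike: a substring match would flag it, a label match does not.
    {"table": "DnsEvents", "TimeGenerated": "2026-05-28T10:05:00Z",
     "Computer": "ws-08", "Name": "notdl.overscaleconsulting.com"},
]


def refang(value: str) -> str:
    """Undo ThreatFox defanging so the value can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


@dataclass
class IocSet:
    ips: set[str] = field(default_factory=set)
    ip_ports: set[tuple[str, int]] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)


def build_ioc_set(rows: list[dict]) -> IocSet:
    """Parse the IOC rows into lookup sets; keeps the port for ip:port indicators."""
    iocs = IocSet()
    for row in rows:
        value = refang(row["value"])
        if row["type"] == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            iocs.ips.add(ip)
            iocs.ip_ports.add((ip, int(port)))
        elif row["type"] == "domain":
            iocs.domains.add(value.lower().rstrip("."))
    return iocs


def domain_matches(name: str, domains: set[str]) -> bool:
    """True for the IOC domain itself or any subdomain of it, on label boundaries."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _ip_finding(ev: dict, ip_field: str, port_field: str, iocs: IocSet) -> dict | None:
    ip = ev.get(ip_field)
    if ip not in iocs.ips:
        return None
    exact = (ip, ev.get(port_field)) in iocs.ip_ports
    return {"time": ev["TimeGenerated"], "table": ev["table"], "indicator": ip,
            "match": "ip:port" if exact else "ip-only"}


def hunt(events: list[dict], iocs: IocSet) -> list[dict]:
    """One finding per event that touches an IOC, newest first like the KQL."""
    findings = []
    for ev in events:
        table, finding = ev["table"], None
        if table == "CommonSecurityLog":
            finding = (_ip_finding(ev, "DestinationIP", "DestinationPort", iocs)
                       or _ip_finding(ev, "SourceIP", "SourcePort", iocs))
        elif table == "DeviceNetworkEvents":
            finding = _ip_finding(ev, "RemoteIP", "RemotePort", iocs)
        elif table == "DnsEvents" and domain_matches(ev["Name"], iocs.domains):
            finding = {"time": ev["TimeGenerated"], "table": table,
                       "indicator": ev["Name"], "match": "domain"}
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["time"], reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, build_ioc_set(THREATFOX_IOCS)):
        print(f)
```

An ip-only finding (right address, different port) is still worth triage, but the label lets an analyst prioritise the exact ip:port hit; the DNS matcher deliberately does not use plain substring matching, which is the trap a `contains`-style query would fall into.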
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Windows Update Scheduled Task
Description: A scheduled task runs wuauclt.exe (Windows Update client) as part of a routine system maintenance process.
Filter/Exclusion: Exclude processes where ImageFileName is wuauclt.exe and CommandLine contains /detectnow or /updatenow.

Scenario: System File Integrity Check (SFIC) Job
Description: A security tool like Sysinternals Process Explorer or Microsoft Baseline Security Analyzer (MSBAS) is used to check system files for integrity.
Filter/Exclusion: Exclude processes where ImageFileName is msbas.exe or procexp.exe and the command line includes /sc or /sfc.

Scenario: Admin Performing Software Deployment via Group Policy
Description: An administrator uses gpupdate.exe to refresh Group Policy settings, which may trigger package-related IOCs.
Filter/Exclusion: Exclude processes where ImageFileName is gpupdate.exe and the command line includes /force or /target:computer.

Scenario: Antivirus or EDR Software Performing Full System Scan
Description: A legitimate endpoint protection tool like Microsoft Defender or CrowdStrike Falcon may execute package-related binaries during a scan.
Filter/Exclusion: Exclude processes where ImageFileName is MsMpEng.exe or falcon.exe and the command line includes fullscan or scan.

Scenario: System Maintenance Task Running PowerShell Script
Description: A scheduled PowerShell script (e.g., powershell.exe) is used to perform system updates or configuration changes.
Filter/Exclusion: Exclude processes where ImageFileName is powershell.exe and the command line includes `Start-
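The exclusions above each require both an image name and a command-line term, so that neither alone suppresses an event. As an added example (not part of the original page), the Python below encodes the first four scenarios as data and applies them to constructed process records; the fifth scenario is not encoded because its command-line pattern is cut off on the page. Image names are compared case-insensitively on the file's basename, since telemetry may carry a full path. The process records, paths and command lines are constructed for the example.

```python
"""Apply the false-positive exclusions above to constructed process events."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exclusion:
    scenario: str
    images: tuple[str, ...]         # ImageFileName basenames, compared lower-case
    cmdline_terms: tuple[str, ...]  # at least one must appear in CommandLine


# Scenarios 1-4 from the list above. Scenario 5 (powershell.exe) is omitted
# because its command-line pattern is truncated on the page.
EXCLUSIONS = (
    Exclusion("Windows Update scheduled task", ("wuauclt.exe",), ("/detectnow", "/updatenow")),
    Exclusion("System file integrity check", ("msbas.exe", "procexp.exe"), ("/sc", "/sfc")),
    Exclusion("Group Policy refresh", ("gpupdate.exe",), ("/force", "/target:computer")),
    Exclusion("AV/EDR full system scan", ("msmpeng.exe", "falcon.exe"), ("fullscan", "scan")),
)

# Constructed sample process events (paths and command lines are examples only).
SAMPLE_PROCESS_EVENTS = [
    {"ImageFileName": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": "wuauclt.exe /detectnow /updatenow"},
    {"ImageFileName": "wuauclt.exe", "CommandLine": "wuauclt.exe"},
    {"ImageFileName": "gpupdate.exe", "CommandLine": "gpupdate.exe /force"},
    {"ImageFileName": "MsMpEng.exe", "CommandLine": "MsMpEng.exe fullscan"},
    {"ImageFileName": "powershell.exe",
     "CommandLine": r"powershell.exe -File C:\maint\update.ps1"},
    # Right command-line term, wrong image: both conditions are required.
    {"ImageFileName": "updater.exe", "CommandLine": "updater.exe /detectnow"},
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matching_exclusion(event: dict) -> Exclusion | None:
    """Return the first exclusion whose image AND command-line condition both hold."""
    image = _basename(event.get("ImageFileName", ""))
    cmdline = event.get("CommandLine", "").lower()
    for ex in EXCLUSIONS:
        if image in ex.images and any(term in cmdline for term in ex.cmdline_terms):
            return ex
    return None


def apply_exclusions(events: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split events into (kept, suppressed); suppressed ones record which scenario fired."""
    kept, suppressed = [], []
    for ev in events:
        ex = matching_exclusion(ev)
        if ex is None:
            kept.append(ev)
        else:
            suppressed.append({**ev, "excluded_by": ex.scenario})
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_exclusions(SAMPLE_PROCESS_EVENTS)
    for ev in suppressed:
        print("suppressed:", ev["CommandLine"], "->", ev["excluded_by"])
    for ev in kept:
        print("kept:", ev["CommandLine"])
```

Keeping the scenarios as data rather than hard-coded conditions makes each suppression reviewable and lets the suppressed events be counted per scenario, which is how an exclusion that has grown too broad is usually noticed.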