The ThreatFox: FAKEUPDATES IOCs detection rule identifies potential adversary activity linked to malicious update packages that may be used to deliver malware or execute arbitrary code. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage compromise attempts by threat actors leveraging deceptive update mechanisms.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 2
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]124[.]79[.]146:443 | payload_delivery | 2026-05-25 | 100% |
| domain | cpanel.houston-familyoffice.com | botnet_cc | 2026-05-25 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["138.124.79.146"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["138.124.79.146"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["cpanel.houston-familyoffice.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
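To check the three hunts above against known inputs before running them at scale, here is an added Python replay of the same logic over constructed Sentinel-style records. This is example code, not part of the original rule: it refangs the IOC values exactly as the table lists them, builds the IP and domain watchlists the queries declare, and evaluates sample rows with the column names the queries project. The sample events are constructed, not real telemetry, and the `has_any` approximation (a case-insensitive substring test) is an assumption.

```python
"""Replay the three KQL hunts over constructed Sentinel-style records.

Hypothetical example, not part of the original rule; field names follow the
columns the queries use (SourceIP, DestinationIP, RemoteIP, Name).
"""
import ipaddress

# The two IOCs exactly as the page lists them (the IP is defanged with "[.]").
THREATFOX_IOCS = [
    {"type": "ip:port", "value": "138[.]124[.]79[.]146:443", "threat_type": "payload_delivery"},
    {"type": "domain", "value": "cpanel.houston-familyoffice.com", "threat_type": "botnet_cc"},
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form telemetry actually contains."""
    return value.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_watchlists(iocs):
    """Split the feed into the IP set and domain set the KQL queries declare."""
    ips, domains = set(), set()
    for ioc in iocs:
        value = refang(ioc["value"])
        if ioc["type"] == "ip:port":
            host, _, _port = value.rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed feed entry
            ips.add(host)
        elif ioc["type"] == "domain":
            domains.add(value.lower())
    return ips, domains


def hunt_network(events, ips):
    """CommonSecurityLog / DeviceNetworkEvents hunt: either endpoint on the IP watchlist."""
    return [
        e for e in events
        if any(e.get(col) in ips for col in ("SourceIP", "DestinationIP", "RemoteIP"))
    ]


def hunt_dns(events, domains):
    """DnsEvents hunt. KQL has_any is a case-insensitive term match; it is
    approximated here with a case-insensitive substring test (assumption)."""
    return [e for e in events if any(d in e.get("Name", "").lower() for d in domains)]


# Constructed sample telemetry (not real logs): two rows touch the IOC IP, one is benign.
SAMPLE_NETWORK_EVENTS = [
    {"TimeGenerated": "2026-05-25T10:01:00Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "138.124.79.146", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-25T10:02:00Z", "SourceIP": "10.0.0.16",
     "DestinationIP": "203.0.113.9", "DestinationPort": 443, "DeviceAction": "allow"},
    {"Timestamp": "2026-05-25T10:03:00Z", "DeviceName": "ws-042", "RemoteIP": "138.124.79.146",
     "RemotePort": 443, "InitiatingProcessFileName": "msiexec.exe", "ActionType": "ConnectionSuccess"},
]
# Constructed DNS rows: one exact match, one benign lookup, one upper-case match.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-25T10:00:58Z", "Computer": "ws-042",
     "Name": "cpanel.houston-familyoffice.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-25T10:00:59Z", "Computer": "ws-042",
     "Name": "updates.microsoft.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-25T10:04:00Z", "Computer": "srv-07",
     "Name": "CPANEL.HOUSTON-FAMILYOFFICE.COM", "QueryType": "AAAA"},
]


def run_hunt(network_events=SAMPLE_NETWORK_EVENTS, dns_events=SAMPLE_DNS_EVENTS):
    """Return the hits of each hunt, newest first like the KQL `order by ... desc`."""
    ips, domains = build_watchlists(THREATFOX_IOCS)

    def ts(e):
        return e.get("TimeGenerated") or e.get("Timestamp") or ""

    return {
        "network": sorted(hunt_network(network_events, ips), key=ts, reverse=True),
        "dns": sorted(hunt_dns(dns_events, domains), key=ts, reverse=True),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunt().items():
        print(f"{hunt}: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit)
```

The refang step matters because the table carries the IP defanged; pasting `138[.]124[.]79[.]146` into a watchlist would silently match nothing. The `ipaddress` check rejects a malformed feed entry before it reaches a query, and the upper-case DNS row shows why the comparison has to be case-insensitive.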
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled task runs a system update script that downloads a file matching the FAKEUPDATES IOC.
Filter/Exclusion: Exclude files downloaded from known update servers (e.g., file.download.server == "updates.microsoft.com" or file.download.server == "download.docker.com").
Scenario: Admin Performing Software Patching
Description: An admin manually downloads a patch from a trusted source, which coincidentally matches the FAKEUPDATES IOC.
Filter/Exclusion: Exclude files with known admin tools or patching utilities (e.g., file.name contains "patch" or "update" and process.name == "msiexec.exe").
Scenario: Log Collection Tool Using Known Hosts
Description: A log aggregation tool (e.g., Splunk, ELK) connects to a known host that matches a FAKEUPDATES IOC.
Filter/Exclusion: Exclude connections to internal log servers or known monitoring hosts (e.g., destination.host == "splunkserver.example.com" or destination.host == "logserver.prod").
Scenario: Backup Job Using External Storage
Description: A backup process transfers data to an external storage device, which is flagged due to a matching IOC.
Filter/Exclusion: Exclude file transfers involving backup tools (e.g., process.name == "vssadmin.exe" or file.name contains "backup") or external storage devices (e.g., destination.device == "backup-drive-01").
Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline downloads a build artifact from a public repository that matches the FAKEUPDATES IOC.
Filter/Exclusion: Exclude downloads from known CI/CD platforms (e.g., `file.download.server
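The scenarios above describe exclusions in a generic field notation rather than KQL. As an added example that is not part of the original rule, the following Python triages a set of hits against those scenarios so that each suppression is explicit and auditable. The field names (`destination_host`, `process_name`, `file_name`, `destination_device`) mirror the scenario notation, the allowlist values are the ones the scenarios quote, the CI/CD platform entry is a placeholder because the page's own example is cut off, and the sample hits are constructed.

```python
"""Triage IOC hits against the false-positive scenarios listed above.

Hypothetical example, not part of the original rule. Field names and the
allowlist values come from the scenario text or are constructed here.
"""

# Allowlists from the scenarios. Hosts are matched exactly (case-insensitive);
# substring rules are paired with a process or device so they stay narrow.
KNOWN_UPDATE_SERVERS = {"updates.microsoft.com", "download.docker.com"}
KNOWN_LOG_SERVERS = {"splunkserver.example.com", "logserver.prod"}
KNOWN_BACKUP_DEVICES = {"backup-drive-01"}
PATCHING_PROCESSES = {"msiexec.exe"}
BACKUP_PROCESSES = {"vssadmin.exe"}
# The page's CI/CD example is truncated, so this is a placeholder value.
KNOWN_CICD_PLATFORMS = {"cicd.example.invalid"}


def _field(hit, name):
    """Lower-cased string value of a hit field, empty when absent."""
    return str(hit.get(name) or "").lower()


def exclusion_reason(hit):
    """Return which scenario, if any, explains the hit; None means escalate."""
    host = _field(hit, "destination_host")
    proc = _field(hit, "process_name")
    fname = _field(hit, "file_name")
    device = _field(hit, "destination_device")
    if host in KNOWN_UPDATE_SERVERS:
        return "scheduled update from a known update server"
    if proc in PATCHING_PROCESSES and ("patch" in fname or "update" in fname):
        return "admin patching via a known installer"
    if host in KNOWN_LOG_SERVERS:
        return "log collection to a known monitoring host"
    if proc in BACKUP_PROCESSES or "backup" in fname or device in KNOWN_BACKUP_DEVICES:
        return "backup job to known storage"
    if host in KNOWN_CICD_PLATFORMS:
        return "CI/CD artifact download"
    return None


def triage(hits):
    """Split hits into (escalate, suppressed); suppressed rows keep their reason for audit."""
    escalate, suppressed = [], []
    for hit in hits:
        reason = exclusion_reason(hit)
        if reason is None:
            escalate.append(hit)
        else:
            suppressed.append({**hit, "suppressed_by": reason})
    return escalate, suppressed


# Constructed hits (not real alerts): each already matched a FAKEUPDATES IOC.
SAMPLE_HITS = [
    # IP:port match with no hostname and a plain installer: nothing explains it.
    {"ioc": "138.124.79.146:443", "destination_host": "", "process_name": "msiexec.exe",
     "file_name": "setup.exe"},
    {"ioc": "138.124.79.146:443", "destination_host": "updates.microsoft.com",
     "process_name": "msiexec.exe", "file_name": "kb-update.msi"},
    {"ioc": "cpanel.houston-familyoffice.com", "destination_host": "logserver.prod",
     "process_name": "splunkd", "file_name": ""},
    {"ioc": "cpanel.houston-familyoffice.com", "destination_host": "",
     "process_name": "vssadmin.exe", "file_name": "nightly-backup.vhdx",
     "destination_device": "backup-drive-01"},
]

if __name__ == "__main__":
    esc, sup = triage(SAMPLE_HITS)
    print(f"escalate: {len(esc)}, suppressed: {len(sup)}")
    for hit in sup:
        print("  suppressed:", hit["ioc"], "->", hit["suppressed_by"])
```

Two points the code makes explicit: a hit on the `ip:port` IOC that carries no hostname can never be excused by a host allowlist, so it escalates even when the process is `msiexec.exe`, and every suppressed row records which scenario suppressed it, which is what you need when reviewing whether an exclusion has grown too broad.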