The ThreatFox: FAKEUPDATES IOCs detection rule flags network activity involving indicators tied to the FAKEUPDATES campaign (also tracked as SocGholish), which lures visitors of compromised websites into running a fake browser or software update that installs a malware loader, with follow-on malware deployment or credential theft as the usual outcome. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to catch early-stage compromise by actors combining social engineering with compromised legitimate websites. Because these indicators are payload-delivery infrastructure, any hit means an endpoint has at least reached the attacker's servers and should be triaged rather than closed on the strength of an exclusion.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | delivery.fitswowllc.com | payload_delivery | 2026-06-01 | 75% |
| ip:port | 172[.]94[.]9[.]102:443 | payload_delivery | 2026-06-01 | 100% |
| domain | api.ioteromixes.com | payload_delivery | 2026-06-01 | 100% |
Each query below is meant to be run on its own; the indicators are taken from the table above with the defanging brackets removed.

```kusto
// Hunt for network connections to known malicious IPs in CEF/syslog (firewall, proxy) logs
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["172.94.9.102"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// DestinationPort lets you confirm the 443 from the ip:port indicator; DeviceAction shows whether the device blocked it
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - FAKEUPDATES
let malicious_ips = dynamic(["172.94.9.102"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName is the key triage field: it names the process that opened the connection
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["delivery.fitswowllc.com", "api.ioteromixes.com"]);
DnsEvents
// has_any also matches subdomains of the listed names; use "Name in~ (malicious_domains)" for exact matches only
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
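The three hunts above answer the same question against three tables, so an analyst usually wants one result set keyed by host. The query below is an added example, not part of the original rule: it unions the three tables, normalises the columns, also matches the domains against `RemoteUrl` in Defender for Endpoint events, and summarises first/last seen and the initiating processes per host. It assumes the default Sentinel schemas for `CommonSecurityLog`, `DeviceNetworkEvents` and `DnsEvents`; the 30-day lookback is an assumption to adjust to your retention.

```kusto
// Added example (not the original rule's code): one hunt over all three tables for the FAKEUPDATES IOCs.
// Assumes default Sentinel schemas; the lookback window is an assumption.
let lookback = 30d;
let malicious_ips = dynamic(["172.94.9.102"]);
let malicious_domains = dynamic(["delivery.fitswowllc.com", "api.ioteromixes.com"]);
// CEF logs from firewalls/proxies: the endpoint is only known by IP here, so Host carries the non-IOC side.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
    | project TimeGenerated,
              Host = iff(DestinationIP in (malicious_ips), SourceIP, DestinationIP),
              Indicator = iff(DestinationIP in (malicious_ips), DestinationIP, SourceIP),
              Port = DestinationPort,
              Process = "",
              Action = DeviceAction,
              Source = "CommonSecurityLog";
// Defender for Endpoint: match the IP, and the domains via RemoteUrl, which the per-table query above does not check.
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)
    | project TimeGenerated = Timestamp,
              Host = DeviceName,
              Indicator = iff(RemoteIP in (malicious_ips), RemoteIP, RemoteUrl),
              Port = RemotePort,
              Process = InitiatingProcessFileName,
              Action = ActionType,
              Source = "DeviceNetworkEvents";
// DNS: has_any also catches subdomains of the listed names (e.g. cdn.api.ioteromixes.com).
let dns = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | project TimeGenerated,
              Host = Computer,
              Indicator = Name,
              Port = int(null),
              Process = "",
              Action = tostring(QueryType),
              Source = "DnsEvents";
union cef, mde, dns
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Indicators = make_set(Indicator),
            Processes = make_set_if(Process, isnotempty(Process)),
            Sources = make_set(Source)
    by Host
| order by LastSeen desc
```

A host that appears with a DNS hit but no `DeviceNetworkEvents` hit usually means the resolver answered but the connection was blocked or the endpoint is not onboarded to Defender; a host whose `Processes` set contains a browser, `wscript.exe` or `powershell.exe` is the priority case for a fake-update lure.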
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewall, proxy, IDS); ensure it is enabled and that the devices export connection logs |
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender / Defender for Endpoint connector; ensure it is enabled and the endpoints are onboarded |
| DnsEvents | Populated by the DNS Analytics connector from Windows DNS servers; ensure it is enabled, and adjust the table and column names if your DNS logs land elsewhere |
Scenario: Legitimate Windows Update Scheduled Task
Description: A scheduled task is configured to run Windows Update at regular intervals, which may trigger the rule due to similar file names or network activity.
Filter/Exclusion: Key any exclusion on the process field the queries actually expose (InitiatingProcessFileName in DeviceNetworkEvents); none of the tables above has a generic process.name field. Example filter: | where InitiatingProcessFileName !~ "wuauclt.exe". Note that the Windows Update client never contacts the infrastructure listed in the IOC table, so a hit attributed to wuauclt.exe should be confirmed as a misparse or spoofed process before it is excluded.
Scenario: Admin Performing System Patching via PowerShell
Description: An administrator is using PowerShell to manually apply patches or updates, which may involve scripts or tools that match the IOC patterns.
Filter/Exclusion: Exclude only PowerShell invocations whose command line shows a patching tool (Start-Process or Invoke-Command with msiexec.exe or wusa.exe). The condition must be a conjunction; "process.name != powershell.exe OR args NOT LIKE msiexec" is true for almost every event and would suppress real hits. Example filter: | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has_any ("msiexec", "wusa"))
Scenario: Legitimate Software Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) deployment is distributing a legitimate software update, which may include files or network connections matching the IOC.
Filter/Exclusion: Exclude processes associated with SCCM by their file name. Use a single set membership test; "process.name != ccmexec.exe OR process.name != smsutil.exe" is always true and excludes everything. Example filter: | where InitiatingProcessFileName !in~ ("ccmexec.exe", "smsutil.exe")
Scenario: Backup Job Using Acronis or Veeam
Description: A backup job is running using Acronis or Veeam, which may involve network activity or file operations that resemble malicious behavior.
Filter/Exclusion: Exclude processes related to backup tools by their file name, again as one set membership test rather than two OR-ed inequalities. Example filter: | where InitiatingProcessFileName !in~ ("acronis.exe", "veeam.exe"). Verify the actual binary names of the installed product version before relying on the list.
Scenario: Internal Development Tool with Similar Naming
Description: A development tool or internal script uses a name similar