The ThreatFox: IClickFix IOCs rule detects potential adversary activity associated with the IClickFix threat group, which is known for deploying malicious payloads and exfiltrating data. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate advanced persistent threats that use these IOCs to compromise endpoints and networks.
IOC Summary

Malware Family: IClickFix
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | codex.gr.com | botnet_cc | 2026-05-31 | 100% |
| domain | protonvpn.co.com | botnet_cc | 2026-05-31 | 100% |
| domain | notebooklm.gr.com | botnet_cc | 2026-05-31 | 100% |
| domain | deepseek.gr.com | botnet_cc | 2026-05-31 | 100% |
| domain | qwen.co.com | botnet_cc | 2026-05-31 | 100% |
| domain | zai.gr.com | botnet_cc | 2026-05-31 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - IClickFix
let malicious_domains = dynamic(["codex.gr.com", "protonvpn.co.com", "notebooklm.gr.com", "deepseek.gr.com", "qwen.co.com", "zai.gr.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
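Added example (not part of the page or of ThreatFox): a Python equivalent of the hunt above that matches query names against the six IOC domains on whole DNS labels, so a subdomain such as `api.codex.gr.com` is a hit while `notcodex.gr.com` or `codex.gr.com.example.net` is not. The DnsEvents-style records are constructed; `has_any` in the KQL query matches on term phrases and approximates the same semantics.

```python
# Added example: label-aware matching of DNS query names against the IOC list above.
# The IOC values are the page's; the DnsEvents-style records below are constructed.
import csv
import io
from typing import Iterable, Optional

MALICIOUS_DOMAINS = [
    "codex.gr.com", "protonvpn.co.com", "notebooklm.gr.com",
    "deepseek.gr.com", "qwen.co.com", "zai.gr.com",
]

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Codex.GR.com.' equals 'codex.gr.com'."""
    return name.strip().lower().rstrip(".")

def matches_ioc(query_name: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that the query name equals or is a subdomain of, else None.

    Matching respects DNS label boundaries: 'api.codex.gr.com' hits 'codex.gr.com',
    but 'notcodex.gr.com' (substring) and 'codex.gr.com.example.net' (prefix) do not.
    """
    q = normalize(query_name)
    for ioc in iocs:
        d = normalize(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None

# Constructed DnsEvents-like records: TimeGenerated, Computer, Name (query name).
SAMPLE_DNS_EVENTS = """\
TimeGenerated,Computer,Name
2026-06-01T08:00:01Z,WS-017,api.CODEX.gr.com.
2026-06-01T08:00:05Z,WS-017,notcodex.gr.com
2026-06-01T08:01:10Z,SRV-DB1,codex.gr.com.example.net
2026-06-01T08:02:33Z,WS-042,qwen.co.com
2026-06-01T08:03:00Z,WS-042,wsus.example.net
"""

def hunt(csv_text: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> list:
    """Python equivalent of the hunt query: keep records whose Name hits an IOC."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc = matches_ioc(row["Name"], iocs)
        if ioc:
            hits.append({**row, "MatchedIOC": ioc})
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```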
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs a script that uses a tool like PowerShell or Task Scheduler to clean up temporary files or update system configurations.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or those with a command line containing clean, cleanup, or update.
Scenario: Admin using ThreatFox for IOC validation
Description: A security analyst manually checks known IOCs against the ThreatFox database using the ThreatFox API or web interface as part of routine threat intelligence validation.
Filter/Exclusion: Exclude processes with a command line containing ThreatFox, api, or validate.
Scenario: Legitimate software update process
Description: A system administrator uses a tool like Chocolatey or WSUS to deploy updates, which may involve downloading files that match the IOC pattern.
Filter/Exclusion: Exclude processes initiated by Chocolatey or WSUS, or those with update-related command lines.
Scenario: Log file parsing or forensic analysis
Description: A security tool like LogParser or ELK Stack is used to analyze log files, which may include entries that resemble IOC patterns.
Filter/Exclusion: Exclude processes with a command line containing log, parse, analyze, or ELK.
Scenario: System backup or restore operation
Description: A backup tool like Veeam, Acronis, or rsync is used to back up or restore system files, which may involve file paths or commands that match the IOC pattern.
Filter/Exclusion: Exclude processes initiated by backup tools or those with command lines containing backup, restore, or rsync.