The ThreatFox: magecart IOCs rule detects potential Magecart activity by matching network telemetry against the indicators ThreatFox publishes for this malware family. Magecart is a web-skimming technique: attackers inject JavaScript into the checkout pages of compromised e-commerce sites and send captured card data to infrastructure they control. Most of the indicators below are typosquats of legitimate front-end CDN hostnames (code.jquery.com, bootstrapcdn.com, cdnjs.cloudflare.com, ajax.googleapis.com, mc.yandex.ru), chosen so that an injected script tag blends in with the page's real dependencies. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate supply chain attacks that could compromise customer data and payment transactions.
IOC Summary
Malware Family: magecart
Total IOCs: 24
IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | code-jquery.net | payload_delivery | 2026-06-03 | 100% |
| domain | code-jquery.com | payload_delivery | 2026-06-03 | 100% |
| domain | bootstrapccdn.com | payload_delivery | 2026-06-03 | 100% |
| domain | bootstrapscdn.com | payload_delivery | 2026-06-03 | 100% |
| domain | cdnjs.cloudflire.com | payload_delivery | 2026-06-03 | 100% |
| domain | cdnjs.cloudflire.net | payload_delivery | 2026-06-03 | 100% |
| domain | cdnjs.bootstrapscdn.com | payload_delivery | 2026-06-03 | 100% |
| domain | ajax.googleaips.net | payload_delivery | 2026-06-03 | 100% |
| domain | cdn.googleaips.net | payload_delivery | 2026-06-03 | 100% |
| domain | stat.keitaro.company | payload_delivery | 2026-06-03 | 100% |
| domain | mc.yadnex.net | payload_delivery | 2026-06-03 | 100% |
| ip:port | 138[.]68[.]80[.]126:443 | payload_delivery | 2026-06-03 | 100% |
| ip:port | 164[.]92[.]242[.]121:443 | payload_delivery | 2026-06-03 | 100% |
| ip:port | 209[.]38[.]212[.]9:443 | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://code-jquery.net/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://code-jquery.com/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://bootstrapccdn.com/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://bootstrapscdn.com/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://cdnjs.cloudflire.net/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://cdnjs.cloudflire.com/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://cdnjs.bootstrapscdn.com/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://ajax.googleaips.net/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://stat.keitaro.company/ws | botnet_cc | 2026-06-03 | 100% |
| url | hxxps://mc.yadnex.net/ws | botnet_cc | 2026-06-03 | 100% |
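Before the indicators can be used in a query they have to be fanged (the `[.]` and `hxxps` conventions removed), the `ip:port` entries split, and the domain matching semantics decided. The script below is an added example and is not part of the ThreatFox feed or the Sentinel rule: it takes a subset of the rows from the table above, builds the indicator sets, renders the KQL `let` lists, and classifies a few constructed events with label-boundary suffix matching so that `www.code-jquery.net` is a hit while the legitimate `cdnjs.cloudflare.com` is not. The event field names (`dns_name`, `remote_ip`, `url`) are assumptions for the sake of the example.

```python
"""Turn defanged ThreatFox rows into hunt-ready indicator sets and KQL `let` lists.

Added example, not the ThreatFox feed's or the Sentinel rule's own code.
IOC_ROWS is a subset of the table on this page; the events fed to
classify_event() are constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Defanged (type, value) pairs copied from the IOC table above.
IOC_ROWS = [
    ("domain", "code-jquery.net"),
    ("domain", "cdnjs.cloudflire.com"),
    ("domain", "mc.yadnex.net"),
    ("ip:port", "138[.]68[.]80[.]126:443"),
    ("ip:port", "209[.]38[.]212[.]9:443"),
    ("url", "hxxps://code-jquery.net/ws"),
    ("url", "hxxps://cdnjs.cloudflire.com/ws"),
]


def fang(value: str) -> str:
    """Reverse the common defanging conventions ([.] / (.) and hxxp/hxxps)."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    if value.lower().startswith("hxxp"):
        value = "http" + value[4:]
    return value


def build_indicator_sets(rows):
    """Split rows into fanged sets keyed by indicator kind.

    ip:port entries are split so the IP can be matched on its own; the port
    is kept separately because many CEF/NetFlow sources record only the IP.
    """
    sets = {"domains": set(), "ips": set(), "ip_ports": set(), "urls": set()}
    for kind, raw in rows:
        value = fang(raw)
        if kind == "domain":
            sets["domains"].add(value.lower().rstrip("."))
        elif kind == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            sets["ips"].add(ip)
            sets["ip_ports"].add((ip, int(port)))
        elif kind == "url":
            sets["urls"].add(value)
            # The URL's host is itself a usable domain indicator.
            sets["domains"].add(urlsplit(value).hostname.lower())
    return sets


def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array literal."""
    return f"let {name} = dynamic({json.dumps(sorted(values))});"


def domain_matches(name: str, domains) -> bool:
    """True if `name` equals an indicator domain or is a sub-domain of one.

    Matching on a label boundary keeps `www.code-jquery.net` a hit while
    `notcode-jquery.net` and the legitimate `cdnjs.cloudflare.com` miss.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify_event(event: dict, sets) -> list:
    """Return the indicator kinds a constructed event hits (empty list = clean)."""
    hits = []
    if domain_matches(event.get("dns_name", ""), sets["domains"]):
        hits.append("domain")
    if event.get("remote_ip") in sets["ips"]:
        hits.append("ip")
    url = event.get("url")
    if url:
        if url in sets["urls"]:
            hits.append("url")
        elif domain_matches(urlsplit(url).hostname or "", sets["domains"]):
            hits.append("url-host")  # same C2 host, different path
    return hits


if __name__ == "__main__":
    ioc = build_indicator_sets(IOC_ROWS)
    print(kql_let("malicious_domains", ioc["domains"]))
    print(kql_let("malicious_ips", ioc["ips"]))
    print(classify_event({"dns_name": "cdnjs.cloudflare.com"}, ioc))  # legitimate CDN
    print(classify_event({"url": "https://code-jquery.net/ws"}, ioc))
```

The `url-host` outcome is the one the KQL above does not produce: an exact URL list misses the same C2 host under a different path, so hunting on the URL host as a domain indicator closes that gap.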
```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// (firewall, proxy, NetFlow). Port 443 is not filtered on purpose: many
// sources log only the IP, and the same host may be contacted on other ports.
// Source: ThreatFox - magecart
let malicious_ips = dynamic(["138.68.80.126", "209.38.212.9", "164.92.242.121"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events. InitiatingProcessFileName
// tells you whether the connection came from a browser (a user visiting a
// skimmed checkout page) or from a server-side process (a compromised host).
// Source: ThreatFox - magecart
let malicious_ips = dynamic(["138.68.80.126", "209.38.212.9", "164.92.242.121"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains. has_any matches on term
// boundaries, so sub-domains such as www.code-jquery.net are also caught,
// while the legitimate cdnjs.cloudflare.com and code.jquery.com are not.
// Source: ThreatFox - magecart
let malicious_domains = dynamic(["code-jquery.net", "code-jquery.com", "bootstrapccdn.com", "bootstrapscdn.com", "cdnjs.cloudflire.com", "cdnjs.cloudflire.net", "cdnjs.bootstrapscdn.com", "ajax.googleaips.net", "cdn.googleaips.net", "stat.keitaro.company", "mc.yadnex.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs (the botnet_cc entries above).
// Caveat: UrlClickEvents holds Safe Links click telemetry from Defender for
// Office 365 (links clicked in mail and Teams). A skimmer's /ws endpoint is
// fetched by injected script on a checkout page, not clicked by a user, so
// expect few hits here; proxy logs (CommonSecurityLog RequestURL) and
// DeviceNetworkEvents RemoteUrl are the more likely sources.
// Source: ThreatFox - magecart
let malicious_urls = dynamic(["https://code-jquery.net/ws", "https://code-jquery.com/ws", "https://bootstrapccdn.com/ws", "https://bootstrapscdn.com/ws", "https://cdnjs.cloudflire.net/ws", "https://cdnjs.cloudflire.com/ws", "https://cdnjs.bootstrapscdn.com/ws", "https://ajax.googleaips.net/ws", "https://stat.keitaro.company/ws", "https://mc.yadnex.net/ws"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (Azure Monitor Agent); ensure firewall and proxy devices forward to it |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector with Defender for Endpoint onboarded devices |
| DnsEvents | Populated by the Windows DNS Events connector; internal resolvers must be covered or lookups will be missed |
| UrlClickEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Office 365 Safe Links and only records clicked links |
The exclusions below are written against process-creation telemetry (command line plus destination) and do not apply to the IOC match queries above, which key on destination IP, domain and URL alone. A connection to any listed indicator, even from rsync, curl or git, is still a hit worth investigating; scope these exclusions to the tool and destination named, never to the indicator.
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled job runs rsync to back up system files to a remote server.
Filter/Exclusion: Exclude processes where the command line includes rsync and the destination is a known backup server or directory.
Scenario: Admin Task Using curl to Fetch Configuration from Internal API
Description: An admin uses curl to fetch configuration updates from an internal API endpoint.
Filter/Exclusion: Exclude processes where the command line includes curl and the URL matches an internal API endpoint (e.g., https://api.internal.configsvc.com/).
Scenario: Log Collection Using fluentd or logstash
Description: A log aggregation tool such as fluentd or logstash sends logs to a central logging server.
Filter/Exclusion: Exclude processes where the command line includes fluentd or logstash and the destination is a known log server or SaaS provider.
Scenario: CI/CD Pipeline Using git to Pull Code from Internal Repo
Description: A CI/CD pipeline runs git pull to fetch code from an internal Git repository.
Filter/Exclusion: Exclude processes where the command line includes git pull and the repository URL is an internal Git server (e.g., https://git.internal.company.com/).
Scenario: Database Backup Using mysqldump or pg_dump
Description: A database administrator uses mysqldump or pg_dump to create a backup of a database.
Filter/Exclusion: Exclude processes where the command line includes mysqldump or pg_dump and the output directory is a known backup location.