The ThreatFox: OtterCookie IOCs rule detects DNS queries for domains that ThreatFox attributes to the OtterCookie malware, which is reported to exfiltrate sensitive data and establish persistence. All three IOCs are typed botnet_cc, so a match indicates a host resolving OtterCookie command-and-control infrastructure rather than the exfiltration itself. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) to identify hosts that may be beaconing and contain them before organizational data is exposed.
IOC Summary
Malware Family: OtterCookie
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | cloudflareinsights.vercel.app | botnet_cc | 2026-04-23 | 49% |
| domain | cloudflarefirewall.vercel.app | botnet_cc | 2026-04-23 | 49% |
| domain | cloudflaresecurity.vercel.app | botnet_cc | 2026-04-23 | 49% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - OtterCookie
// has_any is term-based and case-insensitive; it does not match look-alike
// legitimate names such as cloudflareinsights.com
let malicious_domains = dynamic(["cloudflareinsights.vercel.app", "cloudflarefirewall.vercel.app", "cloudflaresecurity.vercel.app"]);
DnsEvents
| where TimeGenerated > ago(30d)   // bound the lookback; widen for a historical hunt
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP is the host that asked
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
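The following is an added example, not part of the ThreatFox feed or the Sentinel rule: it re-implements the hunt's domain matching in Python over constructed DnsEvents-style records so the matching semantics can be checked offline. It matches on a label boundary (the IOC itself or a subdomain of it) rather than by substring, which matters here because the IOCs imitate Cloudflare names and a loose match would also flag Cloudflare's legitimate static.cloudflareinsights.com. The allowlisted sandbox client IP and all sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The three OtterCookie C2 domains from the IOC table above.
IOC_DOMAINS = {
    "cloudflareinsights.vercel.app",
    "cloudflarefirewall.vercel.app",
    "cloudflaresecurity.vercel.app",
}

# Assumed allowlist (hypothetical, not from the page): client IPs of security
# tooling that deliberately resolves known-bad names, e.g. a detonation sandbox.
SCANNER_CLIENTS = {"10.20.30.40"}


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the DnsEvents columns the hunt projects."""
    time_generated: str
    computer: str    # DNS server that logged the query
    client_ip: str   # host that issued the query
    name: str        # queried name, as logged
    query_type: str


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot a resolver may log (FQDN form)."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Suffix matching on a label boundary, not substring matching: a substring
    test on 'cloudflareinsights' would also hit static.cloudflareinsights.com.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent],
         iocs: Iterable[str] = IOC_DOMAINS,
         excluded_clients: Iterable[str] = SCANNER_CLIENTS) -> List[Tuple[str, str, str, str, str]]:
    """Mirror of the KQL: keep IOC matches, drop allowlisted scanner clients,
    project the hunt columns and sort newest first."""
    excluded = set(excluded_clients)
    hits = []
    for ev in events:
        ioc = matches_ioc(ev.name, iocs)
        if ioc is None or ev.client_ip in excluded:
            continue
        hits.append((ev.time_generated, ev.computer, ev.client_ip, ev.name, ioc))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample records for this example; not real telemetry.
SAMPLE_EVENTS = [
    DnsEvent("2026-04-24T10:00:00Z", "dns01", "10.0.0.15", "cloudflareinsights.vercel.app", "A"),
    DnsEvent("2026-04-24T10:05:00Z", "dns01", "10.0.0.22", "static.cloudflareinsights.com", "A"),      # legitimate look-alike
    DnsEvent("2026-04-24T10:07:00Z", "dns01", "10.20.30.40", "cloudflarefirewall.vercel.app", "A"),    # sandbox client, allowlisted
    DnsEvent("2026-04-24T10:09:00Z", "dns02", "10.0.0.31", "api.CloudflareSecurity.vercel.app.", "AAAA"),  # subdomain, mixed case, trailing dot
    DnsEvent("2026-04-24T10:11:00Z", "dns02", "10.0.0.31", "vercel.app", "A"),                         # parent zone, not an IOC
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

Run against the sample set, only the 10:09 subdomain lookup from 10.0.0.31 and the 10:00 lookup from 10.0.0.15 are returned; the Cloudflare look-alike, the parent zone and the allowlisted sandbox client are dropped.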
False Positive Scenarios
The scenarios below were written for file- and registry-based IOCs. This rule's IOCs are three DNS domains and the query reads DnsEvents, which carries no process, file or registry columns, so the process- and file-based filters listed under each scenario cannot be expressed against it. The realistic benign source of a match is security tooling that resolves known-bad names on purpose (sandboxes, URL scanners, threat-intel enrichment); suppress those by excluding their ClientIP values, and treat any other host resolving these domains as a finding.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches file or registry IOCs (e.g., ottercookie.exe or specific registry keys) as part of a maintenance task. Neither IOC type is part of this rule.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.name == "schtasks.exe"
Scenario: Admin Tool for Configuration Management
Description: An administrator uses a tool such as PowerShell or Windows Task Scheduler to deploy a configuration script that temporarily uses a file or registry key associated with the IOC.
Filter/Exclusion: (process.name == "powershell.exe" and process.args contains "Configure-System") or process.parent_process == "Windows Task Scheduler"
Scenario: Legitimate Software Installation
Description: A legitimate software package (e.g., Microsoft Endpoint Protection) includes a file or registry entry that matches the IOC due to a naming collision.
Filter/Exclusion: file.name contains "Microsoft Endpoint Protection" or file.path contains "C:\Program Files\Microsoft"
Scenario: Automated Log Collection Tool
Description: A log collection tool such as Splunk or the ELK Stack runs a script that temporarily creates a file or uses a registry key that matches the IOC.
Filter/Exclusion: (process.name == "splunkd.exe" or process.name == "logstash.exe") and process.args contains "collect"
Scenario: User-Initiated File Cleanup Task
Description: A user runs a file cleanup tool (e.g., CCleaner) that deletes or modifies files that match the IOC due to a naming similarity.
Filter/Exclusion: (process.name == "ccleaner.exe" or process.name == "cleanmgr.exe") and process.args contains