The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malicious network traffic and command-and-control communication. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise from advanced persistent threats leveraging known malicious infrastructure.
IOC Summary

Malware Family: SmartApeSG
Total IOCs: 9
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://crystalrocketlab.top/tenant/session-render | payload_delivery | 2026-05-26 | 100% |
| domain | crystalrocketlab.top | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://crystalrocketlab.top/tenant/acl-layout.js | payload_delivery | 2026-05-26 | 100% |
| url | hxxp://5[.]161[.]242[.]221 | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://velvetcompassstudio.com/zip | payload_delivery | 2026-05-26 | 100% |
| domain | velvetcompassstudio.com | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://silentquarry.top/tenant/session-render | payload_delivery | 2026-05-26 | 100% |
| domain | silentquarry.top | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://silentquarry.top/tenant/acl-layout.js | payload_delivery | 2026-05-26 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["crystalrocketlab.top", "velvetcompassstudio.com", "silentquarry.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://crystalrocketlab.top/tenant/session-render", "https://crystalrocketlab.top/tenant/acl-layout.js", "http://5.161.242.221", "https://velvetcompassstudio.com/zip", "https://silentquarry.top/tenant/session-render", "https://silentquarry.top/tenant/acl-layout.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
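The IOC table above is published defanged (`hxxps://`, `[.]`), so the values have to be refanged before they are pasted into the `dynamic([...])` lists, and the IP-only URL IOC (`hxxp://5[.]161[.]242[.]221`) has no matching `domain` row, so a query that hunts on domains alone would miss it. The following script is an added example, not part of the ThreatFox feed or the original rule: it refangs the table, derives the domain and URL watchlists in the exact KQL `let` form used by the queries above, builds a third host list that also covers hosts that appear only inside URL IOCs, and runs an offline match over constructed sample records shaped like the `DnsEvents` and `UrlClickEvents` columns. The sample records, the `refang`/`build_watchlists`/`match_records` helper names, and the host-level matching are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the defanged IOC table from the page (type, value).
DEFANGED_IOCS = [
    ("url", "hxxps://crystalrocketlab.top/tenant/session-render"),
    ("domain", "crystalrocketlab.top"),
    ("url", "hxxps://crystalrocketlab.top/tenant/acl-layout.js"),
    ("url", "hxxp://5[.]161[.]242[.]221"),
    ("url", "hxxps://velvetcompassstudio.com/zip"),
    ("domain", "velvetcompassstudio.com"),
    ("url", "hxxps://silentquarry.top/tenant/session-render"),
    ("domain", "silentquarry.top"),
    ("url", "hxxps://silentquarry.top/tenant/acl-layout.js"),
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values match live telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def build_watchlists(iocs):
    """Return (domains, urls, hosts).

    hosts is every hostname or IP seen in any IOC, including hosts that only
    appear inside URL IOCs (here the bare IP 5.161.242.221).
    """
    domains, urls, hosts = [], [], []
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "domain":
            domains.append(value)
            host = value
        elif ioc_type == "url":
            urls.append(value)
            host = urlparse(value).hostname
        else:
            continue  # other ThreatFox IOC types (hashes etc.) are out of scope here
        if host and host not in hosts:
            hosts.append(host)
    return domains, urls, hosts


def to_kql_dynamic(name, values):
    """Render a KQL 'let' statement holding a dynamic array literal."""
    items = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{items}]);"


def match_records(records, hosts):
    """Offline check: flag records whose DNS name or URL host is on the host list.

    Matching on the host rather than the full URL string also catches variants
    of the same infrastructure (different path, trailing slash, query string).
    """
    hits = []
    for rec in records:
        host = rec.get("Name") or urlparse(rec.get("Url", "")).hostname
        if host and host.lower() in hosts:
            hits.append(rec)
    return hits


# Constructed sample telemetry in the shape of the DnsEvents / UrlClickEvents columns.
SAMPLE_RECORDS = [
    {"Computer": "ws01", "Name": "silentquarry.top"},
    {"Computer": "ws02", "Name": "updates.microsoft.com"},
    {"AccountUpn": "a@example.com", "Url": "https://crystalrocketlab.top/tenant/acl-layout.js?v=2"},
    {"AccountUpn": "b@example.com", "Url": "http://5.161.242.221/"},
    {"AccountUpn": "c@example.com", "Url": "https://example.org/zip"},
]

if __name__ == "__main__":
    domains, urls, hosts = build_watchlists(DEFANGED_IOCS)
    print(to_kql_dynamic("malicious_domains", domains))
    print(to_kql_dynamic("malicious_urls", urls))
    for hit in match_records(SAMPLE_RECORDS, hosts):
        print("HIT", hit)
```

Running the script prints the two `let` lines ready to paste into the queries above, followed by the three sample records that touch listed infrastructure. The generated `hosts` list is the one to hunt on in tables that carry a hostname or destination IP column, since it includes the bare IP that the domain list does not.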
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using smartape command
Description: A system administrator schedules a legitimate job using the smartape command for system diagnostics or maintenance.
Filter/Exclusion: Exclude processes where the command line includes smartape and the process is associated with a known admin task (e.g., /usr/sbin/smartape -d).
Scenario: Regular use of smartape for storage monitoring
Description: The IT team uses smartape as part of their storage monitoring tools to check disk health or performance.
Filter/Exclusion: Exclude processes where the command line includes smartape and the process is initiated from a known monitoring tool (e.g., /opt/storage_tools/smartape_check.sh).
Scenario: System update or patching using smartape
Description: A system update or patching process uses smartape to verify system integrity or apply patches.
Filter/Exclusion: Exclude processes where the command line includes smartape and the process is initiated from a known update tool (e.g., /usr/local/bin/update_smartape.sh).
Scenario: Log analysis using smartape parser
Description: A log analysis tool uses smartape to parse and analyze system logs for performance or error tracking.
Filter/Exclusion: Exclude processes where the command line includes smartape and the process is initiated from a known log analysis tool (e.g., /opt/log_analyzer/smartape_parser.py).
Scenario: Third-party tool integration with smartape
Description: A third-party system management tool integrates with smartape to collect system metrics or perform health checks.
Filter/Exclusion: Exclude processes where the command line includes smartape and the process is