The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command and control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 5
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://openmeadowlab.top/health/session-deploy.js | payload_delivery | 2026-06-06 | 100% |
| domain | openmeadowlab.top | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://openmeadowlab.top/health/public-layout | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://openmeadowlab.top/health/signup-module.js | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://copperbeacon.top/health/session-deploy.js | payload_delivery | 2026-06-06 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["openmeadowlab.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://openmeadowlab.top/health/session-deploy.js", "https://openmeadowlab.top/health/public-layout", "https://openmeadowlab.top/health/signup-module.js", "https://copperbeacon.top/health/session-deploy.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
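As an added example (not part of the ThreatFox rule or this page's queries), the same hunt carried out offline in Python over constructed DNS log lines: the IOC values are refanged, the host of every URL IOC is folded into the domain watchlist (which brings in copperbeacon.top, listed above only as a URL), and queried names are matched as an exact domain or subdomain rather than as a substring. The log format and the entries in SAMPLE_DNS are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# IOC values copied from the table above, still defanged (hxxps)
IOC_URLS = [
    "hxxps://openmeadowlab.top/health/session-deploy.js",
    "hxxps://openmeadowlab.top/health/public-layout",
    "hxxps://openmeadowlab.top/health/signup-module.js",
    "hxxps://copperbeacon.top/health/session-deploy.js",
]
IOC_DOMAINS = ["openmeadowlab.top"]

# Constructed sample DNS log lines (timestamp host queried_name); not real telemetry
SAMPLE_DNS = [
    "2026-06-06T10:01:02Z WS01 openmeadowlab.top",
    "2026-06-06T10:01:05Z WS01 copperbeacon.top",
    "2026-06-06T10:02:00Z WS02 notopenmeadowlab.top",
    "2026-06-06T10:03:00Z WS03 www.openmeadowlab.top",
]

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable value."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

def domain_watchlist(urls=IOC_URLS, domains=IOC_DOMAINS):
    """Listed domains plus the host of every listed URL, lower-cased.
    This also covers copperbeacon.top, which appears only as a URL IOC."""
    hosts = {urlsplit(refang(u)).hostname.lower() for u in urls}
    return hosts | {refang(d).lower() for d in domains}

def domain_matches(qname, watchlist):
    """Exact or subdomain match only; a lookalike such as
    notopenmeadowlab.top is not treated as a hit."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in watchlist)

def hunt_dns(lines=SAMPLE_DNS, watchlist=None):
    """Return (timestamp, host, queried_name) for each log line on the watchlist."""
    if watchlist is None:
        watchlist = domain_watchlist()
    hits = []
    for line in lines:
        ts, host, qname = line.split()[:3]
        if domain_matches(qname, watchlist):
            hits.append((ts, host, qname))
    return hits

if __name__ == "__main__":
    for hit in hunt_dns():
        print(*hit)
```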
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job running SmartApeSG tool for system diagnostics | Exclude processes associated with scheduled tasks (e.g., schtasks.exe or at.exe) or filter by process name SmartApeSG.exe with a known legitimate command-line argument. |
| System administrator using SmartApeSG for network performance monitoring | Exclude processes initiated from administrative command-line tools (e.g., cmd.exe or powershell.exe) with a known admin task identifier or user context (e.g., NT AUTHORITY\SYSTEM). |
| Regular maintenance task using SmartApeSG for log analysis | Exclude processes that match a known maintenance task name (e.g., SmartApeSG_Maintenance.exe) or filter by a specific time window (e.g., during off-peak hours). |
| SmartApeSG used in a DevOps pipeline for CI/CD environment testing | Exclude processes that originate from CI/CD agents (e.g., Jenkins.exe, Git.exe, or Docker.exe) or filter by a specific project or pipeline identifier. |
| SmartApeSG used in a security testing environment for vulnerability scanning | Exclude processes running in a sandboxed or isolated environment (e.g., sandbox.exe, vmtoolsd.exe, or qemu-system-x86_64.exe) or filter by a specific test environment tag. |