The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 3
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://copperhorizon.top/principal/acl-payload | payload_delivery | 2026-06-09 | 100% |
| domain | copperhorizon.top | payload_delivery | 2026-06-09 | 100% |
| url | hxxps://copperhorizon.top/principal/signup-template.js | payload_delivery | 2026-06-09 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["copperhorizon.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://copperhorizon.top/principal/acl-payload", "https://copperhorizon.top/principal/signup-template.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
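The two queries above rely on the IOC values being refanged (hxxps to https) and on a domain match also catching subdomains. The following Python script is an added example, not part of the ThreatFox rule page, that applies the same hunting logic offline: it refangs the published IOCs, derives the domain watchlist from both the domain IOC and the hosts of the URL IOCs, and scans DNS-query and web-proxy log lines for hits. It goes slightly beyond the KQL by also flagging a proxy request to any path on an IOC domain, not only the two exact URLs. The log lines, hostnames and line layout are constructed for illustration; only the IOC values come from the page.

```python
"""Offline IOC matcher for the ThreatFox SmartApeSG indicators.

Added example, not code from the rule page. Log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# IOC values exactly as published on the page (defanged form).
IOCS = [
    ("url", "hxxps://copperhorizon.top/principal/acl-payload"),
    ("domain", "copperhorizon.top"),
    ("url", "hxxps://copperhorizon.top/principal/signup-template.js"),
]

# Constructed sample logs (not real telemetry): "<time> <host> query <type> <name>"
SAMPLE_DNS = [
    "2026-06-09T10:01:02Z host-17 query A copperhorizon.top",
    "2026-06-09T10:01:05Z host-17 query A cdn.copperhorizon.top",
    "2026-06-09T10:02:00Z host-22 query A example.com",
]
# Constructed sample proxy lines: "<time> <host> <method> <url> <status>"
SAMPLE_PROXY = [
    "2026-06-09T10:01:03Z host-17 GET https://copperhorizon.top/principal/acl-payload 200",
    "2026-06-09T10:01:06Z host-17 GET https://copperhorizon.top/principal/signup-template.js 200",
    "2026-06-09T10:03:00Z host-22 GET https://example.com/index.html 200",
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_watchlists(iocs):
    """Return (domains, urls). Hosts of URL IOCs are added to the domain set
    so a DNS hunt catches them even when no separate domain IOC was published."""
    domains, urls = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw).lower().rstrip("/")
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "url":
            urls.add(value)
            host = urlparse(value).hostname
            if host:
                domains.add(host)
    return domains, urls


def match_domain(name: str, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def match_url(url: str, urls):
    """Exact match on the normalized URL (lowercased, trailing slash dropped)."""
    normalized = url.lower().rstrip("/")
    return normalized if normalized in urls else None


def hunt(dns_lines, proxy_lines, iocs=IOCS):
    """Scan DNS and proxy lines; return a list of hit records in input order."""
    domains, urls = build_watchlists(iocs)
    hits = []
    for line in dns_lines:
        name = line.split()[-1]            # queried name is the last field
        ioc = match_domain(name, domains)
        if ioc:
            hits.append({"source": "dns", "ioc": ioc, "line": line})
    for line in proxy_lines:
        url = line.split()[3]              # URL is the fourth field
        ioc = match_url(url, urls) or match_domain(urlparse(url).hostname or "", domains)
        if ioc:
            hits.append({"source": "url", "ioc": ioc, "line": line})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_PROXY):
        print(f"[{hit['source']}] {hit['ioc']} <- {hit['line']}")
```

In a real pipeline the two sample lists would be replaced by exported DnsEvents and UrlClickEvents rows; the matching functions are the part worth keeping, since they make the refanging and subdomain handling explicit rather than relying on how `has_any` tokenizes a URL.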
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using SmartApeSG tool
Description: A system administrator schedules a legitimate backup or maintenance task using the SmartApeSG tool, which may trigger the rule due to its association with the IOC.
Filter/Exclusion: `process.name != "SmartApeSG" OR process.parent.name == "schtasks.exe"`

Scenario: Admin using SmartApeSG for network monitoring
Description: A network administrator uses SmartApeSG as part of a legitimate network monitoring or diagnostic tool, which may be flagged by the rule.
Filter/Exclusion: `process.name != "SmartApeSG" OR user.name == "NetworkAdmin"`

Scenario: Scheduled system cleanup using SmartApeSG
Description: A system cleanup task is scheduled via Task Scheduler, and the SmartApeSG tool is used as part of the cleanup process, triggering the rule.
Filter/Exclusion: `process.parent.name == "schtasks.exe" OR process.name != "SmartApeSG"`

Scenario: Legitimate software update using SmartApeSG
Description: A software update process uses SmartApeSG as part of its deployment pipeline, which may be flagged by the rule.
Filter/Exclusion: `process.name != "SmartApeSG" OR process.parent.name == "msiexec.exe"`

Scenario: SmartApeSG used in a DevOps pipeline
Description: A DevOps engineer uses SmartApeSG as part of an automated CI/CD pipeline for testing or deployment, which may trigger the rule.
Filter/Exclusion: `process.parent.name == "jenkins.exe" OR process.name != "SmartApeSG"`