The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated and persistent threat actor.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 7
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://bronzepavilion.top/signin/auth-json | payload_delivery | 2026-06-12 | 100% |
| domain | bronzepavilion.top | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://bronzepavilion.top/signin/route-script.js | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://linenvoyage.top/signin/profile-parser.js | payload_delivery | 2026-06-12 | 100% |
| domain | linenvoyage.top | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://linenvoyage.top/signin/auth-json | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://linenvoyage.top/signin/route-script.js | payload_delivery | 2026-06-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["bronzepavilion.top", "linenvoyage.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic([
    "https://bronzepavilion.top/signin/auth-json",
    "https://bronzepavilion.top/signin/route-script.js",
    "https://linenvoyage.top/signin/profile-parser.js",
    "https://linenvoyage.top/signin/auth-json",
    "https://linenvoyage.top/signin/route-script.js"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
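The IOC table publishes its values defanged (`hxxps://`), while the hunting queries need the live form, and a domain watchlist should also catch lookups of subdomains without matching unrelated names that merely contain the string. The helper below is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the table's IOCs, derives the domain and URL watchlists (each URL IOC also contributes its host), emits the `dynamic([...])` literals used in the queries above, and runs the same matching logic over a few constructed DNS and URL events. The event records and machine names are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# IOCs exactly as published in the table above, still defanged.
DEFANGED_IOCS = [
    ("url", "hxxps://bronzepavilion.top/signin/auth-json"),
    ("domain", "bronzepavilion.top"),
    ("url", "hxxps://bronzepavilion.top/signin/route-script.js"),
    ("url", "hxxps://linenvoyage.top/signin/profile-parser.js"),
    ("domain", "linenvoyage.top"),
    ("url", "hxxps://linenvoyage.top/signin/auth-json"),
    ("url", "hxxps://linenvoyage.top/signin/route-script.js"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop query/fragment so variants still match."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.hostname}{p.path or '/'}"


def build_watchlist(iocs):
    """Return (domains, urls) from (type, defanged_value) pairs."""
    domains, urls = set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "url":
            urls.add(normalize_url(value))
            domains.add(urlsplit(value).hostname)  # a URL IOC implies its host
    return domains, urls


def domain_matches(query_name: str, domains) -> bool:
    """Exact or subdomain match; 'notbronzepavilion.top' must not match."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def url_matches(url: str, urls) -> bool:
    return normalize_url(url) in urls


def kql_dynamic(values) -> str:
    """Render a set of strings as the KQL dynamic([...]) literal used above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed sample events shaped like DnsEvents / UrlClickEvents rows.
SAMPLE_DNS_EVENTS = [
    {"Computer": "WS-017", "Name": "bronzepavilion.top"},
    {"Computer": "WS-022", "Name": "login.microsoftonline.com"},
    {"Computer": "SRV-DB01", "Name": "cdn.linenvoyage.top."},
    {"Computer": "WS-031", "Name": "notbronzepavilion.top"},
]
SAMPLE_URL_EVENTS = [
    {"AccountUpn": "a.user@example.test", "Url": "HTTPS://LinenVoyage.top/signin/auth-json?x=1"},
    {"AccountUpn": "b.user@example.test", "Url": "https://example.test/signin/auth-json"},
]


def hunt_dns(events, domains):
    return [e for e in events if domain_matches(e["Name"], domains)]


def hunt_urls(events, urls):
    return [e for e in events if url_matches(e["Url"], urls)]


if __name__ == "__main__":
    domains, urls = build_watchlist(DEFANGED_IOCS)
    print("let malicious_domains =", kql_dynamic(domains) + ";")
    print("let malicious_urls =", kql_dynamic(urls) + ";")
    for hit in hunt_dns(SAMPLE_DNS_EVENTS, domains):
        print("DNS hit:", hit)
    for hit in hunt_urls(SAMPLE_URL_EVENTS, urls):
        print("URL hit:", hit)
```

Dropping the query string in `normalize_url` is a deliberate choice: it keeps cache-busting parameters from hiding a known path, at the cost of treating every query variant of an IOC URL as the same indicator.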
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the SmartApeSG IOCs (e.g., a PowerShell script used for system updates).
Filter/Exclusion: `process.name != "schtasks.exe" OR process.args NOT LIKE "*update*"`

Scenario: Admin Performing Log Collection via PowerShell
Description: An admin uses PowerShell to collect logs, which may include commands or paths that match SmartApeSG IOCs.
Filter/Exclusion: `process.name != "powershell.exe" OR process.args NOT LIKE "*log*"`

Scenario: Database Backup Job Using SQLCMD
Description: A scheduled SQLCMD job runs to back up a database, and the command line includes a path or argument that matches an IOC.
Filter/Exclusion: `process.name != "sqlcmd.exe" OR process.args NOT LIKE "*backup*"`

Scenario: Antivirus Scan Using ClamAV
Description: ClamAV performs a scan and generates output that includes a file path or hash matching a SmartApeSG IOC.
Filter/Exclusion: `process.name != "clamscan.exe" OR process.args NOT LIKE "*scan*"`

Scenario: Internal Tool for Configuration Management
Description: A company-specific configuration management tool (e.g., configmgr.exe) uses a script or command that matches an IOC.
Filter/Exclusion: `process.name != "configmgr.exe" OR process.args NOT LIKE "*config*"`