The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
- Malware Family: SmartApeSG
- Total IOCs: 4
- IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://jadepassagehub.top/rate/metrics-json.js | payload_delivery | 2026-06-15 | 100% |
| domain | jadepassagehub.top | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://jadepassagehub.top/rate/legacy-fetch | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://jadepassagehub.top/rate/reset-dom.js | payload_delivery | 2026-06-15 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["jadepassagehub.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://jadepassagehub.top/rate/metrics-json.js", "https://jadepassagehub.top/rate/legacy-fetch", "https://jadepassagehub.top/rate/reset-dom.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
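The two hunts above match a domain and a set of URLs against telemetry; the following added example (not part of the ThreatFox rule or the Sentinel queries) shows the same matching logic offline: it refangs the defanged IOCs from the table, derives the host of each URL IOC for the DNS hunt, matches subdomains of a listed domain without matching look-alike suffixes, and matches URLs exactly while ignoring query strings. The sample DNS names and URLs are constructed, not real logs.

```python
import re
from urllib.parse import urlsplit

# IOCs as listed in the table above, defanged with hxxp/hxxps as ThreatFox publishes them.
SMARTAPESG_IOCS = [
    ("url", "hxxps://jadepassagehub.top/rate/metrics-json.js"),
    ("domain", "jadepassagehub.top"),
    ("url", "hxxps://jadepassagehub.top/rate/legacy-fetch"),
    ("url", "hxxps://jadepassagehub.top/rate/reset-dom.js"),
]

def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_sets(iocs):
    """Split the feed into URL and domain sets. The host of every URL IOC is
    added to the domain set so the DNS hunt also covers URL-only indicators."""
    urls, domains = set(), set()
    for kind, raw in iocs:
        value = refang(raw).lower()
        if kind == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname)
        elif kind == "domain":
            domains.add(value)
    return urls, domains

def domain_hit(name: str, domains) -> bool:
    """True for a listed domain or any subdomain of it (not for look-alike suffixes)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def url_hit(url: str, urls) -> bool:
    """Exact match on scheme, host and path; query string and fragment are ignored."""
    p = urlsplit(url.lower())
    return f"{p.scheme}://{p.netloc}{p.path}" in urls

def hunt(dns_names, urls_seen, iocs=SMARTAPESG_IOCS):
    """Return (matching DNS names, matching URLs), mirroring the two KQL hunts."""
    urls, domains = build_sets(iocs)
    return ([n for n in dns_names if domain_hit(n, domains)],
            [u for u in urls_seen if url_hit(u, urls)])

# Constructed sample telemetry (hypothetical, not real logs).
SAMPLE_DNS = ["cdn.jadepassagehub.top", "jadepassagehub.top.example.com", "login.microsoftonline.com"]
SAMPLE_URLS = ["https://jadepassagehub.top/rate/legacy-fetch?id=7", "https://jadepassagehub.top/rate/other.js"]
```

Running `hunt(SAMPLE_DNS, SAMPLE_URLS)` flags only the subdomain and the exact URL path, which is the behaviour to verify before trusting a broad `has_any` match in production.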
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: process.name != "maintenance_script.sh" AND process.name != "sysmaint.exe"
Scenario: Admin Performing Log Analysis with LogParser
Description: An admin uses LogParser to analyze logs, and the tool’s command line arguments match the IOC pattern.
Filter/Exclusion: process.name != "logparser.exe" OR process.args NOT LIKE "%-i %log_file%"
Scenario: Automated Backup Job Using Veeam Backup & Replication
Description: A backup job initiated by Veeam includes files or paths that resemble the IOC due to naming conventions.
Filter/Exclusion: process.name != "veeam.exe" OR process.args NOT LIKE "%backup%"
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring (e.g., using Get-EventLog) includes commands that match the IOC pattern.
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE "%-Command%"
Scenario: Database Maintenance Task Using SQL Server Agent
Description: A SQL Server Agent job runs a T-SQL script that includes commands matching the IOC due to similar syntax.
Filter/Exclusion: process.name != "sqlagent.exe" OR process.args NOT LIKE "-JobName %maintenance%"