The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity associated with the SmartApeSG threat group, which is linked to malicious network traffic and command-and-control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats leveraging this known malicious infrastructure.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 6
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ironsignal.top/signup/version-script | payload_delivery | 2026-06-03 | 100% |
| domain | ironsignal.top | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://ironsignal.top/signup/signup-render.js | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://lucidgrovelab.top/tenant/handler-view | payload_delivery | 2026-06-03 | 100% |
| domain | lucidgrovelab.top | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://lucidgrovelab.top/tenant/session-schema.js | payload_delivery | 2026-06-03 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["ironsignal.top", "lucidgrovelab.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://ironsignal.top/signup/version-script", "https://ironsignal.top/signup/signup-render.js", "https://lucidgrovelab.top/tenant/handler-view", "https://lucidgrovelab.top/tenant/session-schema.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
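The two KQL hunts above express the same matching logic: refang the defanged ThreatFox indicators, match DNS query names against the domain list and clicked URLs against the URL list, then sort newest first. The following Python is an added example, not code from ThreatFox or the Sentinel rule, that reproduces that logic offline over constructed sample records shaped like DnsEvents and UrlClickEvents rows. It is deliberately a little stricter than `has_any`: DNS names match only when they equal an indicator or are a subdomain of it (so `ironsignal.top.example.com` does not fire), and URLs are compared on scheme, host and path after lower-casing, so a query string appended to an IOC URL still matches while an unrelated longer path does not. The sample records, hostnames and account names are constructed for the example.

```python
"""Added example (not part of the ThreatFox page or any Sentinel content):
refang the defanged ThreatFox IOCs, then apply matching equivalent to the
two KQL hunts to constructed sample DNS and URL-click records."""
import re
from urllib.parse import urlsplit

# IOCs copied from the table above, in their defanged (hxxps) form.
THREATFOX_IOCS = [
    ("url", "hxxps://ironsignal.top/signup/version-script"),
    ("domain", "ironsignal.top"),
    ("url", "hxxps://ironsignal.top/signup/signup-render.js"),
    ("url", "hxxps://lucidgrovelab.top/tenant/handler-view"),
    ("domain", "lucidgrovelab.top"),
    ("url", "hxxps://lucidgrovelab.top/tenant/session-schema.js"),
]

def refang(value: str) -> str:
    """Undo the usual ThreatFox defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_watchlists(iocs):
    """Split IOCs into the two sets the KQL hunts use: domains and full URLs.
    Hosts extracted from URL IOCs are added to the domain set as well, so a
    DNS hit is caught even when only a URL indicator was published."""
    domains, urls = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw).lower()
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "url":
            urls.add(value)
            host = urlsplit(value).hostname
            if host:
                domains.add(host)
    return domains, urls

def dns_name_matches(name: str, domains) -> bool:
    """Counterpart of `Name has_any (malicious_domains)`, tightened to exact
    match or subdomain (cdn.ironsignal.top yes, ironsignal.top.example.com no)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def url_matches(url: str, urls) -> bool:
    """Counterpart of `Url has_any (malicious_urls)`, comparing scheme+host+path
    so an appended query string still matches but a longer path does not."""
    parts = urlsplit(url.lower())
    canonical = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return canonical in urls

def hunt(dns_events, url_click_events, iocs):
    """Return (dns_hits, url_hits), each newest first like the KQL `order by`."""
    domains, urls = build_watchlists(iocs)
    dns_hits = [e for e in dns_events if dns_name_matches(e["Name"], domains)]
    url_hits = [e for e in url_click_events if url_matches(e["Url"], urls)]
    dns_hits.sort(key=lambda e: e["TimeGenerated"], reverse=True)
    url_hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return dns_hits, url_hits

# Constructed sample rows (not real telemetry) shaped like DnsEvents / UrlClickEvents.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-04T09:01:00Z", "Computer": "WS01", "Name": "ironsignal.top", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T09:02:00Z", "Computer": "WS02", "Name": "cdn.lucidgrovelab.top", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T09:03:00Z", "Computer": "WS03", "Name": "ironsignal.top.example.com", "IPAddresses": "198.51.100.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T09:04:00Z", "Computer": "WS04", "Name": "login.microsoftonline.com", "IPAddresses": "198.51.100.7", "QueryType": "A"},
]
SAMPLE_CLICKS = [
    {"Timestamp": "2026-06-04T10:00:00Z", "AccountUpn": "a@example.com", "Url": "https://ironsignal.top/signup/version-script?id=7", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-06-04T10:05:00Z", "AccountUpn": "b@example.com", "Url": "https://lucidgrovelab.top/tenant/handler-view-old", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-06-04T10:10:00Z", "AccountUpn": "c@example.com", "Url": "https://LUCIDGROVELAB.top/tenant/session-schema.js", "ActionType": "ClickBlocked", "IsClickedThrough": False},
]

if __name__ == "__main__":
    dns_hits, url_hits = hunt(SAMPLE_DNS, SAMPLE_CLICKS, THREATFOX_IOCS)
    for e in dns_hits:
        print("DNS", e["TimeGenerated"], e["Computer"], e["Name"])
    for e in url_hits:
        print("URL", e["Timestamp"], e["AccountUpn"], e["Url"])
```

Run as-is it reports two DNS hits (WS02, then WS01) and two URL hits (c@example.com, then a@example.com); the WS03 query and the `handler-view-old` click are correctly ignored. If you prefer the looser term-based behaviour of `has_any`, the two `*_matches` helpers are the only places to change.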
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (populated by the DNS data connector; the hunt returns nothing if no DNS server logs are ingested) |
| UrlClickEvents | Ensure this data connector is enabled (Safe Links click data from the Microsoft 365 Defender / Defender XDR connector) |
Scenario: Legitimate scheduled job execution
Description: A system administrator schedules a legitimate job using schtasks.exe to run a script that matches one of the IOCs (e.g., a script file path).
Filter/Exclusion: Exclude events where the process is schtasks.exe and the command line includes -create or -delete actions.
Scenario: Regular system maintenance using PowerShell
Description: A PowerShell script (powershell.exe) is executed as part of routine system maintenance, such as disk cleanup or log rotation, and the script path matches an IOC.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes -Command with a known maintenance script or module.
Scenario: Admin tool usage for configuration management
Description: An admin uses Group Policy Management Console (GPMC) or gpupdate.exe to push configurations, and the tool or command matches an IOC.
Filter/Exclusion: Exclude events where the process is gpupdate.exe or gpmc.msc and the command line includes -force or -target.
Scenario: Legitimate software deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) task deploys software, and the deployment package or script path matches an IOC.
Filter/Exclusion: Exclude events where the process is ccmexec.exe or softwarecenter.exe and the command line includes -install or -deploy.
Scenario: Regular log analysis using SIEM tools
Description: A SIEM tool like Splunk or ELK runs a script or process that matches an IOC during log parsing or analysis.
Filter/Exclusion: Exclude events where the process is splunkd.exe, `