The ThreatFox: SmartApeSG IOCs rule matches indicators published on ThreatFox (abuse.ch) for the SmartApeSG malware family, which ThreatFox associates with malware distribution. All three indicators in this set are tagged payload_delivery, i.e. they are download/delivery infrastructure rather than command-and-control. SOC teams should hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to find hosts and users that resolved or visited the delivery infrastructure, which is an early-stage sign of compromise before any payload has run.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://vividtunnellab.top/public/acl-partial | payload_delivery | 2026-06-04 | 100% |
| domain | vividtunnellab.top | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://vividtunnellab.top/public/token-json.js | payload_delivery | 2026-06-04 | 100% |
Hunting Queries

The table above is defanged (hxxps://); the queries use the refanged values. `has_any` is case-insensitive and term-based, so the domain query also matches subdomains of vividtunnellab.top.

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// DnsEvents is populated by the Windows DNS connector; adapt the table name
// if DNS telemetry is collected elsewhere (e.g. ASIM _Im_Dns, DeviceNetworkEvents).
let malicious_domains = dynamic(["vividtunnellab.top"]);
DnsEvents
| where Name has_any (malicious_domains)   // also matches *.vividtunnellab.top
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for clicks on known malicious URLs (Defender for Office 365 Safe Links)
// Source: ThreatFox - SmartApeSG
// ActionType shows whether Safe Links allowed or blocked the click; a blocked
// click is still worth triage because the user received and opened the lure.
let malicious_urls = dynamic(["https://vividtunnellab.top/public/acl-partial", "https://vividtunnellab.top/public/token-json.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
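To sanity-check the matching logic before relying on it in Sentinel, the following added example (not part of the original page, the ThreatFox feed or the Sentinel rule) refangs the IOC table, derives the domain and URL lists, and runs them over a few constructed DNS and proxy records. It goes slightly beyond the KQL above: it also flags a URL on an IOC domain whose path is not in the list, which a URL-only match would miss. The log lines, host names and user names are constructed for illustration; the helper names are this example's own.

```python
"""Offline check of SmartApeSG IOC matching (added example, not the page's own code).

All sample telemetry below is constructed; the only real data are the three
ThreatFox indicators copied from the IOC table.
"""
from urllib.parse import urlsplit

# IOCs exactly as published (defanged with hxxps://), from the table above.
THREATFOX_IOCS = [
    ("url", "hxxps://vividtunnellab.top/public/acl-partial"),
    ("domain", "vividtunnellab.top"),
    ("url", "hxxps://vividtunnellab.top/public/token-json.js"),
]


def refang(value: str) -> str:
    """Undo the usual defanging conventions so values can be matched or pasted into KQL."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("(.)", "."))


def ioc_sets(iocs):
    """Return (domains, urls) after refanging.

    The host of every URL IOC is added to the domain set so that a DNS-only
    data source still produces a hit.
    """
    domains, urls = set(), set()
    for kind, value in iocs:
        value = refang(value).lower()
        if kind == "domain":
            domains.add(value)
        elif kind == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname)
    return domains, urls


def domain_matches(name: str, domains) -> bool:
    """True if name is an IOC domain or a subdomain of one.

    Mirrors the intent of `has_any` in the DnsEvents query while refusing
    substring matches such as 'notvividtunnellab.top'.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def canon_url(url: str) -> str:
    """scheme://host/path, lower-cased and without query/fragment, so tracking
    parameters appended to a lure link do not defeat the match (KQL has_any is
    case-insensitive, so lower-casing the path mirrors the query's behaviour)."""
    p = urlsplit(url.lower())
    return f"{p.scheme}://{p.hostname}{p.path or '/'}"


def url_matches(url: str, urls) -> bool:
    return canon_url(url) in {canon_url(u) for u in urls}


def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal for pasting into the hunting queries."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed sample telemetry: (source, "timestamp subject value ...").
SAMPLE_EVENTS = [
    ("dns",   "2026-06-04T10:01:12Z WS-042 vividtunnellab.top A"),
    ("dns",   "2026-06-04T10:01:13Z WS-042 cdn.vividtunnellab.top A"),
    ("dns",   "2026-06-04T10:02:00Z WS-017 notvividtunnellab.top A"),
    ("proxy", "2026-06-04T10:01:14Z alice@example.com https://vividtunnellab.top/public/token-json.js?v=3"),
    ("proxy", "2026-06-04T10:05:30Z bob@example.com https://vividtunnellab.top/public/other.js"),
]


def hunt(events, iocs=THREATFOX_IOCS):
    """Return (timestamp, subject, value, match_kind) for every event that hits an IOC."""
    domains, urls = ioc_sets(iocs)
    hits = []
    for source, line in events:
        ts, subject, value, *_ = line.split()
        if source == "dns" and domain_matches(value, domains):
            hits.append((ts, subject, value, "domain"))
        elif source == "proxy":
            if url_matches(value, urls):
                hits.append((ts, subject, value, "url"))
            elif domain_matches(urlsplit(value).hostname or "", domains):
                # Same delivery host, unlisted path: still worth triage.
                hits.append((ts, subject, value, "domain"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print(kql_dynamic(ioc_sets(THREATFOX_IOCS)[0]))
```

Running it yields four hits: both DNS lookups for the domain and its subdomain, the clicked token-json.js URL despite the appended `?v=3`, and the unlisted `other.js` path flagged at domain level, while `notvividtunnellab.top` is correctly ignored. The last line prints the `dynamic([...])` literal to paste into the DnsEvents query.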
Required Data Connectors

| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Events connector (AMA or legacy agent); ensure it is enabled. If DNS telemetry is collected elsewhere (ASIM `_Im_Dns`, or `DeviceNetworkEvents` from Defender for Endpoint), adapt the query to that table. |
| UrlClickEvents | Populated by the Microsoft Defender XDR connector from Defender for Office 365 Safe Links click data; ensure the connector is enabled and Safe Links is in use, otherwise the table is empty. |
False Positive Scenarios

The scenarios below are process-level exclusions (command line, parent process, owning user). The two hunting queries above match only DNS names and clicked URLs, so none of these exclusions can apply to them; they are relevant only if the rule is extended to process telemetry (e.g. DeviceProcessEvents). Note also that on ThreatFox SmartApeSG is the malware-family label for this campaign (see IOC Summary), so a legitimate smartape binary, API, package manager or log format is an assumption about a particular environment rather than something implied by the IOCs; confirm such a tool actually exists before adding an exclusion for it.

Scenario: Legitimate scheduled job using a smartape command
Description: A system administrator schedules a job that runs a smartape command for routine system diagnostics.
Filter/Exclusion: Exclude processes whose command line includes smartape and that correspond to a known administrative task (e.g., smartape --diagnostic).

Scenario: Automated backup tool using a SmartApeSG API
Description: A backup tool integrates with a SmartApeSG API to perform data synchronization tasks.
Filter/Exclusion: Exclude processes whose parent process is a known backup service (e.g., backupd, rsync, or vssadmin) and whose command line includes API-related arguments.

Scenario: System update using a SmartApeSG package manager
Description: A system update is initiated via a SmartApeSG package manager to install critical security patches.
Filter/Exclusion: Exclude processes whose command line includes smartape update and that are initiated by a known update manager (e.g., yum, apt, or zypper).

Scenario: Log analysis tool parsing SmartApeSG logs
Description: A log analysis tool is configured to parse logs generated by SmartApeSG for troubleshooting purposes.
Filter/Exclusion: Exclude processes whose command line includes smartape log and that belong to a known log analysis tool (e.g., logrotate, Splunk, or the ELK stack).

Scenario: Custom script for monitoring SmartApeSG services
Description: A custom script is used to monitor the status of SmartApeSG services and send alerts.
Filter/Exclusion: Exclude processes where the script is owned by a known monitoring user (e.g., nagios,