The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to SmartApeSG, which ThreatFox tracks as a malware family associated with payload distribution and command-and-control infrastructure. All 14 indicators below are tagged either payload or payload_delivery, so a hit points at initial access or staging rather than at an established foothold. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and contain early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary

Malware Family: SmartApeSG
Total IOCs: 14
IOC Types: sha256_hash, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 4eae39295458ac7a02bb837e0c82eecda3925f50dae684168bc0b203a89c53e2 | payload | 2026-05-27 | 75% |
| sha256_hash | 5ff519ad6347e7df1bb14e2bc15d72f4b26290da2e642c8a65fb8d4736f23022 | payload | 2026-05-27 | 75% |
| url | hxxps://rapidcanvas.top/signin/private-template | payload_delivery | 2026-05-27 | 100% |
| domain | rapidcanvas.top | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://rapidcanvas.top/signin/legacy-worker.js | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://178[.]156[.]165[.]82 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://178[.]156[.]173[.]194 | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://silverharvestnetwork.com/check | payload_delivery | 2026-05-27 | 100% |
| domain | silverharvestnetwork.com | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://hiddenplanetlab.top/signin/private-template | payload_delivery | 2026-05-27 | 100% |
| domain | hiddenplanetlab.top | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://hiddenplanetlab.top/signin/legacy-worker.js | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://178[.]156[.]231[.]32 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://5[.]78[.]209[.]255 | payload_delivery | 2026-05-27 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// has_any is case-insensitive and term-based, so a lookup of a subdomain of one of these domains is also returned
let malicious_domains = dynamic(["rapidcanvas.top", "silverharvestnetwork.com", "hiddenplanetlab.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// UrlClickEvents only holds clicks on links in mail and Teams messages protected by Defender for Office 365;
// it will not show browser navigation to these URLs that did not originate from a protected message.
let malicious_urls = dynamic(["https://rapidcanvas.top/signin/private-template", "https://rapidcanvas.top/signin/legacy-worker.js", "http://178.156.165.82", "http://178.156.173.194", "https://silverharvestnetwork.com/check", "https://hiddenplanetlab.top/signin/private-template", "https://hiddenplanetlab.top/signin/legacy-worker.js", "http://178.156.231.32", "http://5.78.209.255"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - SmartApeSG
// The feed supplies SHA-256 only for this family, so only the SHA256 column is compared;
// in~ makes the comparison case-insensitive in case hashes were ingested in upper case.
let malicious_hashes = dynamic(["4eae39295458ac7a02bb837e0c82eecda3925f50dae684168bc0b203a89c53e2", "5ff519ad6347e7df1bb14e2bc15d72f4b26290da2e642c8a65fb8d4736f23022"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
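The three queries above hunt the domains, URLs and hashes but not the four bare-IP URLs (hxxp://178[.]156[.]165[.]82 and the rest) as network destinations, which a `DeviceNetworkEvents` query on `RemoteIP` would cover. The following offline matcher, an added example that is not part of the ThreatFox feed or of the original page, loads the table's indicators exactly as defanged, refangs them, and applies the matching semantics a hunter actually wants: domains match exactly or as a parent of the queried name (so `notrapidcanvas.top` is not a hit), URLs match on scheme, host and path with a query string allowed, hashes compare case-insensitively, and the IPs extracted from bare-IP URLs are matched against connection events. The event records are constructed for illustration; their field names are the example's own, not Sentinel columns.

```python
"""Offline IOC matcher for the ThreatFox SmartApeSG indicators (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied verbatim (still defanged) from the IOC table above.
DEFANGED_IOCS = [
    ("sha256_hash", "4eae39295458ac7a02bb837e0c82eecda3925f50dae684168bc0b203a89c53e2"),
    ("sha256_hash", "5ff519ad6347e7df1bb14e2bc15d72f4b26290da2e642c8a65fb8d4736f23022"),
    ("url", "hxxps://rapidcanvas.top/signin/private-template"),
    ("domain", "rapidcanvas.top"),
    ("url", "hxxps://rapidcanvas.top/signin/legacy-worker.js"),
    ("url", "hxxp://178[.]156[.]165[.]82"),
    ("url", "hxxp://178[.]156[.]173[.]194"),
    ("url", "hxxps://silverharvestnetwork.com/check"),
    ("domain", "silverharvestnetwork.com"),
    ("url", "hxxps://hiddenplanetlab.top/signin/private-template"),
    ("domain", "hiddenplanetlab.top"),
    ("url", "hxxps://hiddenplanetlab.top/signin/legacy-worker.js"),
    ("url", "hxxp://178[.]156[.]231[.]32"),
    ("url", "hxxp://5[.]78[.]209[.]255"),
]


def refang(value):
    """Undo the hxxp:// and [.] defanging used in the table."""
    return re.sub(r"^hxxp", "http", value).replace("[.]", ".")


def build_indicator_sets(iocs):
    """Split the feed into sets keyed by the kind of event field they match.

    The host of every URL is also recorded as a domain or, for bare-IP URLs,
    as an IP, so direct connections can be hunted and not only clicked URLs.
    """
    domains, urls, ips, hashes = set(), set(), set(), set()
    for kind, raw in iocs:
        value = refang(raw).lower()
        if kind == "sha256_hash":
            hashes.add(value)
        elif kind == "domain":
            domains.add(value)
        elif kind == "url":
            urls.add(value)
            host = urlsplit(value).hostname or ""
            try:
                ips.add(str(ipaddress.ip_address(host)))
            except ValueError:  # not an IP literal, so it is a hostname
                domains.add(host)
    return {"domains": domains, "urls": urls, "ips": ips, "hashes": hashes}


def domain_matches(name, domains):
    """Exact or parent-domain match; a plain substring test would also hit notrapidcanvas.top."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url, urls):
    """Match scheme, host and path; a query string may be appended, a longer path may not."""
    u = urlsplit(url.lower())
    p = u.path.rstrip("/")
    for ind in urls:
        i = urlsplit(ind)
        ip = i.path.rstrip("/")
        if u.scheme == i.scheme and u.hostname == i.hostname and (ip == "" or p == ip or p.startswith(ip + "/")):
            return True
    return False


def scan_events(events, sets):
    """Return (event index, indicator kind, matched value) for every event that hits an indicator."""
    hits = []
    for idx, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns" and domain_matches(ev["name"], sets["domains"]):
            hits.append((idx, "domain", ev["name"]))
        elif kind == "url_click" and url_matches(ev["url"], sets["urls"]):
            hits.append((idx, "url", ev["url"]))
        elif kind == "network" and ev["remote_ip"] in sets["ips"]:
            hits.append((idx, "ip", ev["remote_ip"]))
        elif kind == "file" and ev["sha256"].lower() in sets["hashes"]:
            hits.append((idx, "sha256", ev["sha256"].lower()))
    return hits


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "dns", "name": "cdn.rapidcanvas.top"},                                          # subdomain: hit
    {"type": "dns", "name": "notrapidcanvas.top"},                                            # lookalike: no hit
    {"type": "url_click", "url": "https://hiddenplanetlab.top/signin/legacy-worker.js?v=3"},  # query string: hit
    {"type": "url_click", "url": "https://rapidcanvas.top/signin/private-templates"},         # longer path: no hit
    {"type": "network", "remote_ip": "5.78.209.255"},                                         # bare-IP indicator: hit
    {"type": "file", "sha256": "4EAE39295458AC7A02BB837E0C82EECDA3925F50DAE684168BC0B203A89C53E2"},  # upper case: hit
    {"type": "file", "sha256": "0" * 64},                                                     # no hit
]


def run():
    """Scan the constructed events against the feed and return the hits."""
    return scan_events(SAMPLE_EVENTS, build_indicator_sets(DEFANGED_IOCS))


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Feed exported DNS, proxy or file-event rows into `scan_events` in the same record shape to validate a hunt offline before it is turned into an analytic rule; the "network" branch is the check the page's three queries do not perform.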
The false-positive scenarios below are generic exclusion templates. The field names they use (process.name, process.parent_process, user.name) are descriptive, not Sentinel columns; in DeviceFileEvents the equivalents are InitiatingProcessFileName, InitiatingProcessParentFileName and InitiatingProcessAccountName. Because the queries above match on exact hashes, domains and URLs rather than on file names or command lines, a hit on one of these indicators should be validated against the ThreatFox entry before any process-based exclusion is applied.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script whose file name or command-line arguments resemble the IOCs.
Filter/Exclusion: Exclude tasks whose task name contains "SystemMaintenance" or "ScheduledTask", and check that process.parent_process is the Task Scheduler (svchost.exe hosting the Schedule service) or schtasks.exe.

Scenario: Admin Performing Log Analysis with PowerShell
Description: An admin uses PowerShell to analyze logs, and the script name or command-line arguments resemble malicious activity.
Filter/Exclusion: Exclude processes where process.name is powershell.exe and process.parent_process is an administrative tool such as taskmgr.exe or mmc.exe.

Scenario: Legitimate Software Update Job
Description: A software update job downloads a file whose hash or file name matches an IOC.
Filter/Exclusion: Exclude processes where process.name is msiexec.exe or setup.exe, and check that process.parent_process is a known update agent (e.g., wuauclt.exe for Windows Update, or the organization's patch-management agent).

Scenario: Database Backup Job Using SQLCMD
Description: A database backup job uses sqlcmd to execute a script that contains strings matching the IOC pattern.
Filter/Exclusion: Exclude processes where process.name is sqlcmd.exe and process.parent_process is a known database service (e.g., sqlservr.exe).

Scenario: User Running a Custom Script for Data Processing
Description: A user runs a custom data-processing script whose command-line arguments are similar to the IOC.
Filter/Exclusion: Exclude processes where process.name is python.exe or node.exe, and check that user.name matches a known trusted user.