The ThreatFox: SmartApeSG IOCs rule covers indicators that ThreatFox attributes to SmartApeSG, a threat group associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before lateral movement and data exfiltration occur. ThreatFox publishes the indicators defanged (hxxps, [.]); they must be refanged before they are pasted into a query, as the KQL lists below already are.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 8
IOC Types: sha256_hash, ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://silentmatrix.top/proxy/logout-client.php | payload_delivery | 2026-05-05 | 100% |
| domain | silentmatrix.top | payload_delivery | 2026-05-05 | 100% |
| url | hxxps://silentmatrix.top/proxy/acl-pipeline.js | payload_delivery | 2026-05-05 | 100% |
| sha256_hash | 16cfe58eab4573ff575c563839e65474da5569247d55fbb59fd56f2684cec610 | payload | 2026-05-05 | 75% |
| sha256_hash | 8e1ed8998519001d4f4af8e1fe9381950cf9c2501ca1b25c414712d29966aee6 | payload | 2026-05-05 | 75% |
| sha256_hash | 97f3bdf6db1c274da0e5e653ef59f49514f6d7ed531138f487912d1f9a8fac1c | payload | 2026-05-05 | 75% |
| ip:port | 144[.]208[.]127[.]215:443 | payload_delivery | 2026-05-05 | 75% |
| ip:port | 144[.]208[.]127[.]163:443 | payload_delivery | 2026-05-05 | 75% |
```kusto
// Hunt for network connections to known malicious IPs (either direction)
// Source: ThreatFox - SmartApeSG
// Both indicators were reported on port 443, but the port is deliberately not filtered
let malicious_ips = dynamic(["144.208.127.163", "144.208.127.215"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - SmartApeSG
let malicious_ips = dynamic(["144.208.127.163", "144.208.127.215"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// has_any is term-based, so subdomains such as cdn.silentmatrix.top are also matched
let malicious_domains = dynamic(["silentmatrix.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// UrlClickEvents only records Safe Links clicks from email, Teams and Office;
// proxy logs (CommonSecurityLog) and DeviceNetworkEvents.RemoteUrl cover other browsing.
// The second clause catches new paths on the same delivery host.
let malicious_urls = dynamic(["https://silentmatrix.top/proxy/logout-client.php", "https://silentmatrix.top/proxy/acl-pipeline.js"]);
UrlClickEvents
| where Url has_any (malicious_urls) or Url has "silentmatrix.top"
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - SmartApeSG
// All three indicators are SHA256, so only the SHA256 column is compared;
// comparing the SHA1 or MD5 columns against SHA256 values can never match.
let malicious_hashes = dynamic(["16cfe58eab4573ff575c563839e65474da5569247d55fbb59fd56f2684cec610", "8e1ed8998519001d4f4af8e1fe9381950cf9c2501ca1b25c414712d29966aee6", "97f3bdf6db1c274da0e5e653ef59f49514f6d7ed531138f487912d1f9a8fac1c"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog (AMA) connectors for firewalls and proxies; ensure the connector is enabled and the devices are forwarding |
| DeviceFileEvents | Microsoft Defender XDR connector (Defender for Endpoint); ensure it is enabled |
| DeviceNetworkEvents | Microsoft Defender XDR connector (Defender for Endpoint); ensure it is enabled |
| DnsEvents | Windows DNS Server connector; AMA-based DNS collection writes to ASimDnsActivityLogs instead, so adjust the table name if that is what you ingest |
| UrlClickEvents | Microsoft Defender XDR connector; only populated for tenants licensed for Defender for Office 365 Safe Links |
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a script or utility whose SHA256 appears in the SmartApeSG hash list, for example a PowerShell script used for system updates or patch management. A legitimate tool can end up on a feed when a campaign abuses it, so a hash match on a maintenance task is worth a look rather than an automatic dismissal.
Filter/Exclusion: Do not exclude on TaskName alone (an attacker can name a task “SystemMaintenance” or “PatchManagement”). Confirm the file's signer, publisher and fleet-wide prevalence; if it is legitimate, exclude that exact SHA256 together with its FolderPath.
Scenario: Admin Tool for Log Management
Description: An enterprise log management tool (e.g., Splunk, ELK Stack) uses a script or binary that matches an IOC from SmartApeSG during log ingestion or parsing.
Filter/Exclusion: Exclude the verified splunkd.exe or logstash binary by its exact hash and installation path, not merely by the splunk or logstash account name, since a process running under that account is not evidence that it is the legitimate agent.
Scenario: Database Backup Job
Description: A database backup job (e.g., using sqlbackup.exe or mysqldump) generates a file or command line that matches an IOC associated with SmartApeSG.
Filter/Exclusion: Exclude the verified backup binary (e.g., sqlbackup.exe) by hash and path. Avoid keyword exclusions such as CommandLine containing backup, restore, or dump; they are trivially bypassed by naming a payload after them and would silence real hits.
Scenario: Network Monitoring Tool Execution
Description: A network monitoring tool (e.g., Wireshark, PRTG) uses a binary or script that matches an IOC from SmartApeSG during data collection or analysis. Such tools can also generate DNS and network matches themselves when they resolve or probe the listed domain and IPs.
Filter/Exclusion: Exclude the signed wireshark.exe or prtg_agent.exe binaries by hash and path, and scope any network-level exclusion to the specific monitoring host rather than to a user or role; do not exclude by account privilege level.
Scenario: Security Software Update
Description: A legitimate security software update (e.g., CrowdStrike Falcon) includes a binary or script that matches an IOC from SmartApeSG during installation.