← Back to SOC feed Coverage →

ThreatFox: SmartApeSG IOCs

ioc-hunt HIGH ThreatFox
DnsEventsUrlClickEvents
iocjs-smartapesgthreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-10T11:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise by a sophisticated threat actor leveraging known malicious infrastructure.

IOC Summary

Malware Family: SmartApeSG Total IOCs: 3 IOC Types: domain, url

TypeValueThreat TypeFirst SeenConfidence
urlhxxps://saffronecho.top/redirect/gateway-utilpayload_delivery2026-06-10100%
domainsaffronecho.toppayload_delivery2026-06-10100%
urlhxxps://saffronecho.top/redirect/middleware-validator.jspayload_delivery2026-06-10100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["saffronecho.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://saffronecho.top/redirect/gateway-util", "https://saffronecho.top/redirect/middleware-validator.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/js.smartapesg/