The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command and control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 9
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://crystalforgeway.top/role/refresh-layout.js | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://crystalforgeway.top/role/role-view.js | payload_delivery | 2026-06-08 | 100% |
| domain | crystalforgeway.top | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://crystalforgeway.top/role/api-sessionstore | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://spaceco.com/ch | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://emberhorizon.top/role/role-view.js | payload_delivery | 2026-06-08 | 100% |
| domain | emberhorizon.top | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://emberhorizon.top/role/api-sessionstore | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://emberhorizon.top/role/refresh-layout.js | payload_delivery | 2026-06-08 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["crystalforgeway.top", "emberhorizon.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://crystalforgeway.top/role/refresh-layout.js", "https://crystalforgeway.top/role/role-view.js", "https://crystalforgeway.top/role/api-sessionstore", "https://spaceco.com/ch", "https://emberhorizon.top/role/role-view.js", "https://emberhorizon.top/role/api-sessionstore", "https://emberhorizon.top/role/refresh-layout.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
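An added Python example, not part of the ThreatFox rule or of this page, that refangs the nine IOCs listed above, splits them into the domain set and URL set the two KQL hunts use, and runs them over constructed DnsEvents and UrlClickEvents rows. The domain check is a suffix match (the queried name or any subdomain of an IOC domain), a stricter analogue of KQL `has_any`; the URL check normalises scheme and host and ignores query strings. All log rows and user names are constructed.

```python
import re
from urllib.parse import urlsplit

# The nine IOCs exactly as the ThreatFox table above lists them (defanged).
DEFANGED_IOCS = [
    "hxxps://crystalforgeway.top/role/refresh-layout.js",
    "hxxps://crystalforgeway.top/role/role-view.js",
    "crystalforgeway.top",
    "hxxps://crystalforgeway.top/role/api-sessionstore",
    "hxxps://spaceco.com/ch",
    "hxxps://emberhorizon.top/role/role-view.js",
    "emberhorizon.top",
    "hxxps://emberhorizon.top/role/api-sessionstore",
    "hxxps://emberhorizon.top/role/refresh-layout.js",
]

def refang(ioc):
    """Undo hxxp/hxxps and [.] defanging so the value matches live telemetry."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I).replace("[.]", ".")

def normalize_url(url):
    """Lower-case scheme and host, keep the path, drop query string and fragment."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"

def load_iocs(iocs=DEFANGED_IOCS):
    """Split refanged IOCs into (domain_set, url_set), as the two KQL hunts do."""
    refanged = [refang(i) for i in iocs]
    domains = {i.lower() for i in refanged if "://" not in i}
    urls = {normalize_url(i) for i in refanged if "://" in i}
    return domains, urls

def matched_domain(name, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    return next((d for d in (".".join(labels[i:]) for i in range(len(labels))) if d in domains), None)

def hunt(dns_rows, click_rows, iocs=DEFANGED_IOCS):
    """dns_rows: (time, computer, name); click_rows: (time, upn, url). Returns (dns_hits, url_hits)."""
    domains, urls = load_iocs(iocs)
    dns_hits = [(t, host, name, matched_domain(name, domains)) for t, host, name in dns_rows
                if matched_domain(name, domains)]
    url_hits = [r for r in click_rows if normalize_url(r[2]) in urls]
    return dns_hits, url_hits

# Constructed sample rows (not real telemetry): a subdomain hit, a look-alike that must not
# match, a URL hit with a query string and a same-host URL that is not on the IOC list.
SAMPLE_DNS = [("2026-06-08T10:01Z", "WS-042", "cdn.crystalforgeway.top"),
              ("2026-06-08T10:01Z", "WS-042", "notcrystalforgeway.top")]
SAMPLE_CLICKS = [("2026-06-08T10:03Z", "bob@example.test", "HTTPS://spaceco.com/ch?ref=mail"),
                 ("2026-06-08T10:03Z", "carol@example.test", "https://spaceco.com/")]
```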
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using smartape command
Description: A system administrator schedules a job using the smartape tool for network monitoring or configuration management.
Filter/Exclusion: Exclude processes where the command line includes smartape and the parent process is a legitimate scheduler (e.g., cron, systemd, or task scheduler).
Scenario: Admin task involving SmartApeSG configuration
Description: A security or network admin is manually configuring SmartApeSG for compliance or audit purposes.
Filter/Exclusion: Exclude processes where the user is a privileged admin and the command line includes configuration or setup commands (e.g., smartape config, smartape setup).
Scenario: Legitimate use of SmartApeSG for log analysis
Description: A security analyst uses SmartApeSG to analyze log files for suspicious activity.
Filter/Exclusion: Exclude processes where the command line includes log analysis commands (e.g., smartape analyze logs) and the user is a security analyst with known access.
Scenario: Automated backup using SmartApeSG integration
Description: A backup system uses SmartApeSG as part of an automated backup process to archive sensitive data.
Filter/Exclusion: Exclude processes where the command line includes backup-related keywords (e.g., smartape backup, smartape archive) and the parent process is a known backup service.
Scenario: False positive from a third-party tool with similar name
Description: A third-party tool with a similar name to SmartApeSG is being used in the environment, triggering the rule due to name similarity.
Filter/Exclusion: Exclude processes where the full path or command line includes a known third-party tool name (e.g., `thirdparty-smart