The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to SmartApeSG, a threat group associated with malware distribution and command-and-control infrastructure. All three indicators below are classified by ThreatFox as payload_delivery, so a hit means a host resolved or fetched a staging location, not necessarily that a payload executed. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify early-stage compromise attempts and scope affected hosts before follow-on activity.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ivorycourtyard.top/middleware/version-schema | payload_delivery | 2026-06-19 | 100% |
| domain | ivorycourtyard.top | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://ivorycourtyard.top/middleware/endpoint-asset.js | payload_delivery | 2026-06-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// has_any on the bare domain also matches subdomains (e.g. www.ivorycourtyard.top)
let malicious_domains = dynamic(["ivorycourtyard.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// ThreatFox publishes URLs defanged (hxxps://); they are refanged here before matching
let malicious_urls = dynamic(["https://ivorycourtyard.top/middleware/version-schema", "https://ivorycourtyard.top/middleware/endpoint-asset.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled; this table is only populated from Windows DNS servers or endpoints where DNS logging is collected, so queries resolved by other resolvers will not appear here. |
| UrlClickEvents | Ensure the Microsoft Defender XDR connector is enabled; this table holds Safe Links click events from Defender for Office 365 only (links in mail and Teams). Direct browser navigation, script-driven fetches and http:// retrievals are not recorded here, so also hunt proxy/firewall logs (for example CommonSecurityLog RequestURL) and endpoint network telemetry (DeviceNetworkEvents RemoteUrl) for the same host and paths. |
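The two queries above match on exact domain and URL strings; the same logic is easy to get wrong when the hunt is repeated offline over exported DNS and proxy logs (look-alike domains, http:// instead of https://, cache-busting query strings, trailing dots on DNS names). The following is an added example written for this page, not part of the ThreatFox feed or any Sentinel content: it refangs the IOCs exactly as listed in the table, then applies subdomain-aware domain matching and scheme/port/query-insensitive URL matching to constructed sample log lines. The log formats and host names are assumptions made up for the example.

```python
"""Offline IOC matcher for the ThreatFox SmartApeSG indicators (added example)."""
import re
from urllib.parse import urlsplit

# IOCs exactly as ThreatFox publishes them (defanged), taken from the table above.
THREATFOX_IOCS = [
    ("url", "hxxps://ivorycourtyard.top/middleware/version-schema"),
    ("domain", "ivorycourtyard.top"),
    ("url", "hxxps://ivorycourtyard.top/middleware/endpoint-asset.js"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] / (.) -> ., [:] -> : ."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return value.lower()


def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """True for the IOC domain and any subdomain of it; false for look-alikes such as
    notivorycourtyard.top or ivorycourtyard.top.evil.example."""
    q = query_name.lower().rstrip(".")  # DNS logs often carry a trailing root dot
    return q == ioc_domain or q.endswith("." + ioc_domain)


def url_matches(observed_url: str, ioc_url: str) -> bool:
    """Compare host and path only: scheme, port, query string and fragment are ignored,
    so an http:// retrieval or a ?v=3 cache-buster still matches the ThreatFox URL."""
    o, i = urlsplit(observed_url.lower()), urlsplit(ioc_url.lower())
    return o.hostname == i.hostname and o.path.rstrip("/") == i.path.rstrip("/")


def load_iocs(entries):
    """Split the feed into a domain set and a URL set; the host of every URL IOC is
    added to the domain set so DNS logs can be hunted with URL-only indicators too."""
    domains, urls = set(), set()
    for ioc_type, raw in entries:
        value = refang(raw)
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname)
    return domains, urls


# Constructed sample logs (assumed formats: "<ts> <host> <qtype> <qname>" and
# "<ts> <src_ip> <method> <url> <status>"); not real telemetry.
SAMPLE_DNS_LOG = [
    "2026-06-19T10:01:02Z host01 A www.ivorycourtyard.top",
    "2026-06-19T10:01:05Z host02 A notivorycourtyard.top",
    "2026-06-19T10:01:09Z host03 A ivorycourtyard.top.cdn.example",
    "2026-06-19T10:02:11Z host01 A ivorycourtyard.top.",
]
SAMPLE_PROXY_LOG = [
    "2026-06-19T10:01:03Z 10.0.0.5 GET http://ivorycourtyard.top/middleware/endpoint-asset.js?v=3 200",
    "2026-06-19T10:01:04Z 10.0.0.5 GET https://IVORYCOURTYARD.top:443/middleware/version-schema/ 200",
    "2026-06-19T10:01:08Z 10.0.0.6 GET https://ivorycourtyard.top/middleware/other.js 404",
    "2026-06-19T10:01:12Z 10.0.0.7 GET https://example.org/middleware/version-schema 200",
]


def hunt(dns_lines, proxy_lines, domains, urls):
    """Return (source, line, matched_ioc) for every log line that hits an indicator."""
    hits = []
    for line in dns_lines:
        qname = line.split()[-1]
        matched = next((d for d in domains if domain_matches(qname, d)), None)
        if matched is not None:
            hits.append(("dns", line, matched))
    for line in proxy_lines:
        url = line.split()[3]
        matched = next((u for u in urls if url_matches(url, u)), None)
        if matched is None:
            # No exact path hit: still flag any request to the IOC host, since other
            # paths on the same staging server are worth a look during triage.
            host = urlsplit(url.lower()).hostname or ""
            matched = next((d for d in domains if domain_matches(host, d)), None)
        if matched is not None:
            hits.append(("proxy", line, matched))
    return hits


def run_sample():
    domains, urls = load_iocs(THREATFOX_IOCS)
    return hunt(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG, domains, urls)


if __name__ == "__main__":
    for source, line, ioc in run_sample():
        print(f"[{source}] {ioc} <- {line}")
```

On the constructed sample this yields five hits: two DNS lines (the www subdomain and the trailing-dot form) and three proxy lines (the http:// fetch with a cache-buster, the upper-cased host with an explicit port and trailing slash, and the host-level fallback on an unlisted path), while the look-alike domains and the same path on example.org are correctly ignored.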
False-positive scenarios

The exclusions below are written against generic process and file fields. The DnsEvents and UrlClickEvents tables used in this hunt carry no process or file columns, so these filters only apply where the IOC match is joined to endpoint telemetry that has them (for example DeviceNetworkEvents with InitiatingProcessFileName). For a DNS/URL indicator hunt, the more likely benign sources are security tooling that resolves or fetches the IOC on purpose (sandboxes, URL scanners, threat-intel enrichment, mail-security link checks); exclude those by source host or account rather than by process name, and keep a record of every exclusion so it can be reviewed when the IOC list changes.

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: not (process.name == "system_maintenance_script.sh" and file.path == "/opt/maintenance/scripts/maintenance.sh")

Scenario: Admin Task – Log Collection via Logstash
Description: The Logstash tool is used to collect and forward logs, and its configuration files or binaries match the IOC pattern.
Filter/Exclusion: not (process.name == "logstash" and file.name == "logstash.conf")

Scenario: Software Update via Puppet or Ansible
Description: A Puppet or Ansible module is deployed that includes a file or command matching the IOC due to similar naming.
Filter/Exclusion: not (process.name in ("puppet", "ansible") and file.name == "update_module.sh")

Scenario: Database Backup Using mysqldump
Description: A database backup script using mysqldump includes a command that matches the IOC due to similar syntax.
Filter/Exclusion: not (process.name == "mysqldump" and command_line startswith "mysqldump -u")

Scenario: Network Monitoring Tool – Wireshark Capture
Description: A Wireshark capture file or command-line argument matches the IOC due to similar string patterns.
Filter/Exclusion: not (process.name == "wireshark" and file.name == "capture.pcap")