The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated and persistent threat actor.
IOC Summary

Malware Family: SmartApeSG
Total IOCs: 7
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://smoothcompass.top/scope/metrics-render | payload_delivery | 2026-05-28 | 100% |
| domain | smoothcompass.top | payload_delivery | 2026-05-28 | 100% |
| url | hxxps://smoothcompass.top/scope/beta-component.js | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://5[.]161[.]50[.]81 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://5[.]78[.]74[.]208 | payload_delivery | 2026-05-28 | 100% |
| url | hxxps://blazingtunnelworks.com/up | payload_delivery | 2026-05-28 | 100% |
| domain | blazingtunnelworks.com | payload_delivery | 2026-05-28 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// The table above lists the values defanged; they are re-armed here so the query matches real telemetry.
// has_any does term matching, so subdomains of each listed domain are matched as well.
let malicious_domains = dynamic(["smoothcompass.top", "blazingtunnelworks.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// UrlClickEvents holds Safe Links click telemetry from Defender for Office 365; it only covers
// clicks on links in mail and Office content, not all web traffic, so pair it with proxy or firewall logs.
let malicious_urls = dynamic(["https://smoothcompass.top/scope/metrics-render", "https://smoothcompass.top/scope/beta-component.js", "http://5.161.50.81", "http://5.78.74.208", "https://blazingtunnelworks.com/up"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
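To sanity-check what the two queries above will and will not match, the following added Python example (not part of the ThreatFox rule or of this page) re-arms the defanged table values, splits them into host and URL indicators, and runs them over a few constructed DNS and proxy events; the host check approximates the subdomain semantics of KQL `has_any` on `DnsEvents.Name`. The event tuples and helper names are this example's own assumptions.

```python
import re

DEFANGED_IOCS = [  # defanged IOCs copied from the table on this page
    "hxxps://smoothcompass.top/scope/metrics-render",
    "smoothcompass.top",
    "hxxps://smoothcompass.top/scope/beta-component.js",
    "hxxp://5[.]161[.]50[.]81",
    "hxxp://5[.]78[.]74[.]208",
    "hxxps://blazingtunnelworks.com/up",
    "blazingtunnelworks.com",
]

def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a matchable value."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")

def host_of(url: str) -> str:
    """Host part of a URL: strip scheme, path and port."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

def indicator_sets(iocs):
    """Split refanged IOCs into host and URL sets; each URL also yields its host."""
    iocs = [refang(r).lower() for r in iocs]
    urls = {i.rstrip("/") for i in iocs if "://" in i}
    hosts = {host_of(i) if "://" in i else i for i in iocs}
    return hosts, urls

def host_matches(name: str, hosts) -> bool:
    """Exact host or a subdomain of it (approximates KQL has_any on DnsEvents.Name)."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)

def hunt(events, iocs=DEFANGED_IOCS):
    """Values of (kind, value) events that match an indicator; kind is 'dns' or 'url'."""
    hosts, urls = indicator_sets(iocs)
    hits = []
    for kind, value in events:
        v = value.lower().rstrip("/")
        if kind == "dns" and host_matches(v, hosts):
            hits.append(value)
        elif kind == "url" and (v in urls or host_matches(host_of(v), hosts)):
            hits.append(value)
    return hits

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    ("dns", "cdn.smoothcompass.top"),          # subdomain of an IOC domain: hit
    ("dns", "smoothcompass.topical.example"),  # lookalike with a different label: no hit
    ("url", "https://blazingtunnelworks.com/up"),
    ("url", "http://5.161.50.81/"),            # trailing slash normalised away: hit
]
```

Running `hunt(SAMPLE_EVENTS)` returns the three matching values and skips the lookalike name, which is the behaviour to expect from the KQL above.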
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the SmartApeSG IOCs, such as a PowerShell script used for system updates.
Filter/Exclusion: Exclude processes started by the Task Scheduler service, or whose command line contains schtasks.exe or scheduling.
Scenario: Admin Performing Log Collection via PowerShell
Description: An administrator uses PowerShell to collect logs, which may include commands or scripts that resemble SmartApeSG IOCs.
Filter/Exclusion: Exclude PowerShell processes launched by a user with administrative privileges whose command line contains Get-EventLog, Get-Log, or Export-Log.
Scenario: Automated Backup Job Using rsync or Robocopy
Description: A backup job using rsync or Robocopy may include file paths or commands that match SmartApeSG IOCs.
Filter/Exclusion: Exclude processes with rsync, robocopy, or backup in the command line, especially when executed by a backup service account or during scheduled backup windows.
Scenario: Internal Monitoring Tool Using Netcat for Debugging
Description: A legitimate internal monitoring tool uses netcat to test connectivity or debug network issues, which may trigger the SmartApeSG IOC related to network tools.
Filter/Exclusion: Exclude processes involving netcat, nc, or nmap when executed from a known internal monitoring tool or by a network operations team user.
Scenario: User Running a Legitimate Malware Analysis Tool
Description: A security analyst runs a legitimate malware analysis tool (e.g., Cuckoo Sandbox, Joe Sandbox) that may include files or