The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary

Malware Family: SmartApeSG
Total IOCs: 8
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://coralregistry.top/middleware/role-render.js | payload_delivery | 2026-06-20 | 100% |
| domain | coralregistry.top | payload_delivery | 2026-06-20 | 100% |
| url | hxxps://coralregistry.top/middleware/endpoint-asset.js | payload_delivery | 2026-06-20 | 100% |
| url | hxxps://coralregistry.top/middleware/version-schema | payload_delivery | 2026-06-20 | 100% |
| url | hxxps://ivorycourtyard.top/middleware/role-render.js | payload_delivery | 2026-06-20 | 100% |
| url | hxxps://ivorycourtyard.top/middleware/version-schema | payload_delivery | 2026-06-19 | 100% |
| domain | ivorycourtyard.top | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://ivorycourtyard.top/middleware/endpoint-asset.js | payload_delivery | 2026-06-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["coralregistry.top", "ivorycourtyard.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic([
    "https://coralregistry.top/middleware/role-render.js",
    "https://coralregistry.top/middleware/endpoint-asset.js",
    "https://coralregistry.top/middleware/version-schema",
    "https://ivorycourtyard.top/middleware/role-render.js",
    "https://ivorycourtyard.top/middleware/version-schema",
    "https://ivorycourtyard.top/middleware/endpoint-asset.js"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
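The two queries above were written by hand from the IOC table, which means refanging the `hxxps` values, deriving the host from each URL, and quoting the list for `dynamic([...])`. The following Python script is an added example, not part of the ThreatFox page or the Sentinel rule, that performs those steps from the eight rows above (embedded as constructed input), emits both KQL queries, and runs a local suffix-match check over a few constructed DNS records to show which names the domain hunt is meant to catch. The `IOC_ROWS`, `SAMPLE_DNS` and function names are this example's own.

```python
"""Build Sentinel KQL hunt lists from defanged ThreatFox IOC rows and
sanity-check the domain list against a few constructed DNS records."""
import json
import re
from urllib.parse import urlsplit

# Constructed input: the eight IOC rows from the table above, copied still defanged.
IOC_ROWS = [
    ("url", "hxxps://coralregistry.top/middleware/role-render.js"),
    ("domain", "coralregistry.top"),
    ("url", "hxxps://coralregistry.top/middleware/endpoint-asset.js"),
    ("url", "hxxps://coralregistry.top/middleware/version-schema"),
    ("url", "hxxps://ivorycourtyard.top/middleware/role-render.js"),
    ("url", "hxxps://ivorycourtyard.top/middleware/version-schema"),
    ("domain", "ivorycourtyard.top"),
    ("url", "hxxps://ivorycourtyard.top/middleware/endpoint-asset.js"),
]


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions (hxxp, [.], [:]) so the
    value matches what actually appears in telemetry."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def build_ioc_sets(rows):
    """Return (domains, urls) as sorted lists. Every URL IOC also contributes
    its host to the domain list, so the DNS hunt still fires if only the
    path of a payload URL changes."""
    domains, urls = set(), set()
    for ioc_type, value in rows:
        value = refang(value)
        if ioc_type == "url":
            urls.add(value)
            host = urlsplit(value).hostname
            if host:
                domains.add(host.lower())
        elif ioc_type == "domain":
            domains.add(value.lower())
    return sorted(domains), sorted(urls)


def kql_let(name, values):
    """Emit a KQL `let name = dynamic([...]);` line. json.dumps produces
    double-quoted, backslash-escaped literals, which KQL accepts."""
    return f"let {name} = dynamic([{', '.join(json.dumps(v) for v in values)}]);"


def render_hunts(rows):
    """Render the DNS and URL hunt queries shown on the page from the IOC rows."""
    domains, urls = build_ioc_sets(rows)
    dns = "\n".join([
        kql_let("malicious_domains", domains),
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
        "| order by TimeGenerated desc",
    ])
    url = "\n".join([
        kql_let("malicious_urls", urls),
        "UrlClickEvents",
        "| where Url has_any (malicious_urls)",
        "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough",
        "| order by Timestamp desc",
    ])
    return dns, url


def dns_hits(records, domains):
    """Local approximation of the DNS hunt: flag a record when the queried
    name is an IOC domain or a subdomain of one (trailing dot tolerated)."""
    hits = []
    for rec in records:
        name = rec["Name"].rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(rec["Computer"])
    return hits


# Constructed DnsEvents-style records for the local check (not real telemetry).
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "coralregistry.top."},
    {"Computer": "ws02", "Name": "cdn.ivorycourtyard.top"},
    {"Computer": "ws03", "Name": "coralregistry.top.example.com"},  # not a suffix hit
    {"Computer": "ws04", "Name": "contoso.com"},
]

if __name__ == "__main__":
    dns_query, url_query = render_hunts(IOC_ROWS)
    print(dns_query, "\n", url_query, sep="")
    print("hits:", dns_hits(SAMPLE_DNS, build_ioc_sets(IOC_ROWS)[0]))
```

Two points the local check makes visible: the queried `Name` in DNS telemetry often carries a trailing dot and varies in case, so matching must normalise both; and `has_any` in KQL is term-based rather than a suffix test, so a name such as `coralregistry.top.example.com` can also surface in the Sentinel results and should be triaged rather than assumed malicious. `UrlClickEvents` only records Safe Links clicks from mail and Teams; for proxy or endpoint coverage the same `malicious_urls` list can be applied to `CommonSecurityLog` (`RequestURL`) or `DeviceNetworkEvents` (`RemoteUrl`), and the `malicious_domains` list to the hosts they record.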
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
The exclusion scenarios below are written against process telemetry (`process.name`, `process.command_line`, `process.file_path`). Because every IOC in this rule is a domain or URL, they only apply where those indicators are also matched against process events; they do not narrow the DnsEvents and UrlClickEvents queries above.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the SmartApeSG IOCs (e.g., a PowerShell script used for system updates).
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"

Scenario: Admin Performing Disk Cleanup
Description: An admin uses a tool such as Disk Cleanup (cleanmgr.exe) whose file path or command line resembles a SmartApeSG IOC.
Filter/Exclusion: process.name == "cleanmgr.exe" or process.file_path contains "cleanmgr.exe"

Scenario: Legitimate Log Collection Tool
Description: A tool such as LogParser or Windows Event Collector is used to gather logs and has a command line or file path that matches a SmartApeSG IOC.
Filter/Exclusion: process.name == "logparser.exe" or process.file_path contains "LogParser.exe"

Scenario: Automated Patching Job
Description: A patching tool such as Windows Update or WSUS runs a script or executable that matches an IOC associated with SmartApeSG.
Filter/Exclusion: process.name == "wusa.exe" or process.file_path contains "wusa.exe"

Scenario: Internal Monitoring Tool Execution
Description: A monitoring tool such as PRTG or Nagios executes a script or binary whose file name or command line matches a SmartApeSG IOC.
Filter/Exclusion: process.name == "prtg_agent.exe" or process.file_path contains "PRTG"