The ThreatFox: SmartApeSG IOCs rule detects contact with infrastructure that ThreatFox attributes to the SmartApeSG malware family. All seven indicators are tagged payload_delivery, i.e. they are the domains and URLs from which the malware's payload is served, so a DNS query or URL click matching them means a host in the environment was at least partway through the infection chain. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel), extending the search window back to the first-seen date, and triage every hit as a candidate compromise rather than waiting for a scheduled alert.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 7 (5 URLs, 2 domains)
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://saffronarchivehub.top/role/policy-sessionstore.js | payload_delivery | 2026-06-11 | 100% |
| domain | saffronarchivehub.top | payload_delivery | 2026-06-11 | 100% |
| url | hxxps://saffronarchivehub.top/role/health-json | payload_delivery | 2026-06-11 | 100% |
| url | hxxps://saffronarchivehub.top/role/redirect-html.js | payload_delivery | 2026-06-11 | 100% |
| url | hxxps://alabastermarket.top/role/health-json | payload_delivery | 2026-06-11 | 100% |
| domain | alabastermarket.top | payload_delivery | 2026-06-11 | 100% |
| url | hxxps://alabastermarket.top/role/redirect-html.js | payload_delivery | 2026-06-11 | 100% |
// Hunt for DNS queries to the SmartApeSG payload-delivery domains.
// has_any matches the domain as a term phrase, so subdomains such as cdn.<domain> are caught as well.
// In DnsEvents, Computer is the DNS server that logged the query; ClientIP is the host that asked.
// Source: ThreatFox - SmartApeSG (first seen 2026-06-11; set the query time range to cover that date)
let malicious_domains = dynamic(["saffronarchivehub.top", "alabastermarket.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for Safe Links clicks on the SmartApeSG payload URLs.
// UrlClickEvents only records links clicked from email, Teams and Office documents (Defender for Office 365 Safe Links);
// a browser that reaches these URLs directly, e.g. from a compromised website, does not appear in this table.
// Matching on the domain catches paths not yet listed in ThreatFox; ExactIocUrl flags the listed URLs.
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["saffronarchivehub.top", "alabastermarket.top"]);
let malicious_urls = dynamic(["https://saffronarchivehub.top/role/policy-sessionstore.js", "https://saffronarchivehub.top/role/health-json", "https://saffronarchivehub.top/role/redirect-html.js", "https://alabastermarket.top/role/health-json", "https://alabastermarket.top/role/redirect-html.js"]);
UrlClickEvents
| where Url has_any (malicious_domains)
| extend ExactIocUrl = Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ExactIocUrl, ActionType, IsClickedThrough, Workload
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics solution (agent on the Windows DNS servers); confirm the connector is enabled and that the resolvers your endpoints actually use are covered |
| UrlClickEvents | Defender for Office 365 Safe Links data, ingested through the Microsoft Defender XDR connector; covers only links clicked from email, Teams and Office, not general web browsing |
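The two KQL queries above express the same matching rules, but it is easy to get them subtly wrong when copying indicators out of a ThreatFox export: the values are defanged (hxxps://), subdomains and alternate paths must still match, and URL comparison should ignore scheme and cache-busting query strings. The script below is an added example, not part of this rule page or of ThreatFox, that refangs the IOC table, derives the domain list from the URL IOCs, runs the same matching logic over a few constructed DNS and proxy log lines (the line formats are an assumption for the demo, not a real product's export), and prints the two `let` statements for the Sentinel queries.

```python
"""Offline IOC matcher and KQL list builder for the ThreatFox SmartApeSG indicators.

Added example for this page; not ThreatFox code and not the original rule. The
log lines and their formats are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# IOCs copied from the table above, still in their defanged form.
SMARTAPESG_IOCS = [
    ("url", "hxxps://saffronarchivehub.top/role/policy-sessionstore.js"),
    ("domain", "saffronarchivehub.top"),
    ("url", "hxxps://saffronarchivehub.top/role/health-json"),
    ("url", "hxxps://saffronarchivehub.top/role/redirect-html.js"),
    ("url", "hxxps://alabastermarket.top/role/health-json"),
    ("domain", "alabastermarket.top"),
    ("url", "hxxps://alabastermarket.top/role/redirect-html.js"),
]

# Constructed sample telemetry (assumed formats, not a real product's output):
#   <ts> dns <host> <qtype> <qname>
#   <ts> proxy <src_ip> <method> <url> <status>
SAMPLE_LOGS = [
    "2026-06-12T08:01:02Z dns ws01 A www.saffronarchivehub.top",
    "2026-06-12T08:01:05Z proxy 10.0.0.5 GET https://saffronarchivehub.top/role/health-json?cb=17 200",
    "2026-06-12T08:02:10Z dns ws02 A updates.microsoft.com",
    "2026-06-12T08:03:44Z proxy 10.0.0.9 GET http://alabastermarket.top/role/redirect-html.js 200",
    "2026-06-12T08:04:01Z dns ws03 A notalabastermarket.top",
    "2026-06-12T08:05:12Z proxy 10.0.0.5 GET https://saffronarchivehub.top/role/other.js 404",
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp(s)://, [.], [:]) so values compare against real telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_indicators(iocs):
    """Return (domains, urls). The host of every URL IOC is added to the domain set too."""
    domains, urls = set(), set()
    for kind, raw in iocs:
        value = refang(raw).lower()
        if kind == "domain":
            domains.add(value.rstrip("."))
        elif kind == "url":
            urls.add(value)
            domains.add((urlsplit(value).hostname or "").rstrip("."))
    domains.discard("")
    return domains, urls


def domain_matches(qname, domains):
    """Exact or subdomain match: www.evil.tld matches evil.tld, notevil.tld does not."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in domains)


def _url_key(url):
    # Host is case-folded; scheme, query string and fragment are ignored so that
    # http/https variants and cache-busting parameters still match the IOC path.
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip("."), parts.path or "/"


def url_matches(url, urls):
    key = _url_key(url)
    return any(key == _url_key(u) for u in urls)


def hunt(lines, domains, urls):
    """Apply the indicator set to log lines; returns (timestamp, match_type, observer, value)."""
    hits = []
    for line in lines:
        f = line.split()
        ts, source = f[0], f[1]
        if source == "dns":
            if domain_matches(f[4], domains):
                hits.append((ts, "dns", f[2], f[4]))
        elif source == "proxy":
            url = f[4]
            if url_matches(url, urls):
                hits.append((ts, "proxy-url", f[2], url))
            elif domain_matches(urlsplit(url).hostname or "", domains):
                # Same infrastructure, path not (yet) in ThreatFox: still a hit.
                hits.append((ts, "proxy-domain", f[2], url))
    return hits


def kql_lists(domains, urls):
    """Emit the two KQL 'let' lines used by the Sentinel queries above, refanged and sorted."""
    def dyn(name, values):
        items = ", ".join('"%s"' % v for v in sorted(values))
        return "let %s = dynamic([%s]);" % (name, items)
    return dyn("malicious_domains", domains) + "\n" + dyn("malicious_urls", urls)


if __name__ == "__main__":
    doms, urls = build_indicators(SMARTAPESG_IOCS)
    print(kql_lists(doms, urls))
    for hit in hunt(SAMPLE_LOGS, doms, urls):
        print(*hit)
```

Run over the sample lines it reports four hits: the subdomain DNS query, the two exact URL fetches (one of them over plain http with a cache-busting parameter), and the request for an unlisted path on saffronarchivehub.top; the lookup of notalabastermarket.top is correctly ignored. The generated `let` lines can be pasted into the queries above when the ThreatFox list is updated.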
Scenario: Security tooling reproduces the indicators (sandbox detonation, URL scanners, threat-intel enrichment that fetches or resolves the IOCs)
Filter/Exclusion: Exclude the analysis hosts and service accounts that are expected to touch indicators, by ClientIP or Computer in DnsEvents and by AccountUpn in UrlClickEvents. SmartApeSG is a malware family, not an administrative tool, so there is no legitimate business use of these domains; exclusions must target known observers, never the indicators themselves.
Scenario: DNS query answered by a sinkhole or blocked by resolver policy
Filter/Exclusion: Do not exclude. Keep the hit at lower priority, confirm from IPAddresses (sinkhole address or empty answer) that the payload host was not reached, and check the client's proxy and EDR telemetry for the same time window.
Scenario: Safe Links blocked the click
Filter/Exclusion: Do not exclude. Where ActionType shows a block (e.g. ClickBlocked) and IsClickedThrough is false, the user never reached the payload URL; still triage the message for the lure and look for other recipients of the same link.
Scenario: Subdomains or paths on the listed domains that are not in the ThreatFox table
Filter/Exclusion: Do not exclude. has_any matches subdomains, and matching on the domain catches paths ThreatFox has not listed yet; treat them as the same campaign infrastructure.