The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malicious network traffic and credential compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://bronzepavilion.top/signin/auth-json | payload_delivery | 2026-06-12 | 100% |
| domain | bronzepavilion.top | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://bronzepavilion.top/signin/route-script.js | payload_delivery | 2026-06-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["bronzepavilion.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://bronzepavilion.top/signin/auth-json", "https://bronzepavilion.top/signin/route-script.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
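As an added offline check, not part of the ThreatFox rule or the KQL above, this Python refangs the IOC table and applies the same domain and URL matching to a few constructed DnsEvents/UrlClickEvents rows; the field names mirror the KQL projections, and the sample events are made up.

```python
from typing import Optional
from urllib.parse import urlsplit

# IOCs copied from the table above, still defanged as ThreatFox publishes them.
IOCS = [
    ("url", "hxxps://bronzepavilion.top/signin/auth-json"),
    ("domain", "bronzepavilion.top"),
    ("url", "hxxps://bronzepavilion.top/signin/route-script.js"),
]

def refang(value: str) -> str:
    """Undo common defanging so the IOC compares equal to live telemetry."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))

def normalize_url(url: str) -> str:
    """Lower-case scheme and host, keep the path case-sensitive, drop the query."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path.rstrip('/') or '/'}"
URLS = {normalize_url(refang(v)) for t, v in IOCS if t == "url"}
DOMAINS = {refang(v).lower() for t, v in IOCS if t == "domain"}
# The host of every URL IOC is also hunted at the DNS layer.
DOMAINS |= {urlsplit(u).hostname for u in URLS}

def dns_match(query_name: str) -> Optional[str]:
    """Match an exact domain or any subdomain; 'notbronzepavilion.top' must not hit."""
    name = query_name.lower().rstrip(".")
    return next((d for d in DOMAINS if name == d or name.endswith("." + d)), None)

def url_match(url: str) -> Optional[str]:
    """Exact match of the normalized URL against the refanged URL IOCs."""
    norm = normalize_url(url)
    return norm if norm in URLS else None

# Constructed sample events mirroring the DnsEvents / UrlClickEvents columns used above.
DNS_EVENTS = [
    {"Computer": "ws01", "Name": "bronzepavilion.top"},
    {"Computer": "ws02", "Name": "cdn.bronzepavilion.top."},
    {"Computer": "ws03", "Name": "notbronzepavilion.top"},
]
URL_EVENTS = [
    {"AccountUpn": "a@example.com", "Url": "HTTPS://Bronzepavilion.top/signin/auth-json?x=1"},
    {"AccountUpn": "b@example.com", "Url": "https://bronzepavilion.top/signin/other"},
]

def hunt(dns_events=DNS_EVENTS, url_events=URL_EVENTS):
    # Returns (source, matched IOC) pairs: the rows the two KQL queries would surface.
    hits = [(e["Computer"], m) for e in dns_events if (m := dns_match(e["Name"]))]
    hits += [(e["AccountUpn"], m) for e in url_events if (m := url_match(e["Url"]))]
    return hits
```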
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: process.name != "system_maintenance_script.sh" or file.path not contains "scheduled_jobs"
Scenario: Admin Task - Log File Analysis
Description: An administrator is analyzing log files using a tool like logrotate or rsyslog, which may trigger the IOC due to similar file names or command-line arguments.
Filter/Exclusion: process.name not contains "logrotate" and process.name not contains "rsyslog"
Scenario: Software Update Process
Description: A legitimate software update process (e.g., using yum, apt, or msiexec) may trigger the rule due to matching command-line arguments or file paths.
Filter/Exclusion: process.name not contains "yum" and process.name not contains "msiexec"
Scenario: Database Backup Job
Description: A database backup tool like mysqldump or pg_dump may generate files or commands that resemble the IOC pattern.
Filter/Exclusion: process.name not contains "mysqldump" and process.name not contains "pg_dump"
Scenario: Network Monitoring Tool Usage
Description: A network monitoring tool like tcpdump or Wireshark may generate files or commands that match the IOC pattern.
Filter/Exclusion: process.name not contains "tcpdump" and process.name not contains "wireshark"