The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command and control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 7
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://thunderplanethub.top/role/rate-hook | payload_delivery | 2026-05-23 | 100% |
| domain | thunderplanethub.top | payload_delivery | 2026-05-23 | 100% |
| url | hxxps://thunderplanethub.top/role/principal-validator.js | payload_delivery | 2026-05-23 | 100% |
| url | hxxp://178[.]156[.]199[.]54 | payload_delivery | 2026-05-23 | 100% |
| url | hxxp://5[.]161[.]235[.]47 | payload_delivery | 2026-05-23 | 100% |
| url | hxxps://northernbridgeworks.com/more | payload_delivery | 2026-05-23 | 100% |
| domain | northernbridgeworks.com | payload_delivery | 2026-05-23 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["thunderplanethub.top", "northernbridgeworks.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// URL values are the refanged form of the table above (hxxp -> http, [.] -> .)
let malicious_urls = dynamic(["https://thunderplanethub.top/role/rate-hook", "https://thunderplanethub.top/role/principal-validator.js", "http://178.156.199.54", "http://5.161.235.47", "https://northernbridgeworks.com/more"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
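The two hunt queries above match the indicators against DnsEvents and UrlClickEvents, but the table publishes them defanged (hxxp, [.]), so they must be refanged first. As an added example that is not part of the ThreatFox page or the rule, the following Python script refangs the IOCs exactly as listed, matches domains by exact name or subdomain and URLs at a path boundary (so a look-alike host or an IOC URL embedded in another site's query string does not fire), and runs that logic over constructed sample rows shaped like the two tables; the column names follow the queries, and the sample rows are constructed.

```python
import re
from urllib.parse import urlsplit

# IOCs copied from the table above, still defanged the way ThreatFox publishes them
DEFANGED = {
    "domain": ["thunderplanethub.top", "northernbridgeworks.com"],
    "url": ["hxxps://thunderplanethub.top/role/rate-hook",
            "hxxps://thunderplanethub.top/role/principal-validator.js",
            "hxxp://178[.]156[.]199[.]54", "hxxp://5[.]161[.]235[.]47",
            "hxxps://northernbridgeworks.com/more"],
}

def refang(ioc):
    """Reverse the defanging used in the table: hxxp(s):// -> http(s)://, [.] -> ."""
    return re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE).replace("[.]", ".")

def normalize_url(url):
    """Lower-case scheme and host, drop the query/fragment and a bare trailing slash."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path.rstrip('/')}"

def domain_hit(name, domains):
    """Match the IOC domain itself or a subdomain of it, never a bare substring."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)

def url_hit(url, urls):
    """Match when the observed URL equals an IOC URL or extends it at a path boundary."""
    u = normalize_url(url)
    return any(u == ioc or u.startswith(ioc + "/") for ioc in urls)

def hunt(dns_events, url_events):
    """Return (table, record) pairs whose Name/Url field matches a refanged IOC."""
    domains = [refang(d).lower() for d in DEFANGED["domain"]]
    urls = [normalize_url(refang(u)) for u in DEFANGED["url"]]
    hits = [("DnsEvents", e) for e in dns_events if domain_hit(e["Name"], domains)]
    hits += [("UrlClickEvents", e) for e in url_events if url_hit(e["Url"], urls)]
    return hits

DNS_EVENTS = [  # constructed rows shaped like DnsEvents
    {"Computer": "ws01", "Name": "cdn.thunderplanethub.top"},           # subdomain: hit
    {"Computer": "ws02", "Name": "thunderplanethub.top.example.org"},   # look-alike: no hit
    {"Computer": "ws03", "Name": "northernbridgeworks.com."},           # trailing dot: hit
]
URL_EVENTS = [  # constructed rows shaped like UrlClickEvents
    {"AccountUpn": "a@example.com", "Url": "https://thunderplanethub.top/role/rate-hook?x=1"},
    {"AccountUpn": "b@example.com", "Url": "http://5.161.235.47/"},
    {"AccountUpn": "c@example.com", "Url": "https://northernbridgeworks.com/more-info"},
    {"AccountUpn": "d@example.com", "Url": "https://example.com/?u=https://northernbridgeworks.com/more"},
]
```

Running hunt(DNS_EVENTS, URL_EVENTS) returns two DNS hits (ws01, ws03) and two URL hits (a@, b@); the refanged lists are what belongs in a Sentinel watchlist.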
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Job | A legitimate scheduled job runs a script that matches one of the SmartApeSG IOCs, such as a known system maintenance tool or script. | process.name != "system_maintenance_script.sh" or process.parent_process.name != "cron" |
| Admin Task Using PowerShell for Log Analysis | An admin uses PowerShell to analyze logs, and the script path or command line matches an IOC associated with SmartApeSG. | process.name != "powershell.exe" or process.command_line not contains "log_analysis" |
| Legitimate Software Update Process | A software update process downloads a file that matches an IOC from SmartApeSG, such as a legitimate update package. | file.name != "update_package.exe" or file.hash != "known_legit_hash" |
| Database Backup Job Using SQL Script | A database backup job uses a SQL script that contains a string matching an IOC, such as a backup utility or command. | process.name != "sqlbackup.exe" or process.command_line not contains "backup" |
| User-Initiated File Transfer via SCP | A user transfers files using SCP, and the command line or file path matches an IOC, such as a legitimate file transfer tool. | process.name != "scp" or process.command_line not contains "secure_copy" |