The ThreatFox: SmartApeSG IOCs rule flags activity involving infrastructure that ThreatFox tracks under the SmartApeSG malware family, a threat actor associated with malware distribution. All seven indicators in this set are tagged payload_delivery, so a hit most likely represents the delivery stage (a lure page or payload download) rather than later command-and-control traffic. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify compromises at that early stage, before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 7
IOC Types: url (5), domain (2)
Values in the table below are defanged (hxxp, [.]); refang them before use in queries or block lists.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://lucidgardenhub.top/role/acl-request | payload_delivery | 2026-05-25 | 100% |
| domain | lucidgardenhub.top | payload_delivery | 2026-05-25 | 100% |
| url | hxxp://5[.]78[.]219[.]202 | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://lucidgardenhub.top/role/reset-theme.js | payload_delivery | 2026-05-25 | 100% |
| url | hxxp://5[.]78[.]214[.]140 | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://brightvoyagerstudio.com/studio | payload_delivery | 2026-05-25 | 100% |
| domain | brightvoyagerstudio.com | payload_delivery | 2026-05-25 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
// DnsEvents is populated by the DNS Analytics connector. Computer is the DNS
// server that logged the query; ClientIP is the host that actually asked, so
// project it for the pivot. has_any also matches subdomains of the listed names.
let malicious_domains = dynamic(["lucidgardenhub.top", "brightvoyagerstudio.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// Match the exact URLs and, more robustly, the host part of the clicked URL, so
// that variants with extra query parameters or a different scheme still hit.
// The two IP-only indicators are matched as hosts rather than as full URLs.
let malicious_urls = dynamic(["https://lucidgardenhub.top/role/acl-request", "https://lucidgardenhub.top/role/reset-theme.js", "https://brightvoyagerstudio.com/studio"]);
let malicious_hosts = dynamic(["lucidgardenhub.top", "brightvoyagerstudio.com", "5.78.219.202", "5.78.214.140"]);
UrlClickEvents
| extend UrlHost = tostring(parse_url(Url).Host)
| where Url has_any (malicious_urls) or UrlHost in~ (malicious_hosts)
| project Timestamp, AccountUpn, Url, UrlHost, ActionType, IsClickedThrough
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics connector; ensure it is enabled. Workspaces on the newer Windows DNS Events via AMA connector get ASimDnsActivityLogs instead, so adjust the DNS query accordingly. |
| UrlClickEvents | Populated by Defender for Office 365 Safe Links through the Microsoft Defender XDR connector; ensure it is enabled. Only covers links that Safe Links rewrote and a user clicked. |
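The two queries above cover only DNS Analytics and Safe Links click telemetry. The IP-only indicators (5.78.219.202 and 5.78.214.140) never appear as a DNS query name and only appear in UrlClickEvents if a user clicked a rewritten link to them, so they need to be matched against destination-IP fields in network logs. The query below is an added example, not part of the ThreatFox rule, that hunts the same indicators across Defender for Endpoint network events, CEF proxy/firewall logs and the ASIM DNS table, normalising each source to one shape and summarising per client. It assumes those three tables are populated in the workspace; the 30-day lookback is an arbitrary choice.

```kql
// Added example (not part of the ThreatFox rule): hunt the SmartApeSG
// indicators across network telemetry, so that the IP-only indicators and
// endpoint/proxy connections are covered as well as DNS and Safe Links.
// Assumptions: DeviceNetworkEvents, CommonSecurityLog and ASimDnsActivityLogs
// are populated in this workspace; the 30-day lookback is an arbitrary choice.
let lookback = 30d;
// Host-level matching subsumes the three path-specific URLs in the table: in
// network telemetry the path is usually absent for HTTPS, but the host is not.
let ioc_hosts = dynamic(["lucidgardenhub.top", "brightvoyagerstudio.com"]);
let ioc_ips = dynamic(["5.78.219.202", "5.78.214.140"]);
// Defender for Endpoint: outbound connections per process. RemoteUrl holds the
// hostname (from DNS/SNI) or full URL when known, RemoteIP the peer address.
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (ioc_ips) or RemoteUrl has_any (ioc_hosts)
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents",
              Device = DeviceName, ClientIP = LocalIP,
              Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl),
              Context = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine);
// CEF proxy/firewall logs: match the requested URL, destination host or IP.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (ioc_ips)
        or RequestURL has_any (ioc_hosts)
        or DestinationHostName has_any (ioc_hosts)
    | project TimeGenerated, Source = strcat("CommonSecurityLog/", DeviceProduct),
              Device = SourceHostName, ClientIP = SourceIP,
              Indicator = coalesce(RequestURL, DestinationHostName, DestinationIP),
              Context = strcat(DeviceAction, " ", Activity);
// ASIM-normalised DNS (e.g. Windows DNS via AMA): same domains as the
// DnsEvents query above, for workspaces on the newer connector.
let asimdns = ASimDnsActivityLogs
    | where TimeGenerated > ago(lookback)
    | where DnsQuery has_any (ioc_hosts)
    | project TimeGenerated, Source = "ASimDnsActivityLogs",
              Device = SrcHostname, ClientIP = SrcIpAddr,
              Indicator = DnsQuery,
              Context = strcat(EventResult, " ", DnsResponseCodeName);
// isfuzzy=true lets the query run even if one of the three tables is absent.
union isfuzzy=true mde, cef, asimdns
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(),
            Sources = make_set(Source, 10),
            Indicators = make_set(Indicator, 10),
            SampleContext = take_any(Context)
  by Device, ClientIP
| order by LastSeen desc
```

Run it from the Logs blade with the time picker set to at least the lookback. The summarize collapses repeated beacons into one row per client so that a single host fetching the lure and the payload shows up once with both indicators; drop the summarize to see every event, and use the Context column (initiating process on endpoints, device action on proxies, response code on DNS) to separate a blocked or failed attempt from a successful download.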
Scenario: Analyst, sandbox or detonation service resolving or fetching the indicators during an investigation
Filter/Exclusion: Exclude by ClientIP (DNS) or AccountUpn (Safe Links) for dedicated analysis hosts and services, and only after confirming the activity was deliberate. Never exclude by domain or URL, since that removes the detection entirely.
Scenario: Safe Links already blocked the click
Filter/Exclusion: Do not exclude these rows. A click with ActionType ClickBlocked, or with IsClickedThrough false, still shows the lure reached the user, and the same user may receive the link again through a channel Safe Links does not cover.
Scenario: DNS hits attributed to a resolver or forwarder rather than the endpoint
Filter/Exclusion: Not an exclusion. In DnsEvents, Computer is the DNS server that logged the query; pivot on ClientIP to find the originating host. If ClientIP is itself a downstream resolver, the client's own DNS logs are needed to attribute the query.
Scenario: Subdomain or post-takedown noise on the has_any domain match
Filter/Exclusion: Keep the match, but review the resolved IPAddresses. Responses that resolve to a sinkhole or to a parking service after takedown are lower priority than ones that still resolve to live infrastructure.
Scenario: Indicator ageing
Filter/Exclusion: Compare the match time with the First Seen date in the table. Matches well before First Seen can indicate earlier legitimate use of the domain; matches long after it may be stale infrastructure. Revalidate against the current ThreatFox entry before escalating or adding the value to a block list.