The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command and control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://shadowcompass.top/public/acl-partial | payload_delivery | 2026-06-05 | 100% |
| domain | shadowcompass.top | payload_delivery | 2026-06-05 | 100% |
| url | hxxps://shadowcompass.top/public/token-json.js | payload_delivery | 2026-06-05 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["shadowcompass.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://shadowcompass.top/public/acl-partial", "https://shadowcompass.top/public/token-json.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
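The two queries above rely on Sentinel's `has_any` matching against hand-typed literals. The following Python script is an added example, not part of the ThreatFox rule or this page's original content: it takes the three IOCs exactly as listed in the summary table (defanged `hxxps://` form), refangs them, derives the domain watchlist from the URL IOCs as well, applies exact-or-subdomain matching for DNS names and query-string-tolerant matching for URLs, and runs that logic over a few constructed DNS and proxy log lines. It also renders the resulting watchlists as the `dynamic([...])` literals the Kusto queries expect, so the KQL can be regenerated from the feed rather than edited by hand. The log line formats, hostnames and user names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the three SmartApeSG IOCs listed above, kept in the
# defanged form ThreatFox publishes them in.
IOCS = [
    {"type": "url", "value": "hxxps://shadowcompass.top/public/acl-partial"},
    {"type": "domain", "value": "shadowcompass.top"},
    {"type": "url", "value": "hxxps://shadowcompass.top/public/token-json.js"},
]

# Constructed sample telemetry: "<timestamp> <host> <query name> <type>" for DNS
# and "<timestamp> <user> <url>" for proxy/click data. Not real log data.
SAMPLE_DNS = [
    "2026-06-05T10:01:02Z host01 shadowcompass.top A",
    "2026-06-05T10:01:05Z host02 cdn.shadowcompass.top A",
    "2026-06-05T10:02:00Z host03 shadowcompass.topmail.example A",
    "2026-06-05T10:03:00Z host04 login.microsoftonline.com A",
]
SAMPLE_URLS = [
    "2026-06-05T10:01:03Z alice@example.com https://shadowcompass.top/public/acl-partial",
    "2026-06-05T10:01:06Z bob@example.com https://shadowcompass.top/public/token-json.js?v=2",
    "2026-06-05T10:04:00Z carol@example.com https://example.com/public/acl-partial",
]


def refang(value: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> .) so IOCs compare
    against the values that actually appear in log fields."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_watchlists(iocs):
    """Return (domains, urls). Hosts extracted from URL IOCs are added to the
    domain list so DNS telemetry catches the infrastructure even when the
    exact path is never requested."""
    domains, urls = set(), set()
    for ioc in iocs:
        value = refang(ioc["value"]).lower()
        if ioc["type"] == "domain":
            domains.add(value.rstrip("."))
        elif ioc["type"] == "url":
            urls.add(value.rstrip("/"))
            host = urlsplit(value).hostname
            if host:
                domains.add(host)
    return domains, urls


def domain_matches(query_name, domains):
    """Exact or subdomain match; 'shadowcompass.topmail.example' must NOT match."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url, urls):
    """Match the URL with or without its query string; trailing slash ignored."""
    u = url.lower().rstrip("/")
    return u in urls or u.split("?", 1)[0].rstrip("/") in urls


def hunt_dns(lines, domains):
    """Return (timestamp, host, query) for each DNS line hitting the watchlist."""
    hits = []
    for line in lines:
        ts, host, qname, _qtype = line.split()
        if domain_matches(qname, domains):
            hits.append((ts, host, qname))
    return hits


def hunt_urls(lines, urls):
    """Return (timestamp, user, url) for each proxy line hitting the watchlist."""
    hits = []
    for line in lines:
        ts, user, url = line.split()
        if url_matches(url, urls):
            hits.append((ts, user, url))
    return hits


def kql_dynamic_list(values):
    """Render a watchlist as the dynamic([...]) literal used in the KQL queries."""
    return "dynamic([" + ", ".join('"%s"' % v for v in sorted(values)) + "])"


if __name__ == "__main__":
    domains, urls = build_watchlists(IOCS)
    print("let malicious_domains = %s;" % kql_dynamic_list(domains))
    print("let malicious_urls = %s;" % kql_dynamic_list(urls))
    for hit in hunt_dns(SAMPLE_DNS, domains) + hunt_urls(SAMPLE_URLS, urls):
        print("HIT", *hit)
```

Running it flags `host01` and `host02` (exact and subdomain hits) but not `host03`, whose name merely starts with the IOC string, and flags both real URL requests including the one carrying a `?v=2` query string. Adding the URL hosts to the domain list is a deliberate choice: a DNS query for `shadowcompass.top` is a useful signal on its own even if the `UrlClickEvents` connector is not enabled.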
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using smartape command for system monitoring | Exclude processes where the command line includes smartape and is part of a known system monitoring tool (e.g., smartape used by a legitimate monitoring solution like Zabbix or Nagios). |
| Admin task to update SmartApeSG configuration files | Exclude file access events where the file path contains SmartApeSG/config and the user is a system administrator with elevated privileges. |
| Legitimate use of SmartApeSG for log aggregation in a hybrid cloud environment | Exclude network connections to SmartApeSG endpoints that are part of a known cloud infrastructure (e.g., AWS or Azure services) and are associated with log aggregation tools like ELK Stack or Splunk. |
| False positive from a third-party tool that uses SmartApeSG as a dependency | Exclude processes where the parent process is a known third-party tool (e.g., Docker, Kubernetes, or Ansible) and the SmartApeSG usage is part of a legitimate dependency chain. |
| Legitimate use of SmartApeSG for internal data synchronization between servers | Exclude network traffic between internal servers where the source and destination IPs are within the organization's private network and the traffic is part of a known internal synchronization process. |