The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary

- Malware Family: SmartApeSG
- Total IOCs: 4
- IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://jadepassagehub.top/rate/metrics-json.js | payload_delivery | 2026-06-15 | 100% |
| domain | jadepassagehub.top | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://jadepassagehub.top/rate/legacy-fetch | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://jadepassagehub.top/rate/reset-dom.js | payload_delivery | 2026-06-15 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["jadepassagehub.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://jadepassagehub.top/rate/metrics-json.js", "https://jadepassagehub.top/rate/legacy-fetch", "https://jadepassagehub.top/rate/reset-dom.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
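The IOC table above is defanged (`hxxps://`), while the hunt queries need live values, and the three URL IOCs all share one host, so a new path on `jadepassagehub.top` would slip past an exact-URL match but still be caught by the domain list. The following script is an added example (not ThreatFox's or the rule's own code) that refangs the listed IOCs, folds every URL's host into the domain set, renders the `dynamic([...])` literals used by the queries, and runs the same match logic offline over constructed sample events. The `refang`, `build_indicator_sets`, `match_dns` and `match_url` names are this example's own.

```python
"""Refang the SmartApeSG IOCs listed above, derive the host list, emit the
KQL dynamic() literals for the hunt queries, and replay the match logic
offline over constructed sample DNS/URL events."""
import re
from typing import Optional
from urllib.parse import urlsplit

# IOCs exactly as the table above lists them (defanged with hxxps).
DEFANGED_IOCS = [
    ("url", "hxxps://jadepassagehub.top/rate/metrics-json.js"),
    ("domain", "jadepassagehub.top"),
    ("url", "hxxps://jadepassagehub.top/rate/legacy-fetch"),
    ("url", "hxxps://jadepassagehub.top/rate/reset-dom.js"),
]


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp(s), [.], (.), [:]//."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]//", "://")


def build_indicator_sets(iocs):
    """Return (domains, urls); every URL's host is folded into domains so a
    new path on the same host still produces a DNS/domain hit."""
    domains, urls = set(), set()
    for kind, raw in iocs:
        value = refang(raw).lower()
        if kind == "url":
            urls.add(value)
            host = urlsplit(value).hostname
            if host:
                domains.add(host)
        elif kind == "domain":
            domains.add(value)
    return sorted(domains), sorted(urls)


def to_kql_dynamic(values) -> str:
    """Render a list of strings as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join('"%s"' % v for v in values) + "])"


def match_dns(query_name: str, domains) -> bool:
    """Hit on the indicator domain itself or any subdomain of it; a lookalike
    such as notjadepassagehub.top or jadepassagehub.top.example.com is not a hit."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def match_url(url: str, domains, urls) -> Optional[str]:
    """Classify a requested URL: 'url' for an exact IOC, 'domain' when only
    the host matches (e.g. a new path on the same payload host), else None."""
    u = refang(url).lower()
    if u in urls:
        return "url"
    host = urlsplit(u).hostname or ""
    return "domain" if match_dns(host, domains) else None


if __name__ == "__main__":
    domains, urls = build_indicator_sets(DEFANGED_IOCS)
    print("let malicious_domains = %s;" % to_kql_dynamic(domains))
    print("let malicious_urls = %s;" % to_kql_dynamic(urls))

    # Constructed sample events, not real telemetry.
    sample_dns = ["cdn.jadepassagehub.top.", "jadepassagehub.top.example.com", "update.example.com"]
    sample_urls = [
        "https://jadepassagehub.top/rate/legacy-fetch",     # exact IOC
        "https://jadepassagehub.top/rate/new-payload.js",   # same host, unlisted path
        "https://example.com/rate/legacy-fetch",            # same path, unrelated host
    ]
    for name in sample_dns:
        print("dns  %-40s %s" % (name, "HIT" if match_dns(name, domains) else "-"))
    for u in sample_urls:
        print("url  %-50s %s" % (u, match_url(u, domains, urls) or "-"))
```

The generated `let` lines can be pasted straight into the queries above; the domain-level classification is the one to alert on when the URL list goes stale, since the operator only has to rotate file names to defeat an exact-URL match.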
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\Tasks\maintenance.ps1).
Filter/Exclusion: `process.name != "powershell.exe" OR file.path != "C:\Windows\System32\Tasks\*"`

Scenario: Admin Performing Log Collection via PowerShell
Description: An administrator uses PowerShell to collect logs from remote servers, which may include commands or paths resembling malicious activity.
Filter/Exclusion: `(user.name == "admin" AND process.name != "powershell.exe") OR process.arguments NOT LIKE "*-File*"`

Scenario: Legitimate Software Installation via Group Policy
Description: A Group Policy Object (GPO) deploys a legitimate application that includes a script or executable matching the IOC.
Filter/Exclusion: `process.parent_process_name == "gpupdate.exe" OR file.path LIKE "%SoftwareDeployment%"`

Scenario: Database Backup Job Using SQLCMD
Description: A database backup job uses sqlcmd to execute a script that includes command-line arguments matching the IOC.
Filter/Exclusion: `process.name == "sqlcmd.exe" OR process.arguments LIKE "%-S%"`

Scenario: Security Tool Performing Threat Intelligence Lookup
Description: A security tool like CrowdStrike or SentinelOne performs a threat intelligence lookup using the SmartApeSG IOC as part of its analysis.
Filter/Exclusion: `process.name IN ("crowdstrike.exe", "sentinelone.exe") OR process.parent_process_name == "threatintel.exe"`
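Of the scenarios above, the threat-intelligence-lookup case is the one most likely to fire against DNS and URL indicators like these: a sandbox or TI enrichment host resolving the domain on purpose. The script below is an added example (not part of the rule or of any vendor's code) of applying such an exclusion to hunt hits as a conjunction of conditions, so that a hit is suppressed only when the host, account and process all match, and the same service account seen on an ordinary workstation still surfaces. The hit records, the `sec-scanner*` host name, the `svc_ti` account and the `tiresolver.exe` process are all constructed for the example.

```python
"""Apply a false-positive exclusion to IOC hunt hits. Each exclusion is a
set of field patterns that must ALL match (AND) for a hit to be suppressed;
suppressed hits are kept with the reason so tuning stays auditable."""
from fnmatch import fnmatch

# Constructed hits shaped like the DNS/URL hunt output above, with the
# initiating process added (DeviceNetworkEvents-style enrichment). Not real telemetry.
SAMPLE_HITS = [
    {"Computer": "ws01", "Account": "jdoe", "Process": "chrome.exe",
     "Indicator": "jadepassagehub.top"},
    {"Computer": "sec-scanner01", "Account": "svc_ti", "Process": "tiresolver.exe",
     "Indicator": "jadepassagehub.top"},
    {"Computer": "ws02", "Account": "svc_ti", "Process": "powershell.exe",
     "Indicator": "https://jadepassagehub.top/rate/legacy-fetch"},
]

# Hypothetical exclusion for the "security tool performing a threat
# intelligence lookup" scenario. Patterns use shell-style wildcards.
EXCLUSIONS = [
    {
        "name": "TI lookup from enrichment host",
        "when": {"Computer": "sec-scanner*", "Account": "svc_ti", "Process": "tiresolver.exe"},
    },
]


def exclusion_matches(hit: dict, when: dict) -> bool:
    """True only when every field pattern in `when` matches the hit (case-insensitive)."""
    return all(fnmatch(str(hit.get(field, "")).lower(), pattern.lower())
               for field, pattern in when.items())


def apply_exclusions(hits, exclusions):
    """Split hits into (kept, suppressed); each suppressed hit records the exclusion name."""
    kept, suppressed = [], []
    for hit in hits:
        reason = next((e["name"] for e in exclusions if exclusion_matches(hit, e["when"])), None)
        if reason:
            suppressed.append({**hit, "SuppressedBy": reason})
        else:
            kept.append(hit)
    return kept, suppressed


def exclusion_is_narrow(exclusion: dict, min_conditions: int = 2) -> bool:
    """Tuning check: an exclusion keyed on a single field (e.g. only a process
    name) would hide any hit from that process, so require at least two conditions."""
    return len(exclusion["when"]) >= min_conditions


if __name__ == "__main__":
    for e in EXCLUSIONS:
        print("exclusion %-35s narrow=%s" % (e["name"], exclusion_is_narrow(e)))
    kept, suppressed = apply_exclusions(SAMPLE_HITS, EXCLUSIONS)
    for h in kept:
        print("ALERT    %(Computer)-14s %(Account)-8s %(Process)-15s %(Indicator)s" % h)
    for h in suppressed:
        print("SUPPRESS %(Computer)-14s %(Account)-8s %(Process)-15s (%(SuppressedBy)s)" % h)
```

Run as a script it prints two alerts and one suppression; the `svc_ti` hit from `ws02` is retained because only the account matches, which is the behaviour to preserve when translating these exclusions into a Sentinel analytics rule.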