The ThreatFox: AMOS IOCs rule detects potential adversary activity linked to the AMOS threat group, leveraging known indicators of compromise to identify malicious behavior in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be leveraging these IOCs to establish persistence or exfiltrate data.
IOC Summary

Malware Family: AMOS
Total IOCs: 7
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://pewweepor092.com/gate/ledger-asar | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate/atomic-asar | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate/exodus-asar | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate/ledgerlive-asar | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate | botnet_cc | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate/trezor-asar | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/gate/chunk | botnet_cc | 2026-04-18 | 90% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - AMOS
let malicious_urls = dynamic([
    "https://pewweepor092.com/gate/ledger-asar",
    "https://pewweepor092.com/gate/atomic-asar",
    "https://pewweepor092.com/gate/exodus-asar",
    "https://pewweepor092.com/gate/ledgerlive-asar",
    "https://pewweepor092.com/gate",
    "https://pewweepor092.com/gate/trezor-asar",
    "https://pewweepor092.com/gate/chunk"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
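The hunt above compares the clicked URL against the refanged indicators as literal strings. As an added example that is not part of the original rule page, the following Python script refangs the ThreatFox table entries (hxxps:// to https://) and matches them against constructed UrlClickEvents-shaped records on normalized host and path, so that case differences, a trailing slash or an appended query string do not hide a hit; the sample records and account names are constructed, not real telemetry.

```python
"""Refang ThreatFox-style IOCs and match them against URL-click records."""
from urllib.parse import urlsplit

# The seven indicators as published in the table above, still defanged.
DEFANGED_IOCS = [
    "hxxps://pewweepor092.com/gate/ledger-asar",
    "hxxps://pewweepor092.com/gate/atomic-asar",
    "hxxps://pewweepor092.com/gate/exodus-asar",
    "hxxps://pewweepor092.com/gate/ledgerlive-asar",
    "hxxps://pewweepor092.com/gate",
    "hxxps://pewweepor092.com/gate/trezor-asar",
    "hxxps://pewweepor092.com/gate/chunk",
]

def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def normalize(url: str) -> tuple[str, str]:
    """Reduce a URL to (host, path) so scheme, host case, query string and a
    trailing slash do not defeat the comparison."""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path

INDICATORS = {normalize(i) for i in DEFANGED_IOCS}

def match_records(records: list[dict]) -> list[dict]:
    """Return the records whose Url matches an indicator, tagged with the match."""
    hits = []
    for rec in records:
        host, path = normalize(rec["Url"])
        if (host, path) in INDICATORS:
            hits.append({**rec, "Matched": host + path})
    return hits

# Constructed sample records shaped like UrlClickEvents rows (not real telemetry).
SAMPLE_RECORDS = [
    {"Timestamp": "2026-04-18T10:01:00Z", "AccountUpn": "user1@example.com",
     "Url": "HTTPS://PEWWEEPOR092.COM/gate/", "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-04-18T10:02:00Z", "AccountUpn": "user2@example.com",
     "Url": "https://pewweepor092.com/gate/chunk?id=7", "ActionType": "ClickBlocked"},
    {"Timestamp": "2026-04-18T10:03:00Z", "AccountUpn": "user3@example.com",
     "Url": "https://example.com/gate/chunk", "ActionType": "ClickAllowed"},
]

if __name__ == "__main__":
    for hit in match_records(SAMPLE_RECORDS):
        print(hit["Timestamp"], hit["AccountUpn"], hit["Url"], "->", hit["Matched"])
```

The third sample record shares the /gate/chunk path on an unrelated host and is correctly not reported, because the match is keyed on host and path together.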
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule due to the use of similar IOCs (e.g., network connections or file paths).
Filter/Exclusion: process.name != "veeambackup" OR process.parent.name != "veeambackup" OR file.path != "C:\\Program Files\\Veeam\\"
Scenario: Windows Task Scheduler Running Admin Tasks
Description: A legitimate Windows Task Scheduler job that performs routine administrative tasks (e.g., log cleanup, service restarts) may match the detection logic if it uses similar command-line arguments or file paths.
Filter/Exclusion: process.name != "schtasks.exe" OR process.parent.name != "services.exe" OR file.path != "C:\\Windows\\System32\\"
Scenario: Microsoft SQL Server Agent Job Execution
Description: A SQL Server Agent job that runs maintenance tasks (e.g., index rebuilds, backups) may trigger the rule if it uses similar network IOCs or file paths.
Filter/Exclusion: process.name != "sqlagent.exe" OR process.parent.name != "sqlservr.exe" OR file.path != "C:\\Program Files\\Microsoft SQL Server\\"
Scenario: PowerShell Script for System Monitoring Using PerfMon
Description: A PowerShell script that uses Performance Monitor (PerfMon) to collect system metrics may trigger the rule due to the use of similar command-line arguments or file paths.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "explorer.exe" OR file.path != "C:\\Windows\\System32\\WindowsPowerShell\\"
Scenario: Docker Container Management via Docker