The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which could signal the presence of novel or zero-day threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate emerging threats before they cause widespread damage.
IOC Summary

- Malware Family: Unknown malware
- Total IOCs: 100
- IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://discord-verification.pro | payload_delivery | 2026-05-04 | 100% |
| domain | discord-verification.pro | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://elevatewiseai.com | payload_delivery | 2026-05-04 | 100% |
| domain | elevatewiseai.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://elevatenextai.com | payload_delivery | 2026-05-04 | 100% |
| domain | elevatenextai.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://elevateaiworld.com | payload_delivery | 2026-05-04 | 100% |
| domain | elevateaiworld.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://elevateaijourney.com | payload_delivery | 2026-05-04 | 100% |
| domain | elevateaijourney.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://egepenankara.com | payload_delivery | 2026-05-04 | 100% |
| domain | egepenankara.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxp://download.perlesimmo.com | payload_delivery | 2026-05-04 | 100% |
| domain | download.perlesimmo.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://mpolinkalternatif.com | payload_delivery | 2026-05-04 | 100% |
| domain | mpolinkalternatif.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://klik-adzkia.com | payload_delivery | 2026-05-04 | 100% |
| domain | klik-adzkia.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://darkwolfapp.com | payload_delivery | 2026-05-04 | 100% |
| domain | darkwolfapp.com | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://cupangbiru007.xyz | payload_delivery | 2026-05-04 | 100% |
| domain | cupangbiru007.xyz | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://criptomaker.com.br | payload_delivery | 2026-05-04 | 100% |
| domain | criptomaker.com.br | payload_delivery | 2026-05-04 | 100% |
| url | hxxps://medikalmasoz.com | payload_delivery | 2026-05-04 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["discord-verification.pro", "elevatewiseai.com", "elevatenextai.com", "elevateaiworld.com", "elevateaijourney.com", "egepenankara.com", "download.perlesimmo.com", "mpolinkalternatif.com", "klik-adzkia.com", "darkwolfapp.com", "cupangbiru007.xyz", "criptomaker.com.br", "medikalmasoz.com", "usprediksi.com", "thehorrorvault.net", "teqwisefiji.com", "rizziaja.my.id", "resumodamoda.com", "krishnabiketech.in", "quotesgenerator.co", "fiveminuteschess.com", "club21ids.org", "beritaslotonline.com", "unikasegurancahumanizada.com.br", "tscrpos.xyz", "sawitgokil.com", "jacksonmemorial.net", "iiiemjobs.com", "financiallywellorganised.com", "empowermentleaders.com", "antlermotel.com.au", "ikebanamaldives.com", "cosconbd.com", "com.allteam-2.site", "cocomaya.com.bd", "clubinho.assessoriasalus.com.br", "club21idsofficial.com", "club21ids.space", "club21ids.online", "club21ids.co", "cloudflare-resolve-to.rossehijos.cl", "cloud01.bettafishstore.com", "clientesvpn.egbrewview.com", "ck-report.online", "ciruestetica.com", "busslercreate.com", "busslercraft.com", "busslerconsultancy.com", "busslercollective.com", "busslerbrand.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://discord-verification.pro", "https://elevatewiseai.com", "https://elevatenextai.com", "https://elevateaiworld.com", "https://elevateaijourney.com", "https://egepenankara.com", "http://download.perlesimmo.com", "https://mpolinkalternatif.com", "https://klik-adzkia.com", "https://darkwolfapp.com", "https://cupangbiru007.xyz", "https://criptomaker.com.br", "https://medikalmasoz.com", "https://usprediksi.com", "https://thehorrorvault.net", "https://teqwisefiji.com", "https://rizziaja.my.id", "https://resumodamoda.com", "https://krishnabiketech.in", "https://quotesgenerator.co", "https://fiveminuteschess.com", "https://club21ids.org", "https://beritaslotonline.com", "https://unikasegurancahumanizada.com.br", "https://tscrpos.xyz", "https://sawitgokil.com", "https://jacksonmemorial.net", "https://iiiemjobs.com", "https://financiallywellorganised.com", "https://empowermentleaders.com"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
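As an added example (not part of the ThreatFox page or its Sentinel rule), the following Python refangs the table's `hxxp`-defanged indicators, emits the KQL `let ... = dynamic([...]);` list the queries above start with, and runs an offline counterpart of the DnsEvents hunt over constructed records using exact-or-subdomain matching. The table rows and DNS records are constructed samples.

```python
import re

# Constructed sample rows in the page's IOC table layout (values defanged as published).
SAMPLE_TABLE = """
| url | hxxps://discord-verification.pro | payload_delivery | 2026-05-04 | 100% |
| domain | discord-verification.pro | payload_delivery | 2026-05-04 | 100% |
| url | hxxp://download.perlesimmo.com | payload_delivery | 2026-05-04 | 100% |
| domain | download.perlesimmo.com | payload_delivery | 2026-05-04 | 100% |
| domain | download.perlesimmo.com | payload_delivery | 2026-05-04 | 100% |
"""
ROW = re.compile(r"^\|\s*(url|domain)\s*\|\s*(\S+)\s*\|")

def refang(value: str) -> str:
    """Undo the hxxp:// and [.] defanging used in published IOC lists."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")

def parse_iocs(table: str) -> dict:
    """Return {'domain': [...], 'url': [...]} refanged, deduplicated, in table order."""
    out = {"domain": [], "url": []}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind, value = m.group(1), refang(m.group(2))
            if value not in out[kind]:
                out[kind].append(value)
    return out

def kql_let(name: str, values: list) -> str:
    """Emit the KQL 'let <name> = dynamic([...]);' line the hunting queries start with."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def domain_matches(query_name: str, iocs: list) -> bool:
    """True when the DNS query name equals an IOC or is a subdomain of one.
    A suffix test (not a substring test) keeps 'notdiscord-verification.pro' out."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)

def hunt_dns(records: list, iocs: list) -> list:
    """Offline counterpart of the DnsEvents query: records whose Name hits the list."""
    return [r for r in records if domain_matches(r["Name"], iocs)]

# Constructed DnsEvents-style records (not real telemetry).
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "cdn.discord-verification.pro."},
    {"Computer": "ws02", "Name": "notdiscord-verification.pro"},
    {"Computer": "ws03", "Name": "download.perlesimmo.com"},
]
```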
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
  - Filter/Exclusion: Exclude IOCs related to internal IP ranges or domains used by the company’s update servers, e.g., ip.src == 10.0.0.0/8 or domain == internal-update.example.com.
- Scenario: A DevOps team is using Ansible to deploy configuration changes across multiple servers, which involves executing scripts that temporarily access external repositories.
  - Filter/Exclusion: Exclude IOCs associated with known Ansible control nodes or repositories used for infrastructure as code, e.g., domain == git.example.com or process.name == ansible.
- Scenario: A security analyst is performing a Windows Event Log analysis using PowerShell to query and export logs to a local file for forensic review.
  - Filter/Exclusion: Exclude IOCs related to PowerShell scripts executed by the security team, e.g., process.name == powershell.exe and process.user == security-team-user.
- Scenario: A database administrator is using SQL Server Management Studio (SSMS) to run a scheduled backup job that connects to a remote backup server.
  - Filter/Exclusion: Exclude IOCs related to the backup server’s IP address or domain, e.g., ip.dst == 192.168.1.100 or domain == backup.example.com.
- Scenario: A developer is using Git to push code changes to a remote repository, which involves temporary access to external Git services for pull requests or CI/CD pipelines.
  - Filter/Exclusion: Exclude IOCs related to the company’s Git hosting service, e.g., domain == gitlab.example.com or process.name == git.