The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 6 IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://kymli2ren.digital/script.sh | payload_delivery | 2026-04-21 | 100% |
| domain | kymli2ren.digital | payload_delivery | 2026-04-21 | 100% |
| domain | outlastmods.com | payload_delivery | 2026-04-21 | 100% |
| url | hxxps://nenadopapa.cfd/cf.js?v=2 | payload_delivery | 2026-04-21 | 75% |
| url | hxxps://nenadopapa.cfd/api/index.php?a=init | payload_delivery | 2026-04-21 | 75% |
| domain | blzaeagent.com | botnet_cc | 2026-04-21 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["kymli2ren.digital", "outlastmods.com", "blzaeagent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://kymli2ren.digital/script.sh", "https://nenadopapa.cfd/cf.js?v=2", "https://nenadopapa.cfd/api/index.php?a=init"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude IOCs that match known Microsoft update servers (e.g., download.microsoft.com, windowsupdate.microsoft.com).
Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a known benign IP address used for internal tooling.
Filter/Exclusion: Exclude IP addresses that are part of the internal network or whitelisted in the DevOps tooling configuration.
Scenario: A database administrator is using SQL Server Agent to run a job that connects to a remote database using a legitimate third-party tool like SQL Server Management Studio (SSMS).
Filter/Exclusion: Exclude connections to known internal databases or tools that are part of the enterprise database infrastructure.
Scenario: A security analyst is using Wireshark to analyze network traffic and is capturing packets from a legitimate endpoint that is communicating with a known threat intelligence server.
Filter/Exclusion: Exclude traffic originating from or destined for known threat intelligence platforms like ThreatFox or VirusTotal.
Scenario: A system administrator is using Windows Task Scheduler to run a script that queries a public threat intelligence API (e.g., AlienVault OTX) as part of a routine security check.
Filter/Exclusion: Exclude API calls to known threat intelligence services or endpoints used for legitimate security monitoring.