The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious artifacts that may indicate the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 12
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ns-server-jscdn.beer | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://prismlogic.cfd/ext[.]7386dce06075.js | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://prismlogic.cfd/ext-b.b83518636a91.js | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://prismlogic.cfd/t[.]188cfd3975db.js | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://prismlogic.cfd/t.js?site= | payload_delivery | 2026-04-20 | 100% |
| domain | prismlogic.cfd | payload_delivery | 2026-04-20 | 100% |
| domain | ts.bhaaratkeeshakti.vip | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://invite.clararise.xyz/Windows/ScreenConnect.ClientSetup.exe | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://invite.clararise.xyz/Windows/invite.php | payload_delivery | 2026-04-20 | 100% |
| domain | invite.clararise.xyz | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://lcstdnsns.beer/api/css.js | payload_delivery | 2026-04-20 | 100% |
| domain | lcstdnsns.beer | payload_delivery | 2026-04-20 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["ns-server-jscdn.beer", "prismlogic.cfd", "ts.bhaaratkeeshakti.vip", "invite.clararise.xyz", "lcstdnsns.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://prismlogic.cfd/ext.7386dce06075.js", "https://prismlogic.cfd/ext-b.b83518636a91.js", "https://prismlogic.cfd/t.188cfd3975db.js", "https://prismlogic.cfd/t.js?site=", "https://invite.clararise.xyz/Windows/ScreenConnect.ClientSetup.exe", "https://invite.clararise.xyz/Windows/invite.php", "https://lcstdnsns.beer/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
  Filter/Exclusion: Exclude all PowerShell scripts that originate from `https://download.microsoft.com` or use the `Invoke-WebRequest` cmdlet with Microsoft-signed certificates.
- Scenario: A database administrator is using SQL Server Agent to execute a backup job that writes to a network share.
  Filter/Exclusion: Exclude all file IOCs related to `\\server\backup\` or any path containing `SQLServerBackup`.
- Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that temporarily writes to a log file on a remote server.
  Filter/Exclusion: Exclude all file IOCs that match the pattern `*/var/log/ansible*` or are associated with Ansible playbook execution.
- Scenario: A system administrator is using Windows Task Scheduler to run a script that queries internal Active Directory for user information.
  Filter/Exclusion: Exclude all IOCs related to `adfs` or `ldap` protocols, or any file paths containing `ADSI` or `ActiveDirectory`.
- Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a forensic investigation.
  Filter/Exclusion: Exclude all network IOCs related to Wireshark or any process with the name `tshark.exe` or `wireshark.exe`.