The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, suggesting the presence of unknown malware in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 21 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]207[.]177[.]71:7443 | botnet_cc | 2026-06-24 | 75% |
| url | hxxps://doc.eagle-web-concept.fr/matin/rend | payload_delivery | 2026-06-24 | 75% |
| url | hxxps://www.campeggioletizialivigno.it/ | payload_delivery | 2026-06-24 | 90% |
| domain | topclouddefence.com | payload_delivery | 2026-06-24 | 100% |
| domain | gatekeepernet.com | payload_delivery | 2026-06-24 | 100% |
| domain | captchadefence.com | payload_delivery | 2026-06-24 | 100% |
| domain | personalprogrammupdater.com | payload_delivery | 2026-06-24 | 100% |
| url | hxxps://superboomer.world/ | payload_delivery | 2026-06-24 | 90% |
| url | hxxps://merkantalolol.asia/ | payload_delivery | 2026-06-24 | 90% |
| url | hxxps://centrodeinfusaocuritiba.com.br/connatural/shortsighted | payload_delivery | 2026-06-24 | 75% |
| url | hxxps://demo.alkhateeb.ae/yachted/sibling/ | payload_delivery | 2026-06-24 | 75% |
| ip:port | 45[.]131[.]214[.]241:34267 | botnet_cc | 2026-06-24 | 75% |
| url | hxxps://chsaleem.com/ | payload_delivery | 2026-06-24 | 90% |
| url | hxxps://priestsassembly.org/ | payload_delivery | 2026-06-24 | 90% |
| url | hxxps://bearsheartstudios.com/ | payload_delivery | 2026-06-24 | 90% |
| url | hxxps://thungracbinhduong.com/ | payload_delivery | 2026-06-24 | 90% |
| ip:port | 149[.]248[.]3[.]38:9960 | payload_delivery | 2026-06-24 | 75% |
| ip:port | 23[.]27[.]120[.]240:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 109[.]104[.]154[.]116:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 91[.]92[.]242[.]235:7443 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 102[.]117[.]173[.]226:7443 | botnet_cc | 2026-06-23 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["38.207.177.71", "102.117.173.226", "23.27.120.240", "91.92.242.235", "149.248.3.38", "109.104.154.116", "45.131.214.241"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["38.207.177.71", "102.117.173.226", "23.27.120.240", "91.92.242.235", "149.248.3.38", "109.104.154.116", "45.131.214.241"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["topclouddefence.com", "gatekeepernet.com", "captchadefence.com", "personalprogrammupdater.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://doc.eagle-web-concept.fr/matin/rend", "https://www.campeggioletizialivigno.it/", "https://superboomer.world/", "https://merkantalolol.asia/", "https://centrodeinfusaocuritiba.com.br/connatural/shortsighted", "https://demo.alkhateeb.ae/yachted/sibling/", "https://chsaleem.com/", "https://priestsassembly.org/", "https://bearsheartstudios.com/", "https://thungracbinhduong.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using wsusoffline or Windows Update
Filter/Exclusion: Exclude IOCs related to wsusoffline, wuapi, or Windows Update services during scheduled maintenance windows.
Scenario: Legitimate administrative task using PowerShell to generate temporary files
Filter/Exclusion: Exclude IOCs involving PowerShell scripts executed via schtasks or Task Scheduler with known administrative tools like PSExec or PSTools.
Scenario: Backup or synchronization process using rsync or robocopy
Filter/Exclusion: Exclude IOCs related to rsync, robocopy, or SyncToy during backup windows or scheduled sync jobs.
Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Exclude IOCs associated with Splunk, logstash, filebeat, or kibana processes used for log aggregation and monitoring.
Scenario: Security tool or SIEM integration like Microsoft Defender for Endpoint or CrowdStrike
Filter/Exclusion: Exclude IOCs related to Microsoft Defender, CrowdStrike Falcon, or SentinelOne during routine threat intelligence updates or signature database synchronization.