The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving an unknown loader, which may be used to execute malicious payloads or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | haoriskdk839ska.com | payload_delivery | 2026-06-13 | 100% |
| domain | hatksaks281ksa.com | payload_delivery | 2026-06-13 | 100% |
| domain | photo-27857.cfd | payload_delivery | 2026-06-13 | 100% |
| domain | photo-37857.cfd | payload_delivery | 2026-06-13 | 100% |
| domain | photo-47857.cfd | payload_delivery | 2026-06-13 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["haoriskdk839ska.com", "hatksaks281ksa.com", "photo-27857.cfd", "photo-37857.cfd", "photo-47857.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
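The hunting query above relies on `has_any` to match query names against the IOC list. As an added example that is not part of the original rule, the following Python performs the same check offline over constructed DnsEvents-style records, normalizing case and the trailing dot DNS logs often carry and matching subdomains only on a label boundary, so a look-alike name such as `notphoto-27857.cfd` does not produce a false hit.

```python
# Added example (not part of the original rule page): offline check of DNS
# query logs against the ThreatFox Unknown Loader domain IOCs listed above.
# Sample records are constructed; field names mirror the DnsEvents columns
# the hunting query projects (TimeGenerated, Computer, Name).
from typing import Dict, List, Optional

MALICIOUS_DOMAINS = {
    "haoriskdk839ska.com",
    "hatksaks281ksa.com",
    "photo-27857.cfd",
    "photo-37857.cfd",
    "photo-47857.cfd",
}

def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot DNS logs often carry."""
    return name.strip().rstrip(".").lower()

def match_ioc(query_name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that query_name equals or is a subdomain of, else None.
    Matching is on a label boundary: 'cdn.photo-27857.cfd' hits, 'notphoto-27857.cfd' does not.
    """
    name = normalize(query_name)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

# Constructed sample DnsEvents records, not real telemetry.
SAMPLE_DNS_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2026-06-13T10:01:00Z", "Computer": "WS01", "Name": "photo-27857.cfd."},
    {"TimeGenerated": "2026-06-13T10:02:00Z", "Computer": "WS02", "Name": "cdn.HAORISKDK839SKA.com"},
    {"TimeGenerated": "2026-06-13T10:03:00Z", "Computer": "WS03", "Name": "notphoto-27857.cfd"},
    {"TimeGenerated": "2026-06-13T10:04:00Z", "Computer": "WS04", "Name": "login.microsoftonline.com"},
]

def hunt(events, iocs=MALICIOUS_DOMAINS) -> List[Dict[str, str]]:
    """Return events whose Name hits an IOC, newest first, tagged with the IOC."""
    hits = []
    for ev in events:
        ioc = match_ioc(ev["Name"], iocs)
        if ioc:
            hits.append({**ev, "MatchedIOC": ioc})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)

if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```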
False Positive Scenarios
- Scenario: Scheduled system maintenance using `schtasks.exe` to run a legitimate cleanup script
  Filter/Exclusion: Check for CommandLine containing `schtasks.exe /create /tn "Cleanup" /tr "C:\Windows\System32\cleanmgr.exe" /sc daily /st 23`
- Scenario: Running a legitimate network discovery tool like nmap for internal network mapping
  Filter/Exclusion: Filter by ProcessName containing `nmap.exe` and check for DestinationIP within the internal subnet (e.g., 10.0.0.0/8)
- Scenario: Using PowerShell to automate administrative tasks such as user account management
  Filter/Exclusion: Filter by ProcessName containing `powershell.exe` and check for CommandLine containing `-Command` with known administrative scripts (e.g., `Get-ADUser`)
- Scenario: Executing a legitimate backup job using Veeam Backup & Replication
  Filter/Exclusion: Check for ProcessName containing `veeam.exe` and verify CommandLine includes backup-related parameters (e.g., `--backup`)
- Scenario: Running a security tool like Malwarebytes for scheduled scans
  Filter/Exclusion: Filter by ProcessName containing `mbam.exe` or `mbamsw.exe` and check for CommandLine indicating a scheduled scan task (e.g., `--scan`)