The ThreatFox: Unknown Loader IOCs rule matches DNS queries and URL clicks against indicators that ThreatFox attributes to an unattributed loader. A loader is a first-stage component whose job is to fetch and execute a follow-on payload while staying below the radar of signature-based controls, so a hit on one of these indicators is an early-stage signal rather than the end of an intrusion. SOC teams should hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) and treat any match as a host to triage for the second stage.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 25 (1 domain, 24 URLs)
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | spadedevelopment.info | botnet_cc | 2026-04-20 | 100% |
| url | hxxps://6p1anuri2[.]6xkmet.cc/DklzrHrb2m043ko5d87o85dt6/ldtkqtglibsfudt | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://htijv[.]66uc4x.cc/D6omfH97p50pldw5lf158ug81/dbqobfyasmyhnpfbvm | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://pdmh48ixc[.]6oxj9t.cc/D49wjHdt530afog5sebu8chz7/uuaeljxnxqxd | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://4qztty[.]66uc4x.cc/D6bfqH2bso0o71854a2v8hsyd/fpeixmdqwpipvcrhkha | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://gzcawbchv[.]6i8htz.cc/Dyag6H52kn0jiyd56rm38jh3w/fphpxarswycspg | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://j7m5m4k[.]627x9a.cc/DjripHf63d095on5i3rb8vr3p/xfxmyhapjjabpnvd | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://3jkqc5j[.]69mcg8.cc/D2l9tH2y6e0udga5q19m89thu/gfnqvlbndlmbmhjcex | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://70csneb2[.]6bqbxr.cc/Da7u8Halrm0emvf5p2rb8vpj4/fjvoqwttejoxdgjksbd | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://i6k[.]6p2s8s.cc/D4nh6Hzxug0uvec5u4py8kit6/ehenfxlyvhuj | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://bwib[.]6cvjua.cc/Due43Hs6z50r5su5jf1t88e9b/vtlqavffvirkh | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://rqharrrm[.]6np5ya.cc/DvbkeHjsj307qwg5odb48qjzp/cenmhueskkouuux | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://rlii7whf[.]6ifhpj.cc/DrhksHggnu0o1xk54djf8qek8/wcqdmexhavnic | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://ihsh[.]6w9ryj.cc/Dtv7xHxz420gwla55xrv879jp/uchuiivtytrwsvnva | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://7axdz[.]6xkmet.cc/DzkyiHs58r0ok8f5wod58ppaw/dojjndefphyampydabp | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://8g7ggpsha[.]6i8htz.cc/Dy186Hlvhp021jk5krre8jqf3/esynmlvsoxsbq | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://xuu4nhf[.]6ifhpj.cc/DfhawHfirf0gun75s2ix8t7me/nmochieyhcgdoweg | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://daxiwbq[.]6np5ya.cc/Dfyj3He9i30dnf65fkc68ism3/pxycsirihirh | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://8h0o58b[.]6i2inr.cc/DhjvzHaff60clgv5viop8dryi/xjlsmekcqgdrni | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://ub0io4[.]6hayo1.cc/DzovgHmxyw03d1j5d3498wov7/vhadqagyqndxv | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://h34l[.]627x9a.cc/Dyno6Hwdnx0fdz15y4d283x5c/wyaitrrgxlrddrgw | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://nq82x0a[.]69mcg8.cc/Daid9H57z60z6lm5ajkp83cjq/swknnpwogege | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://4e7[.]6vxere.cc/DitmyHwkoq0cauv5qx8l8kike/vjeuyfynrts | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://3dty0o[.]6c8v35.cc/DwatoH1fih0rpng5xaf68vzeg/dvmoeiohmnbxvkpqj | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://bbbge[.]imjckeee.com/ffapk/2bl6eu | payload_delivery | 2026-04-20 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["spadedevelopment.info"]);
DnsEvents
| where SubType == "LookupQuery"          // client lookups only; skip dynamic-registration records
| where Name has_any (malicious_domains)  // term match also catches subdomains of the indicator
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Loader
let malicious_urls = dynamic([
    "https://6p1anuri2.6xkmet.cc/DklzrHrb2m043ko5d87o85dt6/ldtkqtglibsfudt",
    "https://htijv.66uc4x.cc/D6omfH97p50pldw5lf158ug81/dbqobfyasmyhnpfbvm",
    "https://pdmh48ixc.6oxj9t.cc/D49wjHdt530afog5sebu8chz7/uuaeljxnxqxd",
    "https://4qztty.66uc4x.cc/D6bfqH2bso0o71854a2v8hsyd/fpeixmdqwpipvcrhkha",
    "https://gzcawbchv.6i8htz.cc/Dyag6H52kn0jiyd56rm38jh3w/fphpxarswycspg",
    "https://j7m5m4k.627x9a.cc/DjripHf63d095on5i3rb8vr3p/xfxmyhapjjabpnvd",
    "https://3jkqc5j.69mcg8.cc/D2l9tH2y6e0udga5q19m89thu/gfnqvlbndlmbmhjcex",
    "https://70csneb2.6bqbxr.cc/Da7u8Halrm0emvf5p2rb8vpj4/fjvoqwttejoxdgjksbd",
    "https://i6k.6p2s8s.cc/D4nh6Hzxug0uvec5u4py8kit6/ehenfxlyvhuj",
    "https://bwib.6cvjua.cc/Due43Hs6z50r5su5jf1t88e9b/vtlqavffvirkh",
    "https://rqharrrm.6np5ya.cc/DvbkeHjsj307qwg5odb48qjzp/cenmhueskkouuux",
    "https://rlii7whf.6ifhpj.cc/DrhksHggnu0o1xk54djf8qek8/wcqdmexhavnic",
    "https://ihsh.6w9ryj.cc/Dtv7xHxz420gwla55xrv879jp/uchuiivtytrwsvnva",
    "https://7axdz.6xkmet.cc/DzkyiHs58r0ok8f5wod58ppaw/dojjndefphyampydabp",
    "https://8g7ggpsha.6i8htz.cc/Dy186Hlvhp021jk5krre8jqf3/esynmlvsoxsbq",
    "https://xuu4nhf.6ifhpj.cc/DfhawHfirf0gun75s2ix8t7me/nmochieyhcgdoweg",
    "https://daxiwbq.6np5ya.cc/Dfyj3He9i30dnf65fkc68ism3/pxycsirihirh",
    "https://8h0o58b.6i2inr.cc/DhjvzHaff60clgv5viop8dryi/xjlsmekcqgdrni",
    "https://ub0io4.6hayo1.cc/DzovgHmxyw03d1j5d3498wov7/vhadqagyqndxv",
    "https://h34l.627x9a.cc/Dyno6Hwdnx0fdz15y4d283x5c/wyaitrrgxlrddrgw",
    "https://nq82x0a.69mcg8.cc/Daid9H57z60z6lm5ajkp83cjq/swknnpwogege",
    "https://4e7.6vxere.cc/DitmyHwkoq0cauv5qx8l8kike/vjeuyfynrts",
    "https://3dty0o.6c8v35.cc/DwatoH1fih0rpng5xaf68vzeg/dvmoeiohmnbxvkpqj",
    "https://bbbge.imjckeee.com/ffapk/2bl6eu"
]);
// The indicator is the full URL, so compare it exactly (case-insensitive) rather than
// with has_any, whose term tokenisation is not designed for strings full of '/' and '.'.
// UrlClickEvents only records Safe Links clicks from Defender for Office 365; run the
// same list against proxy or firewall URL logs to cover downloads that did not start in mail.
UrlClickEvents
| where Url in~ (malicious_urls)
| project Timestamp, AccountUpn, IPAddress, Url, UrlChain, ActionType, IsClickedThrough
| order by Timestamp desc
```
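The two queries above match on the exact FQDN and the exact URL. The IOC table shows the same apex domains reused under different throwaway subdomains (6xkmet.cc, 66uc4x.cc, 6i8htz.cc, 627x9a.cc, 69mcg8.cc, 6np5ya.cc and 6ifhpj.cc each appear twice), so a practitioner usually also wants a looser apex-domain match that survives the next subdomain rotation, at the cost of some extra triage. The Python below is an added example, not part of the ThreatFox rule or the Sentinel content: it refangs four of the published indicators, matches constructed DNS and proxy log lines at three levels (exact URL, FQDN, apex domain), and renders the host list as the KQL dynamic literal the queries use. The log line format, client IPs, timestamps and the non-IOC hostnames are constructed; apex_of assumes single-label public suffixes, which holds for the .cc, .info and .com indicators here but not for co.uk-style suffixes.

```python
"""Refang ThreatFox-style indicators and match them against DNS and proxy log lines
at three levels: exact URL, FQDN, and apex (registrable) domain.

Added example; not part of the ThreatFox rule or the Sentinel queries above.
Log line formats, client IPs, timestamps and non-IOC hostnames are constructed.
"""
import re
from urllib.parse import urlsplit

# Four of the 25 indicators from the table above, kept defanged exactly as published.
IOCS = [
    ("domain", "spadedevelopment.info"),
    ("url", "hxxps://6p1anuri2[.]6xkmet.cc/DklzrHrb2m043ko5d87o85dt6/ldtkqtglibsfudt"),
    ("url", "hxxps://7axdz[.]6xkmet.cc/DzkyiHs58r0ok8f5wod58ppaw/dojjndefphyampydabp"),
    ("url", "hxxps://bbbge[.]imjckeee.com/ffapk/2bl6eu"),
]

# Constructed sample logs: "timestamp,client_ip,query_name" and "timestamp,client_ip,url".
DNS_LOG = [
    "2026-04-21T08:01:02Z,10.1.2.3,spadedevelopment.info",      # exact FQDN hit
    "2026-04-21T08:02:10Z,10.1.2.4,zz9q1.6xkmet.cc",            # new subdomain of a known apex
    "2026-04-21T08:03:11Z,10.1.2.5,login.microsoftonline.com",  # benign
]
PROXY_LOG = [
    "2026-04-21T08:04:00Z,10.1.2.6,https://7axdz.6xkmet.cc/DzkyiHs58r0ok8f5wod58ppaw/dojjndefphyampydabp",  # exact URL hit
    "2026-04-21T08:05:00Z,10.1.2.7,https://bbbge.imjckeee.com/ffapk/other",  # same host, different path
]


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.], (.), [:]) so the value compares against real logs."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def fqdn_of(value: str) -> str:
    """Lower-cased host of a URL, or the bare domain itself."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")


def apex_of(fqdn: str) -> str:
    """Registrable domain. Assumes a single-label public suffix (true for .cc, .info and .com
    here); use a public-suffix list in production to handle co.uk-style suffixes."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def build_matcher(iocs):
    """Index indicators by exact URL, FQDN and apex domain."""
    urls, fqdns, apexes = set(), set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        host = fqdn_of(value)
        fqdns.add(host)
        apexes.add(apex_of(host))
        if kind == "url":
            urls.add(value.lower())
    return urls, fqdns, apexes


def classify(host, url, urls, fqdns, apexes):
    """Strongest match for one event: 'url', 'fqdn', 'apex' or None."""
    if url and url.lower() in urls:
        return "url"
    h = (host or fqdn_of(url)).lower()
    if h in fqdns:
        return "fqdn"
    if apex_of(h) in apexes:
        return "apex"  # weaker signal: known apex under a different (rotated) subdomain
    return None


def hunt(dns_lines, proxy_lines, iocs=IOCS):
    """Return (timestamp, client, observable, match_level) for every matching event."""
    urls, fqdns, apexes = build_matcher(iocs)
    hits = []
    for line in dns_lines:
        ts, client, qname = line.split(",")
        level = classify(qname, None, urls, fqdns, apexes)
        if level:
            hits.append((ts, client, qname, level))
    for line in proxy_lines:
        ts, client, url = line.split(",", 2)
        level = classify(None, url, urls, fqdns, apexes)
        if level:
            hits.append((ts, client, url, level))
    return hits


def kql_dynamic(values) -> str:
    """Render a collection as the KQL dynamic([...]) literal used by the Sentinel queries."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


if __name__ == "__main__":
    for hit in hunt(DNS_LOG, PROXY_LOG):
        print(*hit)
    _, hosts, _ = build_matcher(IOCS)
    print("let malicious_hosts = " + kql_dynamic(hosts) + ";")
```

On the constructed input the script reports four hits: the exact domain lookup, a never-before-seen subdomain of 6xkmet.cc (apex level), the exact URL click, and a second path on bbbge.imjckeee.com (FQDN level). Keep the three levels separate in whatever you alert on: exact URL and FQDN hits are high confidence, while an apex-only hit is a lead that needs a look at the resolving host before it is escalated. The same layering in KQL would extract the host with parse_url(Url).Host and compare it against the output of kql_dynamic.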
| Sentinel Table | Notes |
|---|---|
| DnsEvents | DNS Analytics data; ensure this data connector is enabled |
| UrlClickEvents | Defender for Office 365 Safe Links click data, streamed through the Microsoft Defender XDR connector; ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A scheduled maintenance script pulls a file from an internal repository. This cannot match the indicators above: every IOC is an external FQDN or URL (the .cc subdomains, imjckeee.com, spadedevelopment.info), and the queries compare DNS names and URLs, not file paths. A maintenance job that does resolve or fetch one of these hosts is contacting loader infrastructure and should be investigated.
Filter/Exclusion: Do not exclude by source IP range. In DnsEvents the ClientIP is nearly always an internal address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so that exclusion would suppress every hit. If a specific job is verified benign, exclude its host by name, for example `| where Computer !~ "maint-01.corp.example"` (placeholder hostname).
Scenario: Software Update via Microsoft Intune
Description: Intune delivers update packages from Microsoft-operated endpoints, none of which appear in this IOC set, so an update cannot produce a domain or URL match.
Filter/Exclusion: None needed. Do not exclude on file names containing "update" or "patch"; the hunt never inspects file names, and a loader is free to call itself update.exe.
Scenario: Admin Task Using PowerShell for Log Collection
Description: Log-collection scripts read local or UNC paths and do not resolve the listed hosts. PowerShell that does fetch one of the URLs (for example with Invoke-WebRequest) is acting as a loader stage, not producing a false positive.
Filter/Exclusion: Do not exclude processes by Administrators membership or by SYSTEM running powershell.exe. That is the context in which loaders most often execute, and the exclusion would blind the hunt on the hosts that matter most.
Scenario: Backup Job Using Veeam
Description: Veeam writes to local disks and network storage; directory names are never compared against DNS names or URLs, so a backup job cannot match these indicators.
Filter/Exclusion: None needed. Exclusions on process or file names containing "veeam" or "backup" are trivially satisfied by an attacker naming the loader accordingly.
Scenario: Internal Threat Intelligence Feed Integration
Description: Threat-intelligence platforms, sandboxes, URL scanners and analyst workstations resolve or fetch IOC hosts for enrichment and verification. These produce genuine DNS and URL matches from a small set of known systems and are the most likely benign source of hits for this rule.
*Filter/Ex