The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving an unknown loader, which may be used to execute malicious payloads or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | sparkrub.xyz | botnet_cc | 2026-05-24 | 100% |
| domain | jeansporter.xyz | botnet_cc | 2026-05-24 | 100% |
| domain | shoesearthquake.xyz | botnet_cc | 2026-05-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["sparkrub.xyz", "jeansporter.xyz", "shoesearthquake.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
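The same hunt expressed in Python, as an added example that is not part of the original rule page: it applies the three ThreatFox domains to constructed DnsEvents-style records, matches on label boundaries so subdomains of an IOC are caught while lookalike names are not, and returns hits newest first like the KQL above. The `DnsEvent` class and sample events are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime

# IOCs from the ThreatFox "Unknown Loader" listing on this page
MALICIOUS_DOMAINS = {"sparkrub.xyz", "jeansporter.xyz", "shoesearthquake.xyz"}

def matched_ioc(query_name: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC that query_name equals or is a subdomain of, else None.

    Matching is done on label boundaries: 'cdn.sparkrub.xyz' matches
    'sparkrub.xyz', while 'notsparkrub.xyz' and 'sparkrub.xyz.example.net'
    (which a plain substring check would also flag) do not.
    """
    name = query_name.strip().rstrip(".").lower()  # normalise trailing dot and case
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

@dataclass
class DnsEvent:  # assumed record shape; the columns the page's query projects
    TimeGenerated: datetime
    Computer: str
    Name: str
    IPAddresses: str
    QueryType: str

def hunt(events):
    """Mirror the page's KQL: keep events whose Name hits an IOC, newest first."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev.Name)
        if ioc:
            hits.append((ev, ioc))
    hits.sort(key=lambda pair: pair[0].TimeGenerated, reverse=True)
    return hits

# Constructed sample events (not real telemetry); RFC 5737 documentation addresses
SAMPLE_EVENTS = [
    DnsEvent(datetime(2026, 5, 24, 9, 0), "WS01", "cdn.sparkrub.xyz.", "203.0.113.7", "A"),
    DnsEvent(datetime(2026, 5, 24, 9, 5), "WS02", "notsparkrub.xyz", "198.51.100.4", "A"),
    DnsEvent(datetime(2026, 5, 24, 9, 10), "WS03", "jeansporter.xyz", "203.0.113.9", "AAAA"),
    DnsEvent(datetime(2026, 5, 24, 9, 15), "WS04", "sparkrub.xyz.example.net", "192.0.2.5", "A"),
]

if __name__ == "__main__":
    for ev, ioc in hunt(SAMPLE_EVENTS):
        print(ev.TimeGenerated, ev.Computer, ev.Name, "->", ioc)
```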
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a known tool like PowerShell or Task Scheduler to perform system updates or maintenance.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or processes with CommandLine containing schtasks.exe or powershell.exe -Command.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like Process Explorer or Process Monitor to investigate system behavior, which may trigger IOCs related to process enumeration.
Filter/Exclusion: Exclude processes with ImageFileName matching procexp.exe, procmon.exe, or Process Explorer.exe.
Scenario: Log Collection and Analysis Job
Description: A security team runs a log analysis job using tools like LogParser or ELK Stack that may inadvertently trigger IOCs due to file access or command-line arguments.
Filter/Exclusion: Exclude processes with ImageFileName matching logparser.exe, java.exe (for ELK), or node.exe (for custom scripts).
Scenario: Software Deployment via SCCM
Description: A Software Center or SCCM (System Center Configuration Manager) deployment package may use a loader or script that matches the IOC signature due to similar execution patterns.
Filter/Exclusion: Exclude processes with ParentProcessName matching smsts.exe or ccmexec.exe, or CommandLine containing sccm or Configuration Manager.
Scenario: Third-Party Compliance Tool Execution
Description: A third-party compliance or audit tool, such as Splunk or IBM QRadar, may execute scripts or use libraries that resemble malicious loader behavior.
Filter/Exclusion: Exclude processes with ImageFileName