ThreatFox: Unknown Loader IOCs flags access to URLs that ThreatFox attributes to an as-yet-unclassified malware loader ("Unknown Loader") used for payload delivery. A loader is the first stage that fetches and executes the real payload and sets up persistence, so a hit on one of these URLs is an early indicator of a compromise in progress rather than proof of one. SOC teams should proactively hunt for this activity in Azure Sentinel (now Microsoft Sentinel) to catch the initial stage before the payload lands, which is where signature-based controls most often miss.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 6
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://wei8htunconq.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://a4lp.tov4mixel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://clipvale.dex9taren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://spark0-mesh.nuv2moren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://gzvsfzls.vym7lixar.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://3qui-crest.tav4sorel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google | payload_delivery | 2026-04-18 | 90% |
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Loader (6 payload_delivery URLs, first seen 2026-04-18, 90% confidence)
// Note: all six URLs share one path (/05fe317c-.../ck-3d80df...google) across rotating *.in.net hosts,
// so the path and the registered domains are useful pivots if the exact strings stop matching.
// has_any still matches when extra query parameters are appended; use `Url in~ (malicious_urls)` for exact, case-insensitive matching.
let malicious_urls = dynamic(["http://wei8htunconq.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google", "https://a4lp.tov4mixel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google", "https://clipvale.dex9taren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google", "https://spark0-mesh.nuv2moren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google", "https://gzvsfzls.vym7lixar.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google", "https://3qui-crest.tav4sorel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Safe Links click telemetry from Defender for Office 365; it reaches Sentinel through the Microsoft Defender XDR data connector. Ensure that connector is enabled and the table is actually receiving events before treating an empty result as a clean bill of health |
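To make the IOC list reusable beyond the single UrlClickEvents query, the following Python script is an added example (it is not part of the page, ThreatFox, or Microsoft tooling). It refangs the six URLs, derives host, registrable-domain and shared-path pivots, emits a Sentinel query that unions Safe Links clicks with DeviceNetworkEvents, and runs the same three-level matching over constructed proxy log lines so you can see which pivot fires on which line. Assumptions: in.net is treated as a registry suffix (as on the Public Suffix List), so the registrable domain is the third label from the right; the DeviceNetworkEvents column names in the emitted query follow the Defender XDR advanced-hunting schema; the proxy log lines are fabricated sample data.

```python
"""Turn the ThreatFox 'Unknown Loader' URL IOCs into reusable hunting pivots.

Added example for this page; it is not ThreatFox or Microsoft code.
"""
import re
from urllib.parse import urlsplit

# The six IOCs exactly as listed in the table above (defanged hxxp/hxxps).
DEFANGED_IOCS = [
    "hxxp://wei8htunconq.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://a4lp.tov4mixel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://clipvale.dex9taren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://spark0-mesh.nuv2moren.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://gzvsfzls.vym7lixar.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "hxxps://3qui-crest.tav4sorel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so the string parses like a real URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)  # hxxps -> https too
    return url.replace("[.]", ".").replace("[:]", ":")


def registrable_domain(host: str) -> str:
    """Domain the actor had to register. Assumption: in.net is treated as a
    registry suffix (it is on the Public Suffix List), so the registrable
    domain is the third label from the right; other hosts use the last two."""
    labels = host.lower().split(".")
    if labels[-2:] == ["in", "net"] and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def pivots(defanged: list[str]) -> dict:
    """Exact URLs plus the weaker but more durable pivots: domains and shared paths."""
    urls = [refang(u).lower() for u in defanged]
    hosts = sorted({urlsplit(u).hostname for u in urls})
    return {
        "urls": urls,
        "hosts": hosts,
        "domains": sorted({registrable_domain(h) for h in hosts}),
        "paths": sorted({urlsplit(u).path for u in urls}),
    }


def build_kql(p: dict) -> str:
    """Emit a Sentinel hunting query over Safe Links clicks and endpoint
    network events (both arrive through the Microsoft Defender XDR connector)."""
    def arr(items):
        return "dynamic([" + ", ".join(f'"{i}"' for i in items) + "])"
    return "\n".join([
        f"let ioc_urls = {arr(p['urls'])};",
        f"let ioc_domains = {arr(p['domains'])};",
        f"let ioc_paths = {arr(p['paths'])};",
        "union isfuzzy=true",
        '  (UrlClickEvents | project Timestamp, Account = AccountUpn, Url, Source = "UrlClickEvents"),',
        '  (DeviceNetworkEvents | project Timestamp, Account = InitiatingProcessAccountName, Url = RemoteUrl, Source = "DeviceNetworkEvents")',
        "| where Url in~ (ioc_urls)        // exact IOC",
        "    or Url has_any (ioc_domains)  // any host or path on an actor-registered domain",
        "    or Url has_any (ioc_paths)    // the shared campaign path on a host not yet in the feed",
        "| order by Timestamp desc",
    ])


# Constructed proxy log lines (not real telemetry): time, user, URL, action.
SAMPLE_PROXY_LOG = """\
2026-04-18T09:12:44Z alice@example.com https://a4lp.tov4mixel.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google ALLOW
2026-04-18T09:13:02Z bob@example.com https://cdn.tov4mixel.in.net/update/check.php ALLOW
2026-04-18T09:15:10Z carol@example.com https://www.google.com/search?q=ck-3d80df5d12cdfe6450a782fc87bf66b444.google ALLOW
2026-04-18T09:20:31Z dave@example.com https://x9.newhost.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google BLOCK
"""


def classify(url: str, p: dict):
    """Strongest pivot the URL hits: 'url', 'domain', 'path', or None.
    A benign search for the '.google' token (line 3 above) must not match."""
    parts = urlsplit(url.lower())
    if url.lower() in p["urls"]:
        return "url"
    if parts.hostname and registrable_domain(parts.hostname) in p["domains"]:
        return "domain"
    if parts.path in p["paths"]:
        return "path"
    return None


def hunt(log_text: str, p: dict) -> list[tuple]:
    """Return (time, user, pivot, url) for every line that matches an IOC pivot."""
    hits = []
    for line in log_text.splitlines():
        ts, user, url, _action = line.split()
        kind = classify(url, p)
        if kind:
            hits.append((ts, user, kind, url))
    return hits


if __name__ == "__main__":
    P = pivots(DEFANGED_IOCS)
    print(build_kql(P))
    for hit in hunt(SAMPLE_PROXY_LOG, P):
        print(*hit)
```

Run it to print the generated query and the three hits: alice's click is an exact IOC, bob's request to a different host on tov4mixel.in.net matches at domain level, and dave's request matches only on the shared campaign path (a host the feed does not list yet); carol's Google search containing the same `.google` token correctly produces no hit. Treat domain- and path-level hits as leads to triage, not as the 90%-confidence signal the exact URLs carry.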
Note on scope: the query above matches URL strings in UrlClickEvents, so the process-based exclusions in the first four scenarios only matter if this rule is extended to endpoint process telemetry. For the URL match itself, the realistic source of benign hits is deliberate analyst activity (last scenario).
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a malicious-looking command or file path as part of a maintenance routine (e.g., pslist or handle from Sysinternals).
Filter/Exclusion: Exclude processes spawned by the Task Scheduler service whose image lives under C:\Windows\System32. Tie the exclusion to the signed image or its hash rather than the directory alone, since a loader dropped into a writable path can also be launched by a scheduled task.
Scenario: Admin Using Process Explorer to Analyze Processes
Description: A system administrator uses Process Explorer (from Sysinternals) to inspect running processes, which may trigger the rule because it issues pslist-like commands.
Filter/Exclusion: Exclude procexp.exe and procexp64.exe by signed image name. Do not exclude on the parent being explorer.exe or taskmgr.exe: explorer.exe is the parent of almost every interactively launched program, so that exclusion would blind the rule.
Scenario: Running a Known Security Tool for Forensics
Description: A security analyst runs a legitimate forensic tool such as Process Hacker or Wireshark that interacts with system processes in a way that resembles a loader.
Filter/Exclusion: Exclude ProcessHacker.exe, Wireshark.exe and Procmon.exe, scoped to the analyst hosts where they are expected rather than fleet-wide.
Scenario: Automated Log Collection Job
Description: A scheduled job runs a script to collect logs using tools such as logparser or PowerShell to gather system event logs, and its command-line arguments trigger the rule.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or the Task Scheduler service, and filter out the specific command lines of the log collection tools.
Scenario: Using a Known Malware Analysis Tool
Description: A malware analyst detonates samples in a sandboxed environment or analysis tool such as Cuckoo Sandbox or Joe Sandbox, which fetches the listed URLs and produces hits that match the rule.
Filter/Exclusion: Exclude the dedicated analyst accounts and isolated sandbox hosts used for detonation; a hit from any other user or device should be handled as a real click on a loader URL.