Adversaries may be using unknown stealer malware to exfiltrate sensitive data by leveraging compromised credentials and network access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches before they escalate.
IOC Summary

Malware Family: Unknown Stealer
Total IOCs: 3
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://pewweepor092.com/api/debug/event | payload_delivery | 2026-04-18 | 90% |
| domain | pewweepor092.com | payload_delivery | 2026-04-18 | 90% |
| url | hxxps://pewweepor092.com/debug/payload.applescript | payload_delivery | 2026-04-18 | 90% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["pewweepor092.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
let malicious_urls = dynamic(["https://pewweepor092.com/api/debug/event", "https://pewweepor092.com/debug/payload.applescript"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
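For analysts whose DNS or proxy logs are not in Sentinel, the same IOC matching as an added Python example (not part of this page or of ThreatFox). It refangs the values from the IOC table above, matches the domain and its subdomains but not look-alike hosts, and compares URLs by host and path regardless of scheme, case or query string; the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged IOCs exactly as listed in the ThreatFox-derived table above.
IOC_URLS = [
    "hxxps://pewweepor092.com/api/debug/event",
    "hxxps://pewweepor092.com/debug/payload.applescript",
]
IOC_DOMAINS = ["pewweepor092.com"]

def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so values can be matched."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it; false for
    look-alikes such as 'pewweepor092.com.example.org' or 'notpewweepor092.com'."""
    host = host.lower().rstrip(".")
    ioc_domain = ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)

def url_matches(url: str, ioc_url: str) -> bool:
    """Compare on host and path only: scheme, case and query string are ignored."""
    a, b = urlsplit(url.lower()), urlsplit(ioc_url.lower())
    return a.hostname == b.hostname and a.path.rstrip("/") == b.path.rstrip("/")

def hunt(records):
    """Return the records whose 'name' (DNS query) or 'url' (proxy) field hits an IOC."""
    domains = [refang(d) for d in IOC_DOMAINS]
    urls = [refang(u) for u in IOC_URLS]
    hits = []
    for rec in records:
        host, url = rec.get("name"), rec.get("url")
        if host and any(domain_matches(host, d) for d in domains):
            hits.append(rec)
        elif url and any(url_matches(url, u) for u in urls):
            hits.append(rec)
    return hits

# Constructed sample events (not from the page): two true hits, two near-misses.
SAMPLE = [
    {"ts": "2026-04-18T10:01:00Z", "name": "cdn.pewweepor092.com"},
    {"ts": "2026-04-18T10:01:05Z", "name": "pewweepor092.com.example.org"},
    {"ts": "2026-04-18T10:02:00Z", "url": "http://PEWWEEPOR092.com/debug/payload.applescript?v=2"},
    {"ts": "2026-04-18T10:02:30Z", "url": "https://example.com/api/debug/event"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```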
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (DNS connector; populated from Windows DNS server logs) |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft 365 Defender connector; this table holds Safe Links click telemetry, so it only covers URLs a user clicked from email or Office apps, not all web traffic) |
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a script that downloads a known benign tool (e.g., choco or scoop) for package management.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler and files signed by Microsoft or trusted package managers.
Scenario: Admin Performing System Inventory with PowerShell
Description: An admin uses PowerShell to gather system information, which may involve downloading a tool like PowerShell or WMIC to collect data.
Filter/Exclusion: Exclude processes initiated by powershell.exe with elevated privileges and files signed by Microsoft or known admin tools.
Scenario: Deployment of a Known Security Tool via ThreatFox
Description: A security tool (e.g., Maltego, ThreatConnect, or OSINT tools) is being deployed via a script or configuration file, which is mistakenly flagged as a stealer.
Filter/Exclusion: Exclude files or processes associated with known security tools and verify the file’s digital signature or source.
Scenario: User-Initiated Download of a Legitimate Software Update
Description: A user downloads a software update (e.g., Adobe Acrobat, Java, or Microsoft Office) from a trusted source, which is flagged due to a false positive in ThreatFox.
Filter/Exclusion: Exclude files from known vendors and domains, and use file hashes or digital signatures to validate legitimacy.
Scenario: Network Monitoring Tool Collecting Traffic Data
Description: A network monitoring tool (e.g., Wireshark, tcpdump, or Microsoft Network Monitor) is running and capturing traffic, which may be flagged as suspicious activity.
Filter/Exclusion: Exclude processes associated with network monitoring tools and filter