The ThreatFox "Unknown Stealer" IOC rule flags DNS lookups and URL clicks that hit indicators ThreatFox files under its placeholder family for stealer samples not yet attributed to a named family. The indicators are tagged botnet_cc (command-and-control) and payload_delivery, so a hit points at a host that is already running the stealer or a user who has just been served its dropper. SOC teams can hunt for these in Microsoft Sentinel (formerly Azure Sentinel) with the queries below. The set contains no file hashes or process artifacts, so the hunt is network-only, and two of the URLs are Google Sites pages: match those on the full path and do not block sites.google.com outright.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 11
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | purematrixa.com | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://sites.google.com/newappclaude.com/clau-ver-un-30 | payload_delivery | 2026-06-01 | 100% |
| url | hxxps://turbowave45.com/ | payload_delivery | 2026-06-01 | 100% |
| url | hxxps://purematrixa.com/1751517 | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://anvil-89.com/curl/b2ebd894810ccc6df1fccbceeaf09f5c9be6dbf3f8386c915b26e78c28ac3563 | botnet_cc | 2026-06-01 | 100% |
| domain | wiseview58.com | payload_delivery | 2026-06-01 | 100% |
| domain | anvil-89.com | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://sites.google.com/newpayservices.com/cdx-biz-ver-un-v27 | payload_delivery | 2026-06-01 | 100% |
| url | hxxps://wiseview58.com/hjpjsp2/ | payload_delivery | 2026-06-01 | 100% |
| url | hxxps://anvil-89.com/curl/db7bd4c559aa3fb93d63739f16264aae68c911adc95b9f97cc7529c52fd15a87 | botnet_cc | 2026-06-01 | 100% |
| domain | iloveblondegirl.top | botnet_cc | 2026-06-01 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
// has_any does whole-term matching, so subdomains such as cdn.anvil-89.com also match,
// while a look-alike such as notpurematrixa.com does not.
// Scope the time range with the query time picker or add a TimeGenerated filter.
let malicious_domains = dynamic(["purematrixa.com", "wiseview58.com", "anvil-89.com", "iloveblondegirl.top"]);
DnsEvents
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP identifies the querying host.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs (Safe Links click telemetry)
// Source: ThreatFox - Unknown Stealer
// URLs are refanged from the hxxps form used in the IOC table.
// The two sites.google.com entries are matched on their full path; the host alone is not an indicator.
let malicious_urls = dynamic([
    "https://sites.google.com/newappclaude.com/clau-ver-un-30",
    "https://turbowave45.com/",
    "https://purematrixa.com/1751517",
    "https://anvil-89.com/curl/b2ebd894810ccc6df1fccbceeaf09f5c9be6dbf3f8386c915b26e78c28ac3563",
    "https://sites.google.com/newpayservices.com/cdx-biz-ver-un-v27",
    "https://wiseview58.com/hjpjsp2/",
    "https://anvil-89.com/curl/db7bd4c559aa3fb93d63739f16264aae68c911adc95b9f97cc7529c52fd15a87"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
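The query below is an added example, not part of the original page or of ThreatFox's own content. It runs both hunts over constructed sample rows so the matching logic can be checked before the DnsEvents and UrlClickEvents connectors are populated, and it tightens the matching: DNS names are compared on their registered domain (which catches subdomains and rejects look-alikes), URLs are compared on a normalised host plus path so that only the two listed Google Sites paths fire, and sandbox hosts are excluded by name. The workstation names, the sandbox host name, the user accounts, the timestamps and the two `datatable` stand-ins for the Sentinel tables are all assumptions; swap the real tables in for production use.

```kusto
// Added example: the two hunts above, tightened and run over constructed rows.
// IOCs refanged from the ThreatFox table (hxxps -> https).
let malicious_domains = dynamic(["purematrixa.com", "wiseview58.com", "anvil-89.com", "iloveblondegirl.top"]);
let malicious_urls = dynamic([
    "https://sites.google.com/newappclaude.com/clau-ver-un-30",
    "https://turbowave45.com/",
    "https://purematrixa.com/1751517",
    "https://anvil-89.com/curl/b2ebd894810ccc6df1fccbceeaf09f5c9be6dbf3f8386c915b26e78c28ac3563",
    "https://sites.google.com/newpayservices.com/cdx-biz-ver-un-v27",
    "https://wiseview58.com/hjpjsp2/",
    "https://anvil-89.com/curl/db7bd4c559aa3fb93d63739f16264aae68c911adc95b9f97cc7529c52fd15a87"
]);
// Hosts that detonate samples on purpose; the name is a placeholder (assumption).
let sandbox_hosts = dynamic(["SANDBOX-01"]);
// Reduce a URL to lower-cased "host/path" with any trailing slash removed, so that
// "https://wiseview58.com/hjpjsp2/" and "https://wiseview58.com/hjpjsp2" compare equal.
let url_key = (u: string) {
    strcat(tolower(tostring(parse_url(u).Host)), trim_end(@"/+", tostring(parse_url(u).Path)))
};
// Apply the same normalisation to the indicator list once, up front.
let malicious_url_keys = toscalar(
    print u = malicious_urls
    | mv-expand u to typeof(string)
    | summarize make_set(url_key(u))
);
// Constructed stand-in for DnsEvents (assumption: replace with the real table).
let SampleDns = datatable(TimeGenerated: datetime, Computer: string, Name: string, QueryType: string) [
    datetime(2026-06-02 09:15:00), "WS-0142",    "cdn.anvil-89.com",    "A",  // subdomain of an IOC: should match
    datetime(2026-06-02 09:16:00), "WS-0142",    "purematrixa.com",     "A",  // exact IOC: should match
    datetime(2026-06-02 09:17:00), "WS-0099",    "notpurematrixa.com",  "A",  // different registered domain: should not match
    datetime(2026-06-02 09:18:00), "SANDBOX-01", "iloveblondegirl.top", "A",  // IOC, but from an excluded sandbox host
    datetime(2026-06-02 09:19:00), "WS-0007",    "sites.google.com",    "A"   // Google's own host: should not match
];
// Constructed stand-in for UrlClickEvents (assumption: replace with the real table).
let SampleClicks = datatable(Timestamp: datetime, AccountUpn: string, Url: string, ActionType: string, IsClickedThrough: bool) [
    datetime(2026-06-02 10:01:00), "alice@example.com", "https://sites.google.com/newappclaude.com/clau-ver-un-30", "ClickAllowed", true,  // listed Google Sites path: should match
    datetime(2026-06-02 10:02:00), "bob@example.com",   "https://sites.google.com/view/team-offsite-photos",         "ClickAllowed", true,  // another Google Site: should not match
    datetime(2026-06-02 10:03:00), "carol@example.com", "https://wiseview58.com/hjpjsp2",                            "ClickBlocked", false  // IOC without its trailing slash: should match
];
// DNS side: compare the registered domain (last two labels) of the queried name.
// Assumes two-label registered domains, which holds for every domain in this IOC set.
let dns_hits = SampleDns
    | extend RegisteredDomain = strcat_array(array_slice(split(trim_end(@"\.", tolower(Name)), "."), -2, -1), ".")
    | where RegisteredDomain in (malicious_domains)
    | where Computer !in (sandbox_hosts)
    | project Time = TimeGenerated, Source = "DnsEvents", Entity = Computer, Indicator = Name, Detail = QueryType;
// URL side: exact match on the normalised host/path, so the rest of Google Sites stays clean.
let url_hits = SampleClicks
    | where url_key(Url) in (malicious_url_keys)
    | project Time = Timestamp, Source = "UrlClickEvents", Entity = AccountUpn, Indicator = Url, Detail = ActionType;
union dns_hits, url_hits
| order by Time desc
```

The registered-domain comparison is deliberately stricter than `has_any`: it will not match a name such as `anvil-89.com.attacker.net`, so if that kind of prefix abuse is a concern, keep the `has_any` version alongside it. The URL normalisation drops only scheme, case and trailing slashes; query strings are not part of any indicator here, so they are left out of the key on both sides.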
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Server connector (DNS Analytics solution); ensure it is enabled. If DNS telemetry instead lands in DeviceNetworkEvents (Defender for Endpoint) or ASimDnsActivityLogs (DNS via AMA), retarget the query to that table. |
| UrlClickEvents | Populated through the Microsoft 365 Defender connector from Defender for Office 365 Safe Links; ensure it is enabled. It records clicks on links in mail, Teams and Office documents only, so direct browser navigation to these URLs will not appear here. |
Scenario: Legitimate System Update via Chocolatey
Description: A Chocolatey package install script run by choco.exe downloads from one of the listed hosts. Every indicator on this page is tagged botnet_cc or payload_delivery at 100% confidence, so a package that contacts them is a compromised or malicious package, not a false positive: investigate the package and the host rather than excluding the process. DnsEvents and UrlClickEvents also carry no process fields, so a process-based exclusion only becomes possible if the hunt is extended to endpoint telemetry such as DeviceNetworkEvents.
Filter/Exclusion: none. The original filter `process.name != "choco.exe" OR process.parent.name != "choco.exe"` keeps a row whenever either side is something other than choco.exe, which is not the intended exclusion and does not apply to these tables anyway.
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task rotating and archiving logs touches local files whose names or paths resemble an indicator. The indicators here are domains and URLs matched against DNS query names and clicked URLs, so a local path such as C:\Windows\System32\logrotate.exe cannot produce a hit; this scenario does not apply to this rule.
Filter/Exclusion: not applicable.
Scenario: Admin Task for User Management
Description: An admin manages user accounts from PowerShell. Command syntax is not compared against these indicators; only DNS names and URLs are. A PowerShell script that actually resolves or fetches from a listed host is a true positive and should be investigated.
Filter/Exclusion: not applicable. The original `process.name != "powershell.exe" OR user.name != "Administrator"` would also have suppressed a stealer launched through PowerShell under the Administrator account, which is exactly the case to keep.
Scenario: Legitimate Third-Party Tool Execution
Description: A legitimate tool such as 7-Zip or WinRAR runs and one of its components contains a string resembling an indicator. Binary strings are not inspected by this rule; a hit requires the tool to resolve or download from a listed host, which would again be worth investigating rather than excluding.
Filter/Exclusion: not applicable. The original `process.name != "7z.exe" OR process.name != "WinRAR.exe"` is true for every row (no process name equals both values), so as a filter it changes nothing.
Scenario: Malware Analysis Environment Testing
Description: An analyst detonates a sample in a sandbox, which resolves the listed domains or fetches the listed URLs on purpose. This is the one plausible benign source of hits for this rule, and it should be excluded by host and account rather than by parent process.
Filter/Exclusion: `Computer !in ("<sandbox host names>")` on DnsEvents and `AccountUpn !in ("<analysis mailboxes>")` on UrlClickEvents; the host and mailbox names are placeholders to fill in per environment. The original `process.parent.name != "sandbox.exe" OR process.parent.name != "vmtoolsd.exe"` is true for every row and changes nothing.