The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity involving the exfiltration of sensitive data by unknown malware that leverages compromised credentials and network resources. The rule matches DNS queries for the botnet command-and-control domains listed below, so SOC teams can proactively hunt for this behavior in Azure Sentinel and identify and mitigate an early-stage compromise by an unknown stealer before significant data loss occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | webflare.beer | botnet_cc | 2026-06-09 | 100% |
| domain | berlof.shop | botnet_cc | 2026-06-09 | 100% |
| domain | firazit.com | botnet_cc | 2026-06-09 | 100% |
| domain | macerapindasi.com | botnet_cc | 2026-06-09 | 100% |
| domain | servupdt.com | botnet_cc | 2026-06-09 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["webflare.beer", "berlof.shop", "firazit.com", "macerapindasi.com", "servupdt.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
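The same hunt applied to an exported DnsEvents CSV, as an added example that is not part of the original rule. It matches on label boundaries (the IOC itself or a subdomain of it), which is stricter than a plain substring test, and the sample rows are constructed, not real telemetry.

```python
import csv
import io
from datetime import datetime
from typing import Optional

# IOC domains from the ThreatFox "Unknown Stealer" entry on this page.
IOC_DOMAINS = {"webflare.beer", "berlof.shop", "firazit.com", "macerapindasi.com", "servupdt.com"}

def normalize_name(name: str) -> str:
    """Lower-case the queried name and strip the trailing dot some resolvers log."""
    return name.strip().lower().rstrip(".")

def matches_ioc(name: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the matching IOC if `name` is the IOC itself or a subdomain of it.

    Matching is done on label boundaries: 'cdn.webflare.beer' matches 'webflare.beer',
    but 'notwebflare.beer' and 'servupdt.com.internal.corp' do not.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

def hunt(csv_text: str) -> list:
    """Run the hunt over a DnsEvents-style CSV export; returns matching rows, newest first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc = matches_ioc(row["Name"])
        if ioc:
            hits.append({**row, "MatchedIOC": ioc})
    hits.sort(key=lambda r: datetime.fromisoformat(r["TimeGenerated"]), reverse=True)
    return hits

# Constructed sample export with the columns the KQL projects (hosts and IPs are made up).
SAMPLE_DNS_EVENTS = """TimeGenerated,Computer,Name,IPAddresses,QueryType
2026-06-09T08:01:12,WS-017,www.example.com,93.184.216.34,A
2026-06-09T08:02:40,WS-017,cdn.webflare.beer.,203.0.113.10,A
2026-06-09T08:03:05,SRV-DB1,notwebflare.beer,198.51.100.7,A
2026-06-09T08:05:51,WS-023,SERVUPDT.COM,203.0.113.22,A
2026-06-09T08:06:13,WS-023,servupdt.com.internal.corp,,CNAME
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```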
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a legitimate script for system inventory, which includes downloading a file from a known internal repository.
Filter/Exclusion: Exclude files downloaded from internal IP ranges (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)).
Scenario: A scheduled task in Task Scheduler performs a database backup using a legitimate third-party tool such as Veeam or Commvault, which may generate network traffic resembling malicious IOCs.
Filter/Exclusion: Exclude traffic associated with known backup tools (e.g., process_name = "VeeamBackup.exe" or process_name = "CommVault.exe").
Scenario: An IT team is performing a Windows Update or Group Policy deployment using WSUS, which may involve downloading files that match the IOCs of the Unknown Stealer.
Filter/Exclusion: Exclude files downloaded from WSUS servers (e.g., dest_ip = "10.10.10.10" or process_name = "wuauclt.exe").
Scenario: A developer is using Git to clone a repository that includes a file with a suspicious name, such as stealer.exe, which is actually a benign test file.
Filter/Exclusion: Exclude files with known benign names in development environments (e.g., file_name = "stealer.exe" AND process_name = "git.exe").
Scenario: A system is running a remote PowerShell session for administrative tasks, such as patching or configuration management, which may involve connecting to a legitimate management server.
Filter/Exclusion: Exclude connections