The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity associated with a previously unidentified stealer malware, using known malicious indicators to surface compromised systems. All of the indicators in this set are domains classified as botnet_cc, so the hunt runs against DNS telemetry: a host resolving one of these names is a candidate for command-and-control contact. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain infected hosts before credentials or other sensitive data are exfiltrated.
IOC Summary

Malware Family: Unknown Stealer
Total IOCs: 68
IOC Types: domain

The table below lists a subset of the indicators; the hunting query further down carries a larger subset, but neither is the complete set of 68.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | robodomain.sbs | botnet_cc | 2026-06-08 | 100% |
| domain | sirata.asia | botnet_cc | 2026-06-08 | 100% |
| domain | sitepromclop.click | botnet_cc | 2026-06-08 | 100% |
| domain | smackit.lat | botnet_cc | 2026-06-08 | 100% |
| domain | smesharik.bond | botnet_cc | 2026-06-08 | 100% |
| domain | spartanec.lat | botnet_cc | 2026-06-08 | 100% |
| domain | superpooper.click | botnet_cc | 2026-06-08 | 100% |
| domain | webanalytics-cdn.cfd | botnet_cc | 2026-06-08 | 100% |
| domain | whynotebanarot.xyz | botnet_cc | 2026-06-08 | 100% |
| domain | yanepidor.mom | botnet_cc | 2026-06-08 | 100% |
| domain | yoshicity.xyz | botnet_cc | 2026-06-08 | 100% |
| domain | myverifhouse.sbs | botnet_cc | 2026-06-08 | 100% |
| domain | myverifyblog.sbs | botnet_cc | 2026-06-08 | 100% |
| domain | nenadopapa.cfd | botnet_cc | 2026-06-08 | 100% |
| domain | peachbro.bond | botnet_cc | 2026-06-08 | 100% |
| domain | pinokros.xyz | botnet_cc | 2026-06-08 | 100% |
| domain | pohuimne.lol | botnet_cc | 2026-06-08 | 100% |
| domain | ponikas.cyou | botnet_cc | 2026-06-08 | 100% |
| domain | pringlesbob.cfd | botnet_cc | 2026-06-08 | 100% |
| domain | productionmaza.sbs | botnet_cc | 2026-06-08 | 100% |
| domain | prokladka.lol | botnet_cc | 2026-06-08 | 100% |
| domain | sandman.bond | botnet_cc | 2026-06-08 | 100% |
| domain | sandman.lat | botnet_cc | 2026-06-08 | 100% |
| domain | marmelad.lat | botnet_cc | 2026-06-08 | 100% |
| domain | megamegalodon.click | botnet_cc | 2026-06-08 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
// Note: has_any is term-based, so it also returns subdomains of an IOC
// (and names with a DNS search suffix appended); swap in "in~" for an
// exact, case-insensitive match if the results are too broad.
let malicious_domains = dynamic(["robodomain.sbs", "sirata.asia", "sitepromclop.click", "smackit.lat", "smesharik.bond", "spartanec.lat", "superpooper.click", "webanalytics-cdn.cfd", "whynotebanarot.xyz", "yanepidor.mom", "yoshicity.xyz", "myverifhouse.sbs", "myverifyblog.sbs", "nenadopapa.cfd", "peachbro.bond", "pinokros.xyz", "pohuimne.lol", "ponikas.cyou", "pringlesbob.cfd", "productionmaza.sbs", "prokladka.lol", "sandman.bond", "sandman.lat", "marmelad.lat", "megamegalodon.click", "merindashop.cyou", "mexicodreams.bond", "microblogver.bond", "microchlen.lat", "microloh.bond", "milksos.cfd", "mnepohui.sbs", "mob.lanjut.in", "myblobtop.site", "mygoodblog.bond", "mygoodblog.cfd", "etomoe.cfd", "etomoidomen.cfd", "ganiballektor.cfd", "gdedengikarlos.cfd", "gdelogi.lol", "govnol.lat", "gppcdnns.beer", "ivangay.bond", "lenders.digital", "lizablud.shop", "mambet.lol", "marinaradom.cfd", "biggestchlen.xyz", "biletors.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
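Before running the query at scale it helps to see what the domain match actually returns. The following Python is an added example (not part of the page or of ThreatFox) that replays three matching strategies over constructed DnsEvents-shaped records: exact match, parent-domain match (the IOC or any subdomain of it), and a loose label-sequence match that also catches names with a client's DNS search suffix appended. Treating the last one as an approximation of the query's `has_any` behaviour is an assumption; the sample events, host names and IPs are constructed, not real telemetry. It also emits the `dynamic([...])` literal from an IOC list so the KQL can be regenerated when the feed updates.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Subset of the IOC domains from the page's table and query.
IOC_DOMAINS = [
    "robodomain.sbs", "sirata.asia", "sandman.bond", "sandman.lat",
    "webanalytics-cdn.cfd", "lenders.digital", "mob.lanjut.in",
]

# Constructed sample records in the shape of the DnsEvents columns the query
# projects. These are made up for the example and are not real log data.
SAMPLE_DNS_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2026-06-08T10:01:00Z", "Computer": "WS01", "Name": "robodomain.sbs", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-08T10:02:00Z", "Computer": "WS02", "Name": "cdn.sandman.bond.", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-08T10:03:00Z", "Computer": "WS03", "Name": "SANDMAN.LAT", "IPAddresses": "", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-06-08T10:04:00Z", "Computer": "WS04", "Name": "notsandman.lat", "IPAddresses": "198.51.100.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-08T10:05:00Z", "Computer": "WS05", "Name": "www.lanjut.in", "IPAddresses": "198.51.100.6", "QueryType": "A"},
    {"TimeGenerated": "2026-06-08T10:06:00Z", "Computer": "WS06", "Name": "robodomain.sbs.example.internal", "IPAddresses": "", "QueryType": "A"},
]

Matcher = Callable[[str, List[str]], Optional[str]]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot that some resolvers log."""
    return name.strip().lower().rstrip(".")


def labels(name: str) -> List[str]:
    """Split a normalized name into its DNS labels."""
    return [part for part in normalize(name).split(".") if part]


def match_exact(name: str, iocs: List[str]) -> Optional[str]:
    """Return the IOC only if the queried name is identical to it."""
    n = normalize(name)
    return next((normalize(i) for i in iocs if normalize(i) == n), None)


def match_parent(name: str, iocs: List[str]) -> Optional[str]:
    """Return the IOC if the name is the IOC or a subdomain of it.
    A plain substring test would wrongly accept 'notsandman.lat'; anchoring on
    the label boundary ('.' + ioc) avoids that."""
    n = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if n == i or n.endswith("." + i):
            return i
    return None


def match_label_sequence(name: str, iocs: List[str]) -> Optional[str]:
    """Loosest matcher: the IOC's labels appear contiguously anywhere in the
    queried name. This also catches 'robodomain.sbs.example.internal', which a
    client produces when it appends its search suffix to an unqualified lookup.
    Assumed here to approximate what the KQL has_any term match returns."""
    nl = labels(name)
    for ioc in iocs:
        il = labels(ioc)
        k = len(il)
        if any(nl[j:j + k] == il for j in range(len(nl) - k + 1)):
            return normalize(ioc)
    return None


def hunt(events: List[Dict[str, str]], iocs: List[str], matcher: Matcher) -> List[Tuple[str, str, str]]:
    """Mirror the query: filter on Name, newest first, returning (Computer, Name, matched IOC)."""
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"], reverse=True):
        hit = matcher(ev["Name"], iocs)
        if hit:
            hits.append((ev["Computer"], ev["Name"], hit))
    return hits


def to_kql_dynamic(iocs: List[str]) -> str:
    """Render a de-duplicated, normalized IOC list as a KQL dynamic([...]) literal."""
    return "dynamic(" + json.dumps(sorted({normalize(i) for i in iocs})) + ")"


if __name__ == "__main__":
    for label, matcher in (("exact", match_exact), ("parent", match_parent), ("label-seq", match_label_sequence)):
        print(label, hunt(SAMPLE_DNS_EVENTS, IOC_DOMAINS, matcher))
    print("let malicious_domains = " + to_kql_dynamic(IOC_DOMAINS) + ";")
```

The three matchers return 2, 3 and 4 hits respectively on the sample: parent matching adds the `cdn.sandman.bond.` subdomain, and label-sequence matching adds the search-suffixed lookup from WS06 while still rejecting `notsandman.lat` and `www.lanjut.in`. Pick the strictness that suits the environment and, whichever you pick, review hit volume per IOC rather than per query, since a single short or generic-looking entry can dominate the results.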
False positive scenarios

The exclusions below refer to ProcessName and CommandLine, which DnsEvents does not carry; they can only be applied after a DNS hit has been joined to process telemetry for the same host and time window. A match on one of these command-line patterns narrows the investigation but does not by itself make a query to a botnet_cc domain benign.

Scenario: Legitimate System Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate update, and a DNS query made during that install matches one of the IOCs in the ThreatFox list.
Filter/Exclusion: Check for ProcessName containing “choco” or “Chocolatey” and filter by CommandLine containing “install” or “update”.

Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script to collect logs using a tool like logrotate or rsyslog, and its activity may include a lookup matching an IOC from the ThreatFox list.
Filter/Exclusion: Filter by ProcessName containing “logrotate” or “rsyslog” and check for CommandLine containing “rotate” or “collect”.

Scenario: Admin Task for Software Deployment
Description: An admin uses PowerShell to deploy a legitimate software package, and the deployment may include a file path or registry key matching a known IOC.
Filter/Exclusion: Filter by ProcessName containing “powershell.exe” and check for CommandLine containing “Deploy” or “Install”.

Scenario: Legitimate Use of WMI for System Monitoring
Description: A monitoring tool like WMIC is used to gather system information, which may trigger an IOC match due to common command patterns.
Filter/Exclusion: Filter by ProcessName containing “wmic” and check for CommandLine containing “get” or “query”.

Scenario: Antivirus Scan Using ClamAV
Description: A scheduled antivirus scan using ClamAV may trigger an IOC match due to temporary files or processes that resemble malicious activity.
Filter/Exclusion: Filter by ProcessName containing “clamscan” or “freshclam” and check for CommandLine containing “scan