The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity associated with a stealer malware family that ThreatFox has not yet attributed (listed simply as "Unknown Stealer"), likely used to exfiltrate sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before data is exfiltrated or further damage occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 9
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev | payload_delivery | 2026-04-20 | 100% |
| domain | uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://download.get-version.com/claude | payload_delivery | 2026-04-20 | 100% |
| domain | download.get-version.com | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://arkypc.com/n8n/update | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://arkypc.com/curl/c46084d53f2256206cd2695ec998a98418969f278381b1f0cc848f21815ec543 | payload_delivery | 2026-04-20 | 100% |
| domain | arkypc.com | payload_delivery | 2026-04-20 | 100% |
| url | hxxps://claud-new-tools591.pages.dev | payload_delivery | 2026-04-20 | 100% |
| domain | claud-new-tools591.pages.dev | payload_delivery | 2026-04-20 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
// Domains are the refanged values from the IOC table above.
let malicious_domains = dynamic(["uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev", "download.get-version.com", "arkypc.com", "claud-new-tools591.pages.dev"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
// URLs are the refanged (hxxps -> https) values from the IOC table above.
let malicious_urls = dynamic(["https://uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev", "https://download.get-version.com/claude", "https://arkypc.com/n8n/update", "https://arkypc.com/curl/c46084d53f2256206cd2695ec998a98418969f278381b1f0cc848f21815ec543", "https://claud-new-tools591.pages.dev"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
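The two KQL hunts above rely on `has_any`, which is a term search rather than a domain-aware match. As an added example that is not part of this rule page, the Python below refangs the table's indicators and checks them against constructed DNS and proxy log lines with a dot-boundary domain check and a path-boundary URL check, so near-misses such as `notarkypc.com` or `/n8n/updates` are not reported while subdomains and any path under a bare-host indicator are. The log line format and the `hunt` function are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from the IOC table above, defanged exactly as published.
IOC_DOMAINS = {"uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev", "download.get-version.com",
               "arkypc.com", "claud-new-tools591.pages.dev"}
IOC_URLS = ["hxxps://uih9ehfbhdbfqudbfidfcikqhnegf.pages.dev",
            "hxxps://download.get-version.com/claude", "hxxps://arkypc.com/n8n/update",
            "hxxps://arkypc.com/curl/c46084d53f2256206cd2695ec998a98418969f278381b1f0cc848f21815ec543",
            "hxxps://claud-new-tools591.pages.dev"]
# Constructed sample telemetry, not real logs: "timestamp host name" and "timestamp user url".
DNS_LINES = ["2026-04-20T10:01:02Z host01 arkypc.com",
             "2026-04-20T10:01:05Z host02 notarkypc.com",
             "2026-04-20T10:02:10Z host03 cdn.download.get-version.com"]
PROXY_LINES = ["2026-04-20T10:03:00Z alice https://claud-new-tools591.pages.dev/setup.exe",
               "2026-04-20T10:03:30Z bob https://arkypc.com/n8n/updates",
               "2026-04-20T10:04:00Z carol https://arkypc.com/n8n/update/"]

def refang(ioc: str):
    """Turn a defanged indicator (hxxps://, [.]) back into its real, lower-cased form."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".").strip().lower()

def domain_hit(name: str):
    """IOC domain that `name` equals or is a subdomain of; dot boundary rejects 'notarkypc.com'."""
    name = name.lower().rstrip(".")
    return next((d for d in IOC_DOMAINS if name == d or name.endswith("." + d)), None)

def url_hit(url: str):
    """IOC URL matching `url` on scheme, host and path prefix; a bare-host IOC covers all paths."""
    seen = urlsplit(url.strip())
    for ioc in map(refang, IOC_URLS):
        ref = urlsplit(ioc)
        if seen.scheme != ref.scheme or (seen.hostname or "") != ref.hostname:
            continue
        path, ref_path = seen.path.rstrip("/"), ref.path.rstrip("/")
        if not ref_path or path == ref_path or path.startswith(ref_path + "/"):
            return ioc
    return None

def hunt(dns_lines=DNS_LINES, proxy_lines=PROXY_LINES):
    """Return (host_or_user, observed_value, matched_ioc) for every hit, DNS hits first."""
    hits = []
    for line in dns_lines:
        _, host, name = line.split()
        if ioc := domain_hit(name):
            hits.append((host, name, ioc))
    for line in proxy_lines:
        _, user, url = line.split()
        if ioc := url_hit(url):
            hits.append((user, url, ioc))
    return hits
```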
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using psutil for system monitoring | Exclude processes where the command line includes psutil and the process is associated with a known monitoring tool (e.g., nagios, zabbix, or datadog). |
| Admin task using subprocess to run a legitimate script | Exclude processes where the command line contains subprocess and the script path is within a known admin directory (e.g., /opt/scripts/ or /usr/local/bin/). |
| Development environment using requests to interact with an internal API | Exclude processes where the command line includes requests and the target URL is within the internal domain (e.g., http://api.internal.company.com). |
| System update using apt or yum with custom scripts | Exclude processes where the command line includes apt or yum and the process is initiated by a known update manager (e.g., unattended-upgrades or yum-cron). |
| Log analysis using grep with a custom regex pattern | Exclude processes where the command line includes grep and the regex pattern is associated with a known log analysis tool (e.g., logstash, splunk, or ELK stack). |