The ThreatFox: Unknown Stealer IOCs rule detects potential indicators of compromise associated with a previously unknown stealer malware, which may be used to exfiltrate sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before significant data loss occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 8
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | sekirolegion.duckdns.org | botnet_cc | 2026-06-14 | 100% |
| domain | ptlegion.duckdns.org | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://sekirolegion.duckdns.org/api/endpoint.php | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://ptlegion.duckdns.org/api/endpoint.php | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://silentlegion.duckdns.org/gate/update.php | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://silentlegion.duckdns.org/gate/config.php | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://silentlegion.duckdns.org/gate/create.php | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://silentlegion.duckdns.org/gate/connection.php | botnet_cc | 2026-06-14 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
// silentlegion.duckdns.org is the host of six of the URL IOCs listed above, so it is
// included here as well; otherwise the DNS hunt would cover only the two 'domain' rows.
let malicious_domains = dynamic(["sekirolegion.duckdns.org", "ptlegion.duckdns.org", "silentlegion.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
let malicious_urls = dynamic(["http://sekirolegion.duckdns.org/api/endpoint.php", "http://ptlegion.duckdns.org/api/endpoint.php", "http://silentlegion.duckdns.org/gate/update.php", "http://silentlegion.duckdns.org/gate/config.php", "http://silentlegion.duckdns.org/gate/create.php", "http://silentlegion.duckdns.org/gate/connection.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
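The two queries above are only as good as the lists pasted into their `dynamic([...])` literals, and the published IOCs are defanged (`hxxp://`) while the queries need live values. The following script is an added example, not part of the ThreatFox rule or of Microsoft Sentinel: it refangs the IOC table, derives the full set of C2 hosts from both the `domain` rows and the hosts inside the `url` rows, renders the two KQL lists, and then runs the same matching logic over a handful of constructed DNS query names and URLs (the sample events are made up for the demonstration; the IOC values are copied from the table above). The `dns_hit` and `url_hit` helpers approximate what `has_any` does in the queries; they are this example's own code, not Kusto.

```python
"""Build KQL hunt inputs from the defanged IOC table and run them over sample events.

Added example; it is not part of the ThreatFox rule page or of Microsoft Sentinel.
The IOC values are copied from the table above; the DNS/URL events are constructed.
"""
import re
from urllib.parse import urlparse

# IOC rows as published (type, defanged value).
DEFANGED_IOCS = [
    ("domain", "sekirolegion.duckdns.org"),
    ("domain", "ptlegion.duckdns.org"),
    ("url", "hxxp://sekirolegion.duckdns.org/api/endpoint.php"),
    ("url", "hxxp://ptlegion.duckdns.org/api/endpoint.php"),
    ("url", "hxxp://silentlegion.duckdns.org/gate/update.php"),
    ("url", "hxxp://silentlegion.duckdns.org/gate/config.php"),
    ("url", "hxxp://silentlegion.duckdns.org/gate/create.php"),
    ("url", "hxxp://silentlegion.duckdns.org/gate/connection.php"),
]


def refang(value: str) -> str:
    """Reverse the usual defanging (hxxp -> http, [.] -> ., [:] -> :)."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def hunt_sets(iocs):
    """Return (domains, urls) for the two hunting queries.

    Hosts embedded in URL IOCs are added to the domain set, so the DNS hunt
    covers every C2 host in the table rather than only the rows typed 'domain'.
    """
    domains, urls = set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "domain":
            domains.add(value.lower())
        elif kind == "url":
            urls.add(value)
            host = urlparse(value).hostname
            if host:
                domains.add(host.lower())
    return sorted(domains), sorted(urls)


def kql_dynamic(values) -> str:
    """Render a list as the KQL dynamic([...]) literal used in the queries."""
    return "dynamic([" + ", ".join('"%s"' % v.replace('"', '\\"') for v in values) + "])"


def dns_hit(query_name: str, domains) -> bool:
    """True if a DNS query name is a listed host or a subdomain of one.

    Comparison is case-insensitive and ignores a trailing dot; a plain substring
    test is avoided so that e.g. 'notsekirolegion.duckdns.org' does not match.
    """
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_hit(url: str, urls) -> bool:
    """True if a URL matches a listed URL (scheme/host case-insensitive, path exact)."""
    def norm(u):
        p = urlparse(u)
        return (p.scheme.lower(), (p.hostname or "").lower(), p.path)
    target = norm(url)
    return any(norm(u) == target for u in urls)


# Constructed sample events (not real telemetry).
SAMPLE_DNS = [
    "sekirolegion.duckdns.org",
    "SILENTLEGION.duckdns.org.",    # host that appears only in the URL IOCs
    "legion.duckdns.org",           # unrelated duckdns name, must not hit
    "notsekirolegion.duckdns.org",  # suffix collision, must not hit
]
SAMPLE_URLS = [
    "http://SILENTLEGION.duckdns.org/gate/config.php",
    "http://silentlegion.duckdns.org/gate/other.php",  # same host, unlisted path
]


def run():
    """Build the lists and evaluate the sample events; returns all four results."""
    domains, urls = hunt_sets(DEFANGED_IOCS)
    dns_hits = [n for n in SAMPLE_DNS if dns_hit(n, domains)]
    url_hits = [u for u in SAMPLE_URLS if url_hit(u, urls)]
    return domains, urls, dns_hits, url_hits


if __name__ == "__main__":
    domains, urls, dns_hits, url_hits = run()
    print("let malicious_domains = " + kql_dynamic(domains) + ";")
    print("let malicious_urls = " + kql_dynamic(urls) + ";")
    print("DNS hits:", dns_hits)
    print("URL hits:", url_hits)
```

Running the script prints the two `let` statements ready to paste into the queries; the derived domain list has three hosts, one more than the `domain` rows alone. The URL matcher is deliberately exact on the path, mirroring the queries, so a new path on a listed host (the second sample URL) surfaces only through the DNS hunt, which is one reason to keep both queries in the rule.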
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOCs due to its file name or path.
Filter/Exclusion: process.name != "schtasks.exe" OR file.path != "C:\Windows\System32\schtasks.exe"
Scenario: Admin Performing Log Collection via PowerShell
Description: An admin is using PowerShell to collect logs, and the script name or command matches the IOC pattern.
Filter/Exclusion: process.name != "powershell.exe" OR process.args != "Get-EventLog"
Scenario: Automated Backup Job Using a Known Tool
Description: A backup tool like Veeam or Acronis is executing a backup job, and its executable or command line matches the IOC.
Filter/Exclusion: file.name != "veeam.exe" AND process.name != "AcronisBackup.exe"
Scenario: User Running a Legitimate Script for System Monitoring
Description: A user is running a script (e.g., PsExec, Task Scheduler, or PowerShell) for system monitoring that matches the IOC.
Filter/Exclusion: process.name != "PsExec.exe" OR process.args != " -s -i"
Scenario: Legitimate Software Installation via MSI or EXE
Description: A legitimate software installer (e.g., Microsoft Office, Adobe Reader) is being executed, and its file path or name matches the IOC.
Filter/Exclusion: file.name != "setup.exe" AND file.name != "msiexec.exe"