Adversaries may be using unknown stealer malware to exfiltrate sensitive data by leveraging compromised credentials and network access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches early.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bloxstealer.xyz | botnet_cc | 2026-06-04 | 100% |
| domain | update.bloxstealer.xyz | botnet_cc | 2026-06-04 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["bloxstealer.xyz", "update.bloxstealer.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
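To exercise the matching logic of the hunt offline, here is an added example (not part of the original hunt or of ThreatFox) that re-implements the DnsEvents query in Python over constructed sample records; the lab host allowlist is a hypothetical stand-in for the lab-environment exclusion discussed in the false-positive scenarios.

```python
# Added example, not part of the original hunt or of ThreatFox: an offline
# re-implementation of the DnsEvents query so the matching logic can be
# exercised against constructed records.

# The two domains from the IOC table on this page.
MALICIOUS_DOMAINS = ("bloxstealer.xyz", "update.bloxstealer.xyz")

# Constructed sample rows with the columns the KQL query projects.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-04T09:30:00Z", "Computer": "srv-dc-01",
     "Name": "bloxstealer.xyz.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T10:01:00Z", "Computer": "ws-finance-07",
     "Name": "update.bloxstealer.xyz", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T10:02:00Z", "Computer": "ws-hr-02",
     "Name": "notbloxstealer.xyz", "IPAddresses": "198.51.100.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T10:03:00Z", "Computer": "lab-sandbox-01",
     "Name": "cdn.bloxstealer.xyz", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-04T10:04:00Z", "Computer": "ws-hr-02",
     "Name": "www.microsoft.com", "IPAddresses": "20.0.0.1", "QueryType": "A"},
]

# Hypothetical analysis-lab hosts, mirroring the lab-environment exclusion
# from the false-positive scenarios on this page.
LAB_HOSTS = frozenset({"lab-sandbox-01"})


def domain_matches(name, iocs=MALICIOUS_DOMAINS):
    """Return the most specific IOC that `name` equals or is a subdomain of.
    Label matching (not substring matching) keeps look-alikes such as
    notbloxstealer.xyz from firing; a trailing FQDN dot is ignored."""
    n = name.rstrip(".").lower()
    for ioc in sorted((i.lower() for i in iocs), key=len, reverse=True):
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt_dns(events, iocs=MALICIOUS_DOMAINS, lab_hosts=frozenset()):
    """Filter, project and order events the way the KQL hunt does."""
    hits = []
    for event in events:
        ioc = domain_matches(event["Name"], iocs)
        if ioc is None or event["Computer"].lower() in lab_hosts:
            continue
        hits.append({**event, "MatchedIoc": ioc})
    hits.sort(key=lambda row: row["TimeGenerated"], reverse=True)
    return hits
```

Run `hunt_dns(SAMPLE_DNS_EVENTS, lab_hosts=LAB_HOSTS)` to see the two true hits, newest first, with the look-alike domain and the lab host filtered out.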
Scenario: Legitimate Scheduled Job Using Known Stealer Tools
Description: A scheduled job runs a legitimate system maintenance script that invokes a tool also associated with stealer activity (e.g., a cron job that uses PowerShell to execute a benign script).
Filter/Exclusion: Exclude processes initiated by cron or at jobs, or filter on command-line arguments containing --scheduled or --job.
Scenario: Admin Task Involving File Copying
Description: An administrator copies files between servers using a script that invokes a tool also associated with stealer activity (e.g., scp wrapped in a custom script whose behavior resembles exfiltration).
Filter/Exclusion: Exclude processes initiated by root or admin users, or filter on command-line arguments containing --copy, --backup, or --sync.
Scenario: Legitimate Use of PowerShell for System Monitoring
Description: A system monitoring tool (e.g., a PowerShell script from SolarWinds or PRTG) uses a cmdlet also associated with stealer activity (e.g., Invoke-WebRequest) to fetch updates or configuration files.
Filter/Exclusion: Exclude PowerShell scripts from known vendors, or filter on command-line arguments containing --update, --config, or --fetch.
Scenario: Malware Analysis Lab Environment
Description: A malware analysis lab is detonating a known stealer (e.g., Cobalt Strike) in a controlled environment, and the presence of the tool triggers the rule.
Filter/Exclusion: Exclude processes running in a sandbox or virtual machine, or filter on the IP addresses or domains associated with the lab environment.
Scenario: Legitimate Use of Known Stealer for Data Exfiltration (e.g., for Compliance)
Description: A