The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity associated with a stealer malware family that ThreatFox has not yet attributed, by matching DNS queries and clicked URLs against the payload-delivery URLs and domains listed below. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate early-stage compromises from threats that evade traditional signature-based detection.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 20
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://buyaneli876-oss.github.io/glowing-spork/connect.html | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://sites.google.com/view/onemacx | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://orbitstride7.com/curl/9cf6cd30496f706484dfb381ad7ce3d75b55643fc4be360bc7f4a5d68d870b1e | payload_delivery | 2026-05-24 | 75% |
| domain | clavdiyaivanon.com | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://sites.google.com/view/clavdenbewvews | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://clavdiyaivanon.com/ | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://cedar-satin.com/curl/1ecc9cc2abe02ee32f98fa922913df6566c81ec9b9da7a9f90fa25c9984cb2ee | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://sites.google.com/view/clau-deskt-ver-24 | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://cybervertex38.com/ | payload_delivery | 2026-05-24 | 75% |
| domain | breinsmas.com | payload_delivery | 2026-05-24 | 75% |
| domain | vacationrentalvirginia.com | payload_delivery | 2026-05-24 | 75% |
| url | hxxp://vacationrentalvirginia.com/curl/5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381 | payload_delivery | 2026-05-24 | 75% |
| domain | orbitstride7.com | payload_delivery | 2026-05-24 | 100% |
| url | hxxps://breinsmas.com/ | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://sites.google.com/view/xbreshamewmew | payload_delivery | 2026-05-24 | 75% |
| url | hxxps://sites.google.com/view/clodemacx | payload_delivery | 2026-05-24 | 100% |
| url | hxxps://buyaneli876-oss.github.io/probable-adventure/connect.html | payload_delivery | 2026-05-24 | 100% |
| domain | homeinspectionnaperville.com | payload_delivery | 2026-05-24 | 100% |
| domain | api-metrics-6258.com | payload_delivery | 2026-05-24 | 100% |
| url | hxxps://sites.google.com/view/mellerbrew | payload_delivery | 2026-05-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["clavdiyaivanon.com", "breinsmas.com", "vacationrentalvirginia.com", "orbitstride7.com", "homeinspectionnaperville.com", "api-metrics-6258.com"]);
DnsEvents
| where Name has_any (malicious_domains)   // term match, so subdomains of an IOC domain also hit
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
// Full URLs are used on purpose: several IOCs live on shared hosts (sites.google.com, github.io),
// so matching on the host alone would flag legitimate traffic.
let malicious_urls = dynamic(["https://buyaneli876-oss.github.io/glowing-spork/connect.html", "https://sites.google.com/view/onemacx", "https://orbitstride7.com/curl/9cf6cd30496f706484dfb381ad7ce3d75b55643fc4be360bc7f4a5d68d870b1e", "https://sites.google.com/view/clavdenbewvews", "https://clavdiyaivanon.com/", "https://cedar-satin.com/curl/1ecc9cc2abe02ee32f98fa922913df6566c81ec9b9da7a9f90fa25c9984cb2ee", "https://sites.google.com/view/clau-deskt-ver-24", "https://cybervertex38.com/", "http://vacationrentalvirginia.com/curl/5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381", "https://breinsmas.com/", "https://sites.google.com/view/xbreshamewmew", "https://sites.google.com/view/clodemacx", "https://buyaneli876-oss.github.io/probable-adventure/connect.html", "https://sites.google.com/view/mellerbrew"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
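The two hunting queries above apply the same matching logic to two telemetry sources: domain IOCs against DNS query names, full-URL IOCs against clicked URLs. The following Python script is an added example, not part of the ThreatFox page or its Sentinel queries, that reproduces that logic offline so the matching rules can be checked before they run in a workspace. It refangs the `hxxp://` indicators as they appear in the table, matches DNS names on the registered IOC domain (including subdomains, case and trailing-dot differences), and matches URLs on the full normalized URL, so a shared host such as `sites.google.com` never becomes a hit on its own. It goes slightly beyond the KQL by also flagging any URL whose host is one of the domain IOCs. The log lines, host names (`ws-017`, `ws-042`) and non-IOC URLs are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied from the IOC table above, still in defanged form (subset of the 20).
DOMAIN_IOCS = [
    "clavdiyaivanon.com", "breinsmas.com", "vacationrentalvirginia.com",
    "orbitstride7.com", "homeinspectionnaperville.com", "api-metrics-6258.com",
]
URL_IOCS = [
    "hxxps://buyaneli876-oss.github.io/glowing-spork/connect.html",
    "hxxps://sites.google.com/view/onemacx",
    "hxxps://orbitstride7.com/curl/9cf6cd30496f706484dfb381ad7ce3d75b55643fc4be360bc7f4a5d68d870b1e",
    "hxxps://clavdiyaivanon.com/",
    "hxxp://vacationrentalvirginia.com/curl/5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381",
    "hxxps://sites.google.com/view/clodemacx",
]


def refang(ioc: str) -> str:
    """Turn the defanged hxxp/hxxps scheme (and [.] if present) back into a real URL."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, keep the path, and treat an empty path as '/'."""
    parts = urlsplit(url.strip())
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")          # DNS names may be mixed case or end with '.'
    labels = host.split(".")
    for i in range(len(labels) - 1):         # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


DOMAIN_SET = set(DOMAIN_IOCS)
URL_SET = {normalize_url(refang(u)) for u in URL_IOCS}

# Constructed sample DNS log lines: "<time> <computer> query <type> <name>".
DNS_LOG = [
    "2026-05-24T10:01:02Z ws-017 query A www.orbitstride7.com",
    "2026-05-24T10:01:05Z ws-017 query A sites.google.com",
    "2026-05-24T10:02:11Z ws-042 query A update.microsoft.com",
    "2026-05-24T10:02:40Z ws-042 query A API-METRICS-6258.COM.",
]
# Constructed sample proxy log lines: "<time> <computer> <method> <url>".
PROXY_LOG = [
    "2026-05-24T10:01:06Z ws-017 GET https://sites.google.com/view/clodemacx",
    "2026-05-24T10:01:09Z ws-017 GET https://sites.google.com/view/some-legit-page",
    "2026-05-24T10:03:00Z ws-042 GET https://clavdiyaivanon.com",
    "2026-05-24T10:03:30Z ws-042 GET https://orbitstride7.com/curl/9cf6cd30496f706484dfb381ad7ce3d75b55643fc4be360bc7f4a5d68d870b1e",
    "2026-05-24T10:03:45Z ws-042 GET https://cdn.orbitstride7.com/x.js",
]


def hunt_dns(lines: List[str], domains: Set[str] = DOMAIN_SET) -> List[Tuple[str, str, str]]:
    """Mirror of the DnsEvents query: (computer, queried name, matched IOC domain)."""
    hits = []
    for line in lines:
        _ts, computer, _kw, _qtype, name = line.split()
        ioc = host_matches(name, domains)
        if ioc:
            hits.append((computer, name, ioc))
    return hits


def hunt_urls(lines: List[str], urls: Set[str] = URL_SET,
              domains: Set[str] = DOMAIN_SET) -> List[Tuple[str, str, str]]:
    """Mirror of the UrlClickEvents query: exact URL IOC first, then IOC-domain host."""
    hits = []
    for line in lines:
        _ts, computer, _method, url = line.split()
        norm = normalize_url(url)
        if norm in urls:                      # full-URL match; shared hosts stay quiet
            hits.append((computer, url, norm))
            continue
        ioc = host_matches(urlsplit(norm).hostname or "", domains)
        if ioc:                               # any URL on a domain IOC is worth a look
            hits.append((computer, url, ioc))
    return hits


if __name__ == "__main__":
    for hit in hunt_dns(DNS_LOG) + hunt_urls(PROXY_LOG):
        print("HIT", *hit)
```

The same split applies when porting these IOCs to another SIEM: domain indicators can be matched as host suffixes, but URL indicators on shared hosting must stay full-URL matches or the rule will page on every visit to `sites.google.com`.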
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A scheduled task runs a script to collect system metrics using a tool like PsExec or PowerShell for monitoring purposes.
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with a known legitimate script path, e.g., C:\Windows\System32\Tasks\ or C:\Program Files\MonitoringTool\.
Scenario: Admin Performing Disk Cleanup Using PowerShell
Description: An administrator uses PowerShell to clean up temporary files or logs, which may involve IOCs like cleanmgr.exe or del commands.
Filter/Exclusion: Exclude processes with the PowerShell.exe executable and command-line arguments containing clean, delete, or remove in a known admin context.
Scenario: Regular System Update or Patching Process
Description: A system update or patching process may involve downloading files from Microsoft or other trusted sources, which could be flagged as unknown IOCs.
Filter/Exclusion: Exclude IP addresses or domains associated with Microsoft Update (update.microsoft.com) or known enterprise patch management servers.
Scenario: Legitimate Use of Cobalt Strike Beacon for Red Team Exercise
Description: A red team exercise uses Cobalt Strike Beacon to simulate a compromise, which may trigger IOCs associated with malicious activity.
Filter/Exclusion: Exclude processes with the beacon.exe executable and a known red team IP range or domain used during authorized exercises.
Scenario: User-Initiated File Transfer via FTP or SFTP
Description: A user transfers files using an FTP or SFTP client, which may involve IOCs like ftp.exe or sftp.exe that could be flagged as suspicious.
Filter/Exclusion: Exclude processes initiated from known user home directories or