The ThreatFox: Unknown Stealer IOCs rule detects potential adversary activity associated with a previously unknown stealer malware, likely used for exfiltrating sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by an unknown threat actor leveraging stealthy, undetected IOCs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | frostuploadv2.com | botnet_cc | 2026-04-21 | 100% |
| domain | y5jcpyt1f2rgh0ig.frostapiv2.com | botnet_cc | 2026-04-21 | 100% |
| domain | nxt8q5ekqgcimpwx.frostapiv2.com | botnet_cc | 2026-04-21 | 100% |
| domain | downex.frostapiv2.com | botnet_cc | 2026-04-21 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["frostuploadv2.com", "y5jcpyt1f2rgh0ig.frostapiv2.com", "nxt8q5ekqgcimpwx.frostapiv2.com", "downex.frostapiv2.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
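The matching logic of the hunt above, as an added example that is not part of the ThreatFox rule or of Sentinel: it runs the four IOC domains over a handful of constructed DnsEvents-style records, normalises case and trailing dots the way a resolver log may present them, and (as an extension beyond the query's `has_any`) optionally flags any host under one of the listed names, while still rejecting look-alikes such as `frostuploadv2.com.example.org`. Field names mirror the projected Sentinel columns; the sample records and IP addresses are constructed for the example.

```python
# Added example, not the rule's own code: replicate the DNS-domain IOC match
# offline over constructed records, with explicit handling of the edge cases
# (case, trailing dot, subdomains, look-alike suffixes) a hunt has to get right.
from dataclasses import dataclass
from typing import Iterable, List

# IOC domains copied from the ThreatFox "Unknown Stealer" listing on this page.
MALICIOUS_DOMAINS = frozenset({
    "frostuploadv2.com",
    "y5jcpyt1f2rgh0ig.frostapiv2.com",
    "nxt8q5ekqgcimpwx.frostapiv2.com",
    "downex.frostapiv2.com",
})


@dataclass(frozen=True)
class DnsEvent:
    # Field names mirror the columns the KQL query projects from DnsEvents.
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may be logged with a trailing dot."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS,
                include_subdomains: bool = True) -> bool:
    """True if the queried name is an IOC, or (optionally) any host beneath one.

    The suffix check requires a leading '.', so 'notfrostuploadv2.com' and
    'frostuploadv2.com.example.org' are not matched.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc:
            return True
        if include_subdomains and n.endswith("." + ioc):
            return True
    return False


def hunt(events: Iterable[DnsEvent], include_subdomains: bool = True) -> List[DnsEvent]:
    """Filter events to IOC hits, newest first (like `order by TimeGenerated desc`)."""
    hits = [e for e in events if matches_ioc(e.name, include_subdomains=include_subdomains)]
    return sorted(hits, key=lambda e: e.time_generated, reverse=True)


# Constructed sample records (RFC 5737 documentation addresses, invented hosts).
SAMPLE_EVENTS = [
    DnsEvent("2026-04-21T08:00:00Z", "ws01", "downex.frostapiv2.com", "203.0.113.10", "A"),
    DnsEvent("2026-04-21T08:05:00Z", "ws02", "update.example.org", "198.51.100.7", "A"),
    DnsEvent("2026-04-21T08:10:00Z", "ws03", "FrostUploadV2.com.", "203.0.113.11", "AAAA"),
    DnsEvent("2026-04-21T08:15:00Z", "ws04", "frostuploadv2.com.example.org", "198.51.100.8", "A"),
    DnsEvent("2026-04-21T08:20:00Z", "ws05", "cdn.frostuploadv2.com", "203.0.113.12", "A"),
]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"{e.time_generated} {e.computer} {e.name} {e.ip_addresses} {e.query_type}")
```

With `include_subdomains=True` the run reports ws05, ws03 and ws01; with it set to `False` only the exact-name hits ws03 and ws01 remain, which is the closer equivalent of the KQL list match. The apex `frostapiv2.com` is deliberately not in the list, because the page lists only three hosts under it, not the domain itself.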
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a legitimate package that matches one of the IOCs.
Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that uses a tool like logparser.exe or PowerShell to collect logs, which may match the IOC pattern.
Filter/Exclusion: process.name != "logparser.exe" or process.name != "powershell.exe" with a custom command_line filter

Scenario: Admin Task Using PsExec for Remote Management
Description: An administrator uses PsExec to run a remote command, which may trigger the IOC due to the tool's presence.
Filter/Exclusion: process.name != "psexec.exe" or process.parent.name != "psexec.exe"

Scenario: Legitimate Use of WMI Query Tool
Description: A WMI query tool like wbemtest.exe is used for system monitoring and may match an IOC.
Filter/Exclusion: process.name != "wbemtest.exe" or process.parent.name != "wbemtest.exe"

Scenario: Regular Use of PowerShell for Scripting
Description: A PowerShell script is executed as part of routine automation, which may contain strings that match the IOC.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "powershell.exe" with a command_line filter to exclude known scripts or paths