The Berbew threat group is using the infrastructure behind these known IOCs to establish initial access and exfiltrate data, indicating potential compromise of Azure environments. SOC teams should proactively hunt for these IOCs to identify and mitigate early-stage adversarial activity before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: Berbew
Total IOCs: 10
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://kidos-bank.ru/index.htm | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://kaspersky.ru/index.htm | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://parex-bank.ru/index.htm | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://gaz-prom.ru/index.htm | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://color-bank.ru/index.php | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://adult-empire.com/index.php | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://virus-list.com/index.php | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://kaspersky.ru/index.php | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://ros-neftbank.ru/index.php | botnet_cc | 2026-06-09 | 100% |
| url | hxxp://master-x.com/index.php | botnet_cc | 2026-06-09 | 100% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Berbew
let malicious_urls = dynamic([
    "http://kidos-bank.ru/index.htm",
    "http://kaspersky.ru/index.htm",
    "http://parex-bank.ru/index.htm",
    "http://gaz-prom.ru/index.htm",
    "http://color-bank.ru/index.php",
    "http://adult-empire.com/index.php",
    "http://virus-list.com/index.php",
    "http://kaspersky.ru/index.php",
    "http://ros-neftbank.ru/index.php",
    "http://master-x.com/index.php"
]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
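The query above matches the literal URL strings from the table. As an added example (not part of the original report), the script below refangs the defanged IOC values, reduces each URL to its host and path so scheme, port, case and query-string differences do not hide a hit, and runs that match over a few constructed UrlClickEvents-style rows; the event field names mirror the query's projection and the sample rows are invented for illustration.

```python
from urllib.parse import urlsplit

# Defanged Berbew C2 URLs exactly as listed in the IOC table above
BERBEW_URL_IOCS = [
    "hxxp://kidos-bank.ru/index.htm", "hxxp://kaspersky.ru/index.htm",
    "hxxp://parex-bank.ru/index.htm", "hxxp://gaz-prom.ru/index.htm",
    "hxxp://color-bank.ru/index.php", "hxxp://adult-empire.com/index.php",
    "hxxp://virus-list.com/index.php", "hxxp://kaspersky.ru/index.php",
    "hxxp://ros-neftbank.ru/index.php", "hxxp://master-x.com/index.php",
]

def refang(url):
    """Turn a defanged indicator (hxxp://, hxxps://, [.]) back into a real URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))

def normalize(url):
    """Reduce a URL to (host, path). Scheme, port, host case and query string
    are dropped on purpose so a lookalike like https://HOST/path?x=1 still matches.
    Returns None for values that are not URLs with a host."""
    parts = urlsplit(refang(url).strip())
    if not parts.hostname:
        return None
    return parts.hostname.lower(), parts.path or "/"

# host/path key -> original defanged IOC, built once for O(1) lookups
IOC_INDEX = {normalize(u): u for u in BERBEW_URL_IOCS}

def find_hits(events):
    """events: iterable of dicts with Timestamp, AccountUpn and Url keys
    (UrlClickEvents-like). Returns a list of (event, matched_ioc) pairs."""
    hits = []
    for ev in events:
        key = normalize(ev.get("Url", ""))
        if key in IOC_INDEX:
            hits.append((ev, IOC_INDEX[key]))
    return hits

# Constructed sample rows (not real telemetry)
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-09T10:01:00Z", "AccountUpn": "alice@example.com",
     "Url": "https://KASPERSKY.RU/index.php?ref=mail"},   # https + query: hit
    {"Timestamp": "2026-06-09T10:02:00Z", "AccountUpn": "bob@example.com",
     "Url": "http://kaspersky.ru/"},                       # same host, other path: no hit
    {"Timestamp": "2026-06-09T10:03:00Z", "AccountUpn": "carol@example.com",
     "Url": "http://gaz-prom.ru:8080/index.htm"},          # explicit port: hit
    {"Timestamp": "2026-06-09T10:04:00Z", "AccountUpn": "dave@example.com",
     "Url": "not a url"},                                  # malformed value: skipped
]

if __name__ == "__main__":
    for ev, ioc in find_hits(SAMPLE_EVENTS):
        print(ev["Timestamp"], ev["AccountUpn"], ev["Url"], "->", ioc)
```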
**Scenario:** A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing benign IP addresses for network monitoring.
**Filter/Exclusion:** Exclude any activity involving Import-Csv or Invoke-Command with file paths in known internal directories (e.g., C:\Windows\System32\, C:\ProgramData\).

**Scenario:** A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes traffic to known malicious domains associated with Berbew.
**Filter/Exclusion:** Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or traffic involving known test environments.

**Scenario:** A DevOps team is using Ansible to deploy configuration files to multiple servers, and one of the files contains a benign IP address that matches a Berbew IOC.
**Filter/Exclusion:** Exclude any activity involving ansible-playbook or ansible commands with file paths in the roles/ or templates/ directories of Ansible playbooks.

**Scenario:** A database administrator is using SQL Server Management Studio (SSMS) to run a query that retrieves data from a table containing an IP address that matches a Berbew IOC.
**Filter/Exclusion:** Exclude any SQL queries executed against internal databases (e.g., master, model, msdb) or queries that include known internal IP ranges in the WHERE clause.

**Scenario:** A system is running a Windows Task Scheduler job that periodically checks for system updates, and the update metadata includes a benign IP address that matches a Berbew IOC.
**Filter/