The ThreatFox: CountLoader IOCs rule detects potential adversary activity associated with the CountLoader malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
Malware Family: CountLoader Total IOCs: 3 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | filezilla.cc | botnet_cc | 2026-06-03 | 100% |
| ip:port | 104[.]248[.]198[.]130:443 | botnet_cc | 2026-06-03 | 75% |
| domain | vdsina.vg | botnet_cc | 2026-06-03 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - CountLoader
let malicious_ips = dynamic(["104.248.198.130"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.248.198.130"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - CountLoader
let malicious_domains = dynamic(["filezilla.cc", "vdsina.vg"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using CountLoader
Description: A system administrator schedules a legitimate maintenance task using CountLoader to clean up temporary files.
Filter/Exclusion: process.name != "CountLoader" OR process.parent.name == "schtasks.exe"
Scenario: Security tool or EDR agent using CountLoader
Description: A security tool or endpoint detection and response (EDR) agent uses CountLoader as part of its telemetry or data collection process.
Filter/Exclusion: process.name != "CountLoader" OR process.parent.name == "Microsoft Defender for Endpoint"
Scenario: System update or patching process
Description: A system update or patching process uses CountLoader to manage temporary files or logs during the update.
Filter/Exclusion: process.name != "CountLoader" OR process.parent.name == "Windows Update"
Scenario: Log file aggregation using CountLoader
Description: A log aggregation tool uses CountLoader to process and consolidate log files from multiple sources.
Filter/Exclusion: process.name != "CountLoader" OR process.parent.name == "Splunk" OR process.parent.name == "ELK Stack"
Scenario: Database backup or restore operation
Description: A database backup or restore operation uses CountLoader to handle temporary data files or logs.
Filter/Exclusion: process.name != "CountLoader" OR process.parent.name == "SQL Server" OR process.parent.name == "MySQL"