This detection flags potential HijackLoader activity by matching DNS queries against the known command-and-control (C2) domains listed below; a hit means a host on the network resolved attacker infrastructure, which suggests the loader is already running and may be establishing persistence or fetching follow-on payloads. SOC teams should run this hunt in Microsoft Sentinel (formerly Azure Sentinel) and triage any match promptly, before the loader can stage further malicious code.
IOC Summary
Malware Family: HijackLoader
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | webfloweu.com | botnet_cc | 2026-06-06 | 100% |
| domain | webupdateflow.com | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - HijackLoader
let malicious_domains = dynamic(["webfloweu.com", "webupdateflow.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
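Two points a practitioner will want before running the query above at scale. First, in DnsEvents the `Computer` column is the Windows DNS server that logged the query (the DNS Analytics solution collects from DNS servers, not from clients), while `ClientIP` is the host that actually asked; pivoting on `Computer` alone therefore points at the wrong machine. Second, `has_any` is term-based, so it also matches subdomains of an IOC, which is usually desired but should be explicit. The query below is an added example written for this page, not the original rule and not ThreatFox's content: it does exact-or-subdomain matching, reports one row per querying client and IOC, counts how often the name actually resolved (a non-empty answer means the C2 infrastructure was live at the time), and drops lookups from hosts that are expected to resolve IOCs. The 30-day lookback, the `SubType == "LookupQuery"` filter and the `analyst_clients` allowlist are assumptions to adjust for your environment.

```kusto
// Added example for this page (not the original query). Assumptions: a 30-day
// lookback, the SubType == "LookupQuery" filter, and a hypothetical allowlist of
// client IPs that legitimately resolve IOCs (sandboxes, analyst jump boxes).
let malicious_domains = dynamic(["webfloweu.com", "webupdateflow.com"]);
let lookback = 30d;
let analyst_clients = dynamic(["10.0.99.5"]);   // hypothetical sandbox / analyst host
DnsEvents
| where TimeGenerated > ago(lookback)
| where SubType == "LookupQuery"                // drop dynamic-registration noise
| extend Domain = tolower(Name)
// Keep a row only if the queried name is an IOC or a subdomain of one;
// the matched IOC is carried along as the column 'Ioc'.
| mv-apply Ioc = malicious_domains to typeof(string) on (
      where Domain == Ioc or Domain endswith strcat(".", Ioc)
  )
| where ClientIP !in (analyst_clients)
| summarize FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Lookups     = count(),
            // non-empty IPAddresses means the domain resolved, i.e. C2 was live
            Resolved    = countif(isnotempty(IPAddresses)),
            ResolvedIPs = make_set(IPAddresses, 20),
            QueriedNames = make_set(Domain, 20),
            DnsServers  = make_set(Computer, 10)
        by ClientIP, Ioc
| order by FirstSeen asc
```

Rows with `Resolved > 0` deserve the highest priority: the client not only tried to reach the C2 domain but got an answer, so a connection almost certainly followed. Rows with `Resolved == 0` still indicate an infected client, but the domain may already have been taken down or sinkholed.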
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the legacy DNS connector (DNS Analytics via the Log Analytics agent on Windows DNS servers); ensure it is enabled. Environments that moved to the Windows DNS Events via AMA connector write to ASimDnsActivityLogs instead, where the queried name is in the DnsQuery column, so the query must be re-pointed accordingly. |
False Positive Scenarios
Note: DnsEvents records only the DNS server, the querying client, the name and the answer; it carries no process name, command line or parent-process fields. The process-based exclusions below therefore cannot be applied to DnsEvents directly and require correlating the DNS hit with endpoint process or network telemetry (for example Microsoft Defender for Endpoint's DeviceNetworkEvents) from the same host and time window.
Scenario: Legitimate Scheduled Job Using HijackLoader-Related Tools
Description: A scheduled task runs a legitimate maintenance tool (schtasks.exe or the Task Scheduler service) to perform routine system cleanup.
Filter/Exclusion: Exclude process activity initiated by the Task Scheduler service, or whose command line contains schtasks.exe or schtasks /create, but only for scheduled tasks that are known and approved. Scheduled tasks are also a common persistence mechanism, so an unconditional exclusion would hide exactly the behaviour this rule is meant to surface.
Scenario: Admin Task Involving Process Access
Description: An administrator uses a legitimate tool such as Process Explorer or Procmon to debug or monitor processes. These tools read other processes' memory and load a kernel driver, which can look like process-injection activity to endpoint sensors.
Filter/Exclusion: Exclude processes launched by Process Explorer or Procmon, or whose ParentProcess matches a known admin tool, and scope the exclusion to the accounts and hosts where administrators actually work; a file name alone is a weak signal because an adversary can name a payload after an admin tool.
Scenario: Software Deployment Using HijackLoader-Related Scripts
Description: A deployment script (for example one launching PowerShell.exe or msiexec.exe) installs legitimate software with command-line arguments that resemble those used to run malicious payloads.
Filter/Exclusion: Exclude processes whose CommandLine contains msiexec.exe, PowerShell.exe or setup.exe only when the ParentProcess matches a known deployment tool; excluding on the command line alone would also suppress genuine loader activity, since msiexec and PowerShell are routinely used to execute payloads.
Scenario: Network Monitoring Tool Generating False Positives
Description: A capture or scanning tool such as Wireshark, tcpdump or nmap is used to analyse traffic or scan hosts. The captured data may contain the IOC domains, and a scan that is pointed at one of them will resolve it, producing a DNS lookup that matches the rule.
Filter/Exclusion: Exclude processes with ProcessName matching Wireshark.exe, tcpdump.exe or nmap.exe, limited to the hosts where these tools are sanctioned, and review the resulting lookups rather than discarding them; a lookup from a host that is not a known analysis box is still a finding.
Scenario: System Update or Patching Process
Description: A system update or patching process (e.g., Windows Update or WSUS) may involve temporary files or processes that match the rule’s IOCs.
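Because DnsEvents carries no process context, the exclusions in the scenarios above are best applied on endpoint telemetry that does. The query below is an added example written for this page, not the original rule: it assumes the Microsoft Defender for Endpoint connector is enabled so that DeviceNetworkEvents is populated, and it matches the same two IOC domains against `RemoteUrl`, which MDE records for outbound connections. Instead of silently dropping rows, it tags each match with the scenario it falls under (analysis host, capture or scan tool, admin tool, sanctioned deployment, scheduled-task tooling) and sorts untagged matches first, so the analyst can see why a row was down-ranked and still review it. Every allowlist value (`analyst_devices`, `deployment_parents`, the tool names) is a hypothetical placeholder to replace with your own inventory.

```kusto
// Added example for this page (not the original rule). Assumes the Microsoft
// Defender for Endpoint connector is enabled so DeviceNetworkEvents is populated.
// All allowlist values below are hypothetical placeholders, not known-good data.
let malicious_domains  = dynamic(["webfloweu.com", "webupdateflow.com"]);
let analyst_devices    = dynamic(["soc-sandbox01"]);                                // analysis hosts
let capture_tools      = dynamic(["wireshark.exe", "tcpdump.exe", "nmap.exe"]);      // network monitoring scenario
let admin_tools        = dynamic(["procexp.exe", "procexp64.exe", "procmon.exe", "procmon64.exe"]); // admin task scenario
let deployment_parents = dynamic(["ccmexec.exe", "intunemanagementextension.exe"]);  // software deployment scenario
let deployment_procs   = dynamic(["msiexec.exe", "powershell.exe", "setup.exe"]);
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; normalise to the host part.
| extend Domain = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| mv-apply Ioc = malicious_domains to typeof(string) on (
      where Domain == Ioc or Domain endswith strcat(".", Ioc)
  )
| extend Proc   = tolower(InitiatingProcessFileName),
         Parent = tolower(InitiatingProcessParentFileName)
// Tag rather than drop, so the reason for down-ranking stays visible.
| extend FpReason = case(
      tolower(DeviceName) in (analyst_devices),                       "analysis host",
      Proc in (capture_tools),                                        "capture/scan tool",
      Proc in (admin_tools) or Parent in (admin_tools),               "admin tool",
      Proc in (deployment_procs) and Parent in (deployment_parents),  "sanctioned deployment",
      Proc == "schtasks.exe" or InitiatingProcessCommandLine has "schtasks", "scheduled-task tooling",
      "")
| extend Suspect = iff(isempty(FpReason), 1, 0)   // 1 = no exclusion matched
| summarize FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated),
            Connections  = count(),
            RemoteIPs    = make_set(RemoteIP, 20),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
        by DeviceName, InitiatingProcessAccountName, Proc, Parent, Ioc, FpReason, Suspect
| order by Suspect desc, FirstSeen asc
```

The scheduled-task tag is deliberately coarse: DeviceNetworkEvents exposes the parent's file name but not its command line, so a process spawned by the Task Scheduler service (svchost.exe with the Schedule service group) cannot be distinguished here from any other svchost.exe child; confirming that case needs DeviceProcessEvents, where the parent's command line is available.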