The ThreatFox: Latrodectus IOCs rule detects DNS queries and URL clicks that match indicators linked to the Latrodectus threat group, which is associated with malicious network traffic and command-and-control communications. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and contain early-stage compromises from advanced persistent threats.
IOC Summary
Malware Family: Latrodectus
Total IOCs: 12
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | cartasella.com | payload_delivery | 2026-05-29 | 75% |
| domain | foliclesalonandspa.com | payload_delivery | 2026-05-29 | 75% |
| domain | buzzwellcatering.com | payload_delivery | 2026-05-29 | 75% |
| domain | farrdigital.com | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://timeofoffer.com/bne/ | payload_delivery | 2026-05-29 | 75% |
| domain | noellepullin.com | payload_delivery | 2026-05-29 | 75% |
| domain | azahabi.com | payload_delivery | 2026-05-29 | 75% |
| domain | lfumachineworks.com | payload_delivery | 2026-05-29 | 75% |
| domain | legalbriefgenerator.com | payload_delivery | 2026-05-29 | 75% |
| domain | clientpilotclosers.com | payload_delivery | 2026-05-29 | 75% |
| domain | aecidiabi.com | payload_delivery | 2026-05-29 | 75% |
| domain | rjwinter.com | payload_delivery | 2026-05-29 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Latrodectus
let malicious_domains = dynamic(["cartasella.com", "foliclesalonandspa.com", "buzzwellcatering.com", "farrdigital.com", "noellepullin.com", "azahabi.com", "lfumachineworks.com", "legalbriefgenerator.com", "clientpilotclosers.com", "aecidiabi.com", "rjwinter.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Latrodectus
// The URL is the refanged form of the hxxps:// value listed in the IOC table above
let malicious_urls = dynamic(["https://timeofoffer.com/bne/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
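The two hunts above are built from the IOC table by type. As an added example that is not part of this rule page or ThreatFox's own tooling, the script below takes ThreatFox-style type/value rows (a constructed sample mirroring the table above), refangs defanged values such as `hxxps://`, splits them into domain and url lists, and emits the DnsEvents and UrlClickEvents queries so the lists stay in sync with the feed; the defanging conventions handled are an assumption.

```python
"""Build the Sentinel hunting queries above from ThreatFox-style IOC rows."""
import json

# Constructed sample rows mirroring this page's IOC table (not a live ThreatFox pull).
SAMPLE_IOCS = [
    {"type": "domain", "value": "cartasella.com"},
    {"type": "domain", "value": "foliclesalonandspa.com"},
    {"type": "url", "value": "hxxps://timeofoffer.com/bne/"},
    {"type": "domain", "value": "rjwinter.com"},
]

def refang(value: str) -> str:
    """Undo common defanging; KQL must match the value as it appears in the log."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("[:]", ":"))

def split_iocs(iocs):
    """Return (domains, urls): refanged, de-duplicated, order-preserving."""
    domains, urls = [], []
    for ioc in iocs:
        if ioc["type"] not in ("domain", "url"):
            continue  # hashes, IPs etc. would need other Sentinel tables
        value = refang(ioc["value"].strip())
        bucket = domains if ioc["type"] == "domain" else urls
        if value not in bucket:
            bucket.append(value)
    return domains, urls

def build_queries(iocs, source="ThreatFox - Latrodectus"):
    """Emit one KQL hunt per IOC type; json.dumps yields a valid dynamic() literal."""
    domains, urls = split_iocs(iocs)
    queries = []
    if domains:
        queries.append(
            f"// Hunt for DNS queries to known malicious domains\n// Source: {source}\n"
            f"let malicious_domains = dynamic({json.dumps(domains)});\n"
            "DnsEvents\n| where Name has_any (malicious_domains)\n"
            "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
            "| order by TimeGenerated desc")
    if urls:
        queries.append(
            f"// Hunt for access to known malicious URLs\n// Source: {source}\n"
            f"let malicious_urls = dynamic({json.dumps(urls)});\n"
            "UrlClickEvents\n| where Url has_any (malicious_urls)\n"
            "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough\n"
            "| order by Timestamp desc")
    return queries

if __name__ == "__main__":
    print("\n\n".join(build_queries(SAMPLE_IOCS)))
```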
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches one of the IOCs (e.g., psutil or subprocess).
Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing /S (scheduled task flag).
Scenario: Admin Task – PowerShell Script for Log Analysis
Description: An admin runs a PowerShell script using powershell.exe that includes a command matching an IOC (e.g., Get-EventLog).
Filter/Exclusion: Exclude processes with powershell.exe and command lines containing -Command or -File that reference known admin scripts.
Scenario: Software Update or Patching Tool
Description: A legitimate patching tool like Microsoft Update or WSUS includes a file or command that matches an IOC.
Filter/Exclusion: Exclude processes from known update tools (e.g., wusa.exe, msiexec.exe) or with parent processes from the update service.
Scenario: Database Backup Job Using SQLCMD
Description: A SQL backup job uses sqlcmd.exe with a command line that includes a string matching an IOC.
Filter/Exclusion: Exclude processes with sqlcmd.exe and parent processes from SQL Server services (e.g., sqlservr.exe).
Scenario: Network Monitoring Tool with Custom Scripts
Description: A network monitoring tool like Wireshark or tcpdump runs a script that includes a command matching an IOC.
Filter/Exclusion: Exclude processes with tcpdump.exe or wireshark.exe and command lines containing -w (write to file) or -i (interface).