The ThreatFox: Nova Stealer IOCs rule flags URL activity that matches indicators ThreatFox attributes to Nova Stealer, an infostealer that harvests credentials and other sensitive data from compromised hosts. Both indicators below are botnet command-and-control (C2) URLs: a hit means a host in the environment reached out to the stealer's C2, so it is a post-compromise signal rather than an early warning. SOC teams should hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) and treat matches as a trigger for host isolation and credential-exposure review before the stealer's collected data is exfiltrated or the foothold is used for lateral movement.
IOC Summary
Malware Family: Nova Stealer
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://104[.]243[.]35[.]237:8080/ | botnet_cc | 2026-05-28 | 50% |
| url | hxxp://208[.]115[.]220[.]30:8080/ | botnet_cc | 2026-05-28 | 50% |

Values are defanged (hxxp, [.]) as published by ThreatFox; refang them before use in a query. Confidence 50% is ThreatFox's own score for these entries, so corroborate a single hit with endpoint or proxy telemetry before escalating.
```kql
// Hunt for Safe Links clicks on known Nova Stealer C2 URLs
// Source: ThreatFox - Nova Stealer (values refanged from the table above)
// Note: has_any matches on whole terms, so a click on a path beneath the C2 root
// (e.g. http://104.243.35.237:8080/gate.php) still matches; a different port does not.
let malicious_urls = dynamic(["http://104.243.35.237:8080/", "http://208.115.220.30:8080/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ingested through the Microsoft 365 Defender (Defender XDR) data connector; ensure it is enabled. The table only records clicks on Safe Links-processed URLs from email, Teams and Office apps, so it will not see a stealer beaconing directly to its C2. Apply the same indicators to DeviceNetworkEvents (RemoteIP, RemotePort, RemoteUrl) and to proxy or firewall logs in CommonSecurityLog for coverage of non-click traffic. |
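Because UrlClickEvents only records Safe Links clicks, a stealer beaconing to its C2 root will normally show up in proxy or firewall logs (or DeviceNetworkEvents) rather than as an email click. The Python below is an added example, not part of the ThreatFox feed or of the rule: it refangs the IOC values exactly as they appear in the table above (so `hxxp` and `[.]` never leak into a KQL query), renders the same `dynamic([...])` list the query uses, and applies the host:port match to a few constructed proxy log lines, treating any path under the C2 root as a hit while rejecting a look-alike hostname and the same IP on a different port. The log line format and the client IPs are assumptions made up for the sample.

```python
"""Refang ThreatFox-style defanged URL IOCs and apply them to sample proxy log lines."""
import re
from urllib.parse import urlsplit

# Defanged IOC values copied verbatim from the ThreatFox table above.
THREATFOX_IOCS = [
    "hxxp://104[.]243[.]35[.]237:8080/",
    "hxxp://208[.]115[.]220[.]30:8080/",
]

# Constructed sample proxy log (not real telemetry):
# timestamp, client IP, method, requested URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2026-05-28T09:12:03Z 10.0.4.21 POST http://104.243.35.237:8080/gate.php 200
2026-05-28T09:12:40Z 10.0.4.21 GET http://update.example-vendor.test/pkg.nupkg 200
2026-05-28T09:13:11Z 10.0.7.8 GET http://208.115.220.30:8080/ 200
2026-05-28T09:14:02Z 10.0.7.9 GET http://208.115.220.30:80/ 404
2026-05-28T09:15:30Z 10.0.2.2 GET http://104.243.35.237.attacker.test:8080/ 200
"""


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :, [/] -> /."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")


def netloc_of(url: str) -> str:
    """Return the host:port of a URL with the scheme's default port made explicit."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}".lower()


def indicator_set(defanged: list[str]) -> set[str]:
    """Reduce each IOC to host:port; C2 traffic often carries a path below the listed root."""
    return {netloc_of(refang(i)) for i in defanged}


def kql_list(defanged: list[str]) -> str:
    """Render the refanged URLs as the KQL dynamic() literal used by the hunting query."""
    urls = ", ".join(f'"{refang(i)}"' for i in defanged)
    return f"let malicious_urls = dynamic([{urls}]);"


def match_proxy_log(log_text: str, defanged: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for every line whose destination host:port is an indicator.

    Matching on host:port rather than string prefix means a path under the C2 root
    matches, while a look-alike hostname or the same IP on another port does not.
    """
    indicators = indicator_set(defanged)
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, _method, url, _status = fields[:5]
        if netloc_of(url) in indicators:
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    print(kql_list(THREATFOX_IOCS))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, THREATFOX_IOCS):
        print("HIT", *hit)
```

Running the script prints the `let malicious_urls = ...` line byte-for-byte as it appears in the query above, followed by two hits: the POST to `/gate.php` under the first C2 and the GET to the second C2 root. The requests to port 80 and to the look-alike hostname are correctly ignored.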
The exclusions below are expressed against endpoint process telemetry (DeviceNetworkEvents / DeviceProcessEvents via the Microsoft 365 Defender connector), where the URL indicators would be matched on RemoteIP and RemotePort or RemoteUrl. UrlClickEvents carries no process fields, so none of these filters can be attached to the click query above. This rule contains only URL indicators; a scenario can produce a false positive only if it generates outbound HTTP traffic to one of the listed host:port pairs.

Scenario: Legitimate System Update via Chocolatey
Description: choco.exe fetches packages over HTTP. A match is possible only if a package source is hosted on one of the listed IP:port pairs, which would itself be worth confirming before excluding.
Filter/Exclusion: | where not (InitiatingProcessFileName =~ "choco.exe" and InitiatingProcessParentFileName =~ "choco.exe")

Scenario: Scheduled Backup Job Using VSS
Description: A scheduled task runs vssadmin.exe to create shadow copies. This generates no outbound HTTP traffic and cannot match a URL-only indicator set; keep the exclusion only if the rule is later extended with host-based indicators. Tasks launched by the Task Scheduler service have svchost.exe as their parent, not "schtasks.exe".
Filter/Exclusion: | where not (InitiatingProcessFileName =~ "vssadmin.exe" and InitiatingProcessParentFileName =~ "svchost.exe")

Scenario: Admin Task Using PowerShell for Log Management
Description: A scheduled PowerShell script rotates or archives logs. Local file operations cannot match URL indicators; only a script that uploads logs over HTTP could. The parent of a scheduled PowerShell task is svchost.exe (the Task Scheduler service), not a process named "task scheduler".
Filter/Exclusion: | where not (InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessParentFileName =~ "svchost.exe")

Scenario: Legitimate Software Deployment via SCCM
Description: An SCCM client deployment (CcmExec.exe) launches an installer that may retrieve content over HTTP from a distribution point. A match is possible only if a distribution point resolves to a listed IP:port pair; files and registry keys dropped by the installer cannot match URL indicators.
Filter/Exclusion: | where not (InitiatingProcessFileName =~ "setup.exe" and InitiatingProcessParentFileName =~ "ccmexec.exe")

Scenario: User-Initiated File Transfer via FTP
Description: A user launches the Windows FTP client (ftp.exe, not the server daemon ftpd.exe) from Explorer. FTP does not use HTTP and the listed indicators are on TCP 8080, so a match would require the client to connect to a listed host on that port; file names and paths cannot match URL indicators.
Filter/Exclusion: | where not (InitiatingProcessFileName =~ "ftp.exe" and InitiatingProcessParentFileName =~ "explorer.exe")