The ThreatFox: Satacom IOCs rule detects potential adversary activity linked to the Satacom threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: Satacom Total IOCs: 5 IOC Types: url, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://opaqueshellsoftsmoke.monster/indexactiverevenue.php | payload_delivery | 2026-05-22 | 100% |
| url | hxxps://totebagsforwork.com/nfront.php | payload_delivery | 2026-05-22 | 100% |
| url | hxxps://totebagsforwork.com/nback.php | payload_delivery | 2026-05-22 | 100% |
| sha256_hash | 4e286cd901813a5f80411e417fb5defe25ff9af00706e68509392f6e75cc3908 | payload | 2026-05-22 | 100% |
| sha256_hash | f3ef4663e909e2545d25bdd0edc7ba4f88d197760921ca23e7dededf7326aa8e | payload | 2026-05-22 | 100% |
// Hunt for access to known malicious URLs
// Source: ThreatFox - Satacom
let malicious_urls = dynamic(["https://opaqueshellsoftsmoke.monster/indexactiverevenue.php", "https://totebagsforwork.com/nfront.php", "https://totebagsforwork.com/nback.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Satacom
let malicious_hashes = dynamic(["4e286cd901813a5f80411e417fb5defe25ff9af00706e68509392f6e75cc3908", "f3ef4663e909e2545d25bdd0edc7ba4f88d197760921ca23e7dededf7326aa8e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule if the backup script or process matches one of the Satacom IOCs.
Filter/Exclusion: process.name != "vbm.exe" OR process.name != "vpxa.exe"
Scenario: Admin Task for Log Collection Using Splunk Forwarder
Description: A system administrator may run a Splunk Universal Forwarder process to collect logs, which could be flagged if the process name or command line matches a Satacom IOC.
Filter/Exclusion: process.name != "splunkforwarder.exe" OR process.name != "splunkd.exe"
Scenario: Database Maintenance Using SQL Server Agent Job
Description: A SQL Server Agent job running maintenance tasks (e.g., index rebuilds, backups) may trigger the rule if the job execution path or command line matches a Satacom IOC.
Filter/Exclusion: process.name != "sqlservr.exe" OR process.name != "sqlagent.exe"
Scenario: Network Monitoring with Wireshark
Description: A network analyst using Wireshark to capture and analyze network traffic may trigger the rule if the capture process or command line includes a Satacom IOC.
Filter/Exclusion: process.name != "wireshark.exe" OR process.name != "tshark.exe"
Scenario: Patch Management Using Microsoft System Center Configuration Manager (SCCM)
Description: A patch deployment task using SCCM may trigger the rule if the deployment script or process includes a Satacom IOC.
Filter/Exclusion: process.name != "ccmexec.exe" OR process.name != "smsexec.exe"