The ThreatFox: Satacom IOCs rule detects potential adversary activity linked to the Satacom threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Satacom Total IOCs: 5 IOC Types: url, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://opaqueshellsoftsmoke.monster/indexactiverevenue.php | payload_delivery | 2026-05-22 | 100% |
| url | hxxps://totebagsforwork.com/nfront.php | payload_delivery | 2026-05-22 | 100% |
| url | hxxps://totebagsforwork.com/nback.php | payload_delivery | 2026-05-22 | 100% |
| sha256_hash | 4e286cd901813a5f80411e417fb5defe25ff9af00706e68509392f6e75cc3908 | payload | 2026-05-22 | 100% |
| sha256_hash | f3ef4663e909e2545d25bdd0edc7ba4f88d197760921ca23e7dededf7326aa8e | payload | 2026-05-22 | 100% |
// Hunt for access to known malicious URLs
// Source: ThreatFox - Satacom
let malicious_urls = dynamic(["https://opaqueshellsoftsmoke.monster/indexactiverevenue.php", "https://totebagsforwork.com/nfront.php", "https://totebagsforwork.com/nback.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Satacom
let malicious_hashes = dynamic(["4e286cd901813a5f80411e417fb5defe25ff9af00706e68509392f6e75cc3908", "f3ef4663e909e2545d25bdd0edc7ba4f88d197760921ca23e7dededf7326aa8e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule if the backup script or process includes paths or artifacts matching the Satacom IOCs.
Filter/Exclusion: Check for process.name containing “Veeam” or file.name containing “Veeam” in the event log.
Scenario: Windows Task Scheduler Running Administrative Maintenance Tasks
Description: A scheduled task using the Windows Task Scheduler to perform routine maintenance (e.g., disk cleanup, log rotation) may include command-line arguments or paths that match the Satacom IOCs.
Filter/Exclusion: Filter events where process.name is “schtasks.exe” or where event_id is related to task scheduler activity.
Scenario: PowerShell Script for System Monitoring Using PerfMon
Description: A PowerShell script that uses Performance Monitor (PerfMon) to collect system metrics may include commands or paths that resemble Satacom IOCs.
Filter/Exclusion: Filter events where process.name is “powershell.exe” and check for command_line containing “perfmon” or “perfmon.exe”.
Scenario: Database Backup Using SQL Server Agent Jobs
Description: A SQL Server Agent job that performs database backups may include scripts or paths that match the Satacom IOCs, especially if the backup path is in a shared directory.
Filter/Exclusion: Filter events where process.name is “sqlagent.exe” or where file.path contains “MSSQL” or “SQLServer”.
Scenario: Log Collection Using Splunk Forwarder
Description: A Splunk Universal Forwarder collecting logs from various systems may include configuration files or scripts that match the Satacom IOCs due