The ThreatFox: SectopRAT IOCs rule flags network connections to infrastructure that ThreatFox attributes to SectopRAT, a remote access trojan known for its persistence and data exfiltration capabilities. All three indicators are command-and-control (C2) ip:port pairs, so a match means a host in your environment is talking to a known C2 endpoint, not merely that a file or URL looked suspicious. SOC teams should hunt for these IOCs proactively in Microsoft Sentinel (formerly Azure Sentinel) and treat any hit as an active compromise to be scoped and contained, rather than waiting for an alert.
IOC Summary
Malware Family: SectopRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 212[.]43[.]148[.]167:9000 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 212[.]43[.]148[.]237:9000 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 212[.]43[.]148[.]105:9000 | botnet_cc | 2026-05-24 | 100% |
```kql
// Hunt for network connections to known SectopRAT C2 IPs in firewall/proxy (CEF) logs
// Source: ThreatFox - SectopRAT (ip:port IOCs; all three listen on TCP 9000)
let malicious_ips = dynamic(["212.43.148.105", "212.43.148.237", "212.43.148.167"]);
let c2_port = 9000;
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// The IOC type is ip:port, so rank exact pair matches above IP-only matches
| extend ExactIocMatch = (DestinationIP in (malicious_ips) and DestinationPort == c2_port)
    or (SourceIP in (malicious_ips) and SourcePort == c2_port)
| project TimeGenerated, DeviceVendor, SourceIP, SourcePort, DestinationIP, DestinationPort,
    DeviceAction, Activity, ExactIocMatch
| order by ExactIocMatch desc, TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events; the initiating process is the pivot for triage
let malicious_ips = dynamic(["212.43.148.105", "212.43.148.237", "212.43.148.167"]);
let c2_port = 9000;
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactIocMatch = RemotePort == c2_port
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType, ExactIocMatch,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, InitiatingProcessSHA256
| order by ExactIocMatch desc, Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF/Syslog-based connectors (firewalls, proxies, IDS); ensure the relevant data connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure it is enabled and Defender for Endpoint is deployed |
False Positives and Tuning
All three IOCs are C2 ip:port pairs rated botnet_cc at 100% confidence, so a match is not explained by which process opened the connection: a trusted tool that talks to a known C2 address is itself the finding, because a RAT routinely runs under, or injects into, legitimate processes. Filters of the form process.name != "x" or process.parent.name != "x" are the wrong tuning here: those field names are not Sentinel columns, and the condition is true for nearly every event, so it excludes almost nothing while inviting the analyst to dismiss the hit. The only legitimate causes of a match are an authorized host that contacts the address deliberately (a detonation sandbox or a threat-intel validation system) and reuse of the IP by another party after the 2026-05-24 first-seen date. Handle both by excluding the specific host (DeviceName in DeviceNetworkEvents, the internal address in CommonSecurityLog) or by checking for a port mismatch, never by process name. The scenarios below are kept for reference; none of them warrants a process-name exclusion.

Scenario: Legitimate Software Update via Chocolatey
Description: choco.exe retrieves packages from its configured sources over HTTPS; a connection from it to 212.43.148.x on port 9000 is not a package download. Treat it as a likely compromised host or a renamed binary.
Filter/Exclusion: none. Pivot on InitiatingProcessCommandLine and InitiatingProcessParentFileName in DeviceNetworkEvents to see how choco.exe was launched.

Scenario: Scheduled System Maintenance Task
Description: Scheduled tasks are a common persistence location. A task whose action reaches one of these addresses should be treated as the persistence mechanism, not as maintenance.
Filter/Exclusion: none. Export the task definition (schtasks /query /tn <name> /xml) and review what it runs, when it was created and by whom.

Scenario: Admin Using Process Monitor for Debugging
Description: ProcMon records other processes' activity; it has no reason to connect to these addresses itself. A hit attributed to procmon.exe points to a renamed binary or injected code, not to debugging.
Filter/Exclusion: none. Compare InitiatingProcessSHA256 against a known-good Sysinternals copy before believing the process name.

Scenario: Legitimate File Download via PowerShell
Description: The IOCs are addresses, not file paths or hashes, so a download from a trusted source cannot match them. PowerShell reaching port 9000 on these hosts is the classic downloader/stager pattern.
Filter/Exclusion: none. Collect the script content (PowerShell Script Block Logging, event ID 4104) and the InitiatingProcessCommandLine for the connection.

Scenario: Backup Job Using RoboCopy
Description: RoboCopy copies between local and UNC paths over SMB; a path cannot match an ip:port IOC, and it has no reason to contact port 9000 on these addresses.
Filter/Exclusion: none by process. If ownership of the IP has verifiably changed since the first-seen date, exclude that specific destination and port, not robocopy.exe.
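To see what the two hunting queries above actually match, and why tuning belongs on the host rather than on the process name, here is an added Python example that is not part of the ThreatFox feed or of the Sentinel queries. It refangs the three IOC values from the table into (ip, port) pairs, runs the same either-direction match over a handful of constructed firewall and endpoint records, separates exact ip:port hits from IP-only hits, and drops an allow-listed host. The internal host names and addresses, the process names and the ALLOWLIST_HOSTS set are assumptions made for the example.

```python
"""Offline version of the ip:port IOC match that the two Sentinel queries perform.

Added example, not code from ThreatFox or Microsoft Sentinel. The IOC values are
the three pairs from the table; every log record and the allow-list are constructed.
"""
import re
from collections import namedtuple

# Defanged values exactly as listed in the IOC table.
DEFANGED_IOCS = [
    "212[.]43[.]148[.]167:9000",
    "212[.]43[.]148[.]237:9000",
    "212[.]43[.]148[.]105:9000",
]

# Hosts allowed to touch known-bad infrastructure on purpose (assumed: an
# internal detonation sandbox). Tuning is done here, by host, never by process name.
ALLOWLIST_HOSTS = {"sbx-detonate01"}


def refang(ioc: str) -> tuple[str, int]:
    """'212[.]43[.]148[.]167:9000' -> ('212.43.148.167', 9000); rejects malformed input."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)


IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}   # exact ip:port matches
IOC_IPS = {ip for ip, _ in IOC_PAIRS}            # looser IP-only matches

Hit = namedtuple("Hit", "source host remote port process exact")


def match_record(source, host, src_ip, src_port, dst_ip, dst_port, process):
    """Return a Hit when either end of the connection is a listed IP, else None.

    exact=True means ip AND port matched (the IOC as published); exact=False means
    only the IP matched, which is still worth a look (IP reuse, scanning) but weaker.
    """
    if host in ALLOWLIST_HOSTS:
        return None
    for remote, port in ((dst_ip, dst_port), (src_ip, src_port)):
        if remote in IOC_IPS:
            return Hit(source, host, remote, port, process, (remote, port) in IOC_PAIRS)
    return None


# Constructed sample events: (table, host, src_ip, src_port, dst_ip, dst_port, process).
# Firewall (CommonSecurityLog) rows carry no process; endpoint rows do.
SAMPLE_EVENTS = [
    ("CommonSecurityLog", "fw-edge01", "10.0.5.23", 51514, "212.43.148.167", 9000, None),
    ("DeviceNetworkEvents", "ws-finance07", "10.0.5.23", 51514, "212.43.148.167", 9000, "choco.exe"),
    ("DeviceNetworkEvents", "ws-dev02", "10.0.7.9", 50211, "212.43.148.105", 443, "msedge.exe"),
    ("DeviceNetworkEvents", "sbx-detonate01", "10.0.9.1", 40000, "212.43.148.237", 9000, "sample.exe"),
    ("CommonSecurityLog", "fw-edge01", "212.43.148.237", 9000, "10.0.5.40", 52000, None),
    ("DeviceNetworkEvents", "ws-hr03", "10.0.6.4", 49321, "8.8.8.8", 53, "svchost.exe"),
]


def hunt(events=SAMPLE_EVENTS):
    """Exact ip:port hits first, then IP-only hits; allow-listed hosts are dropped."""
    hits = [h for h in (match_record(*e) for e in events) if h is not None]
    hits.sort(key=lambda h: (not h.exact, h.host))
    return hits


if __name__ == "__main__":
    for h in hunt():
        print(f"{'EXACT' if h.exact else 'ip-only':8} {h.source:<20} {h.host:<15} "
              f"{h.remote}:{h.port} {h.process or '-'}")
```

The choco.exe row survives as an exact hit: the process name is reported for triage, not used to suppress the match. The msedge.exe row is kept only as an IP-only hit, which is where an IP-reuse or scanning explanation would be checked before escalating.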