The ThreatFox: SnappyClient IOCs rule detects potential adversary activity linked to the SnappyClient malware, which is associated with advanced persistent threat (APT) groups known for targeted attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
IOC Summary
Malware Family: SnappyClient
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]240[.]107:3334 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 91[.]92[.]240[.]107:3333 | botnet_cc | 2026-06-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SnappyClient
// The IOCs above are ip:port pairs (ports 3333 and 3334); this query matches on the IP
// alone so that traffic to any port on the C2 host is surfaced. Narrow with
// DestinationPort in (3333, 3334) if the broader match is too noisy.
let malicious_ips = dynamic(["91.92.240.107"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort shows whether the connection hit 3333/3334.
let malicious_ips = dynamic(["91.92.240.107"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
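The KQL above matches on the C2 IP alone and leaves the port check to the analyst. The following Python is an added example, not part of the ThreatFox feed or this rule: it refangs the `91[.]92[.]240[.]107:3334` / `:3333` rows from the IOC table, parses a few constructed CEF-style extension strings of the kind that land in CommonSecurityLog, and reports each hit with a flag saying whether the port matched the published ip:port pair exactly or only the IP matched. The log lines, the `10.0.0.x` / `198.51.100.20` addresses and the helper names (`refang`, `build_indicator_set`, `hunt`) are assumptions made for the example.

```python
import re

# IOC rows copied from the table above, still in ThreatFox's defanged form.
# (ioc_type, value, threat_type, confidence)
THREATFOX_IOCS = [
    ("ip:port", "91[.]92[.]240[.]107:3334", "botnet_cc", 75),
    ("ip:port", "91[.]92[.]240[.]107:3333", "botnet_cc", 75),
]

# Constructed sample CEF extension strings (not real telemetry). The first hits the
# published C2 port, the second reaches the same host on an unlisted port, the third is benign.
SAMPLE_LINES = [
    "rt=2026-06-24T10:15:02Z src=10.0.0.5 spt=51234 dst=91.92.240.107 dpt=3333 act=allow",
    "rt=2026-06-24T10:16:40Z src=10.0.0.7 spt=51240 dst=91.92.240.107 dpt=8080 act=allow",
    "rt=2026-06-24T10:17:01Z src=10.0.0.9 spt=51250 dst=198.51.100.20 dpt=443 act=allow",
]

CEF_EXT_RE = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Undo the defanging used in threat feeds so the value can be compared to log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(value):
    """Split a (possibly defanged) 'ip:port' string into ('ip', port)."""
    ip, _, port = refang(value).rpartition(":")
    return ip, int(port)


def build_indicator_set(rows):
    """Return (set of bare IPs, set of (ip, port) tuples) from ip:port IOC rows."""
    ips, endpoints = set(), set()
    for ioc_type, value, _threat_type, _confidence in rows:
        if ioc_type != "ip:port":
            continue  # this example only handles the type present in the table
        ip, port = parse_ip_port(value)
        ips.add(ip)
        endpoints.add((ip, port))
    return ips, endpoints


def parse_cef_extension(line):
    """Turn 'key=value key=value ...' into a dict (values here contain no spaces)."""
    return dict(CEF_EXT_RE.findall(line))


def hunt(lines, rows=THREATFOX_IOCS):
    """Match each event's source and destination against the IOCs.

    Like the KQL queries, a hit is raised on IP alone; exact_port_match records
    whether the port also matched a published ip:port pair.
    """
    ips, endpoints = build_indicator_set(rows)
    hits = []
    for line in lines:
        ev = parse_cef_extension(line)
        for ip_key, port_key, direction in (("dst", "dpt", "outbound"), ("src", "spt", "inbound")):
            ip = ev.get(ip_key)
            if ip not in ips:
                continue
            port = int(ev[port_key]) if port_key in ev else None
            hits.append({
                "time": ev.get("rt"),
                "direction": direction,
                "remote": f"{ip}:{port}",
                "exact_port_match": (ip, port) in endpoints,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(hit)
```

Triaging on `exact_port_match` first is a reasonable default: a connection to the listed port is the stronger signal, while an IP-only hit on another port still deserves a look because C2 infrastructure is frequently reused across ports.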
Scenario: Scheduled System Backup Using SnappyClient
Description: A legitimate scheduled backup job is using SnappyClient to archive system files.
Filter/Exclusion: process.name != "snappyclient.exe" OR process.parent.name == "schtasks.exe"
Scenario: Admin Task to Update SnappyClient Configuration
Description: An administrator is manually updating the configuration of SnappyClient via a script or command line.
Filter/Exclusion: process.name != "snappyclient.exe" OR user.name == "admin"
Scenario: Internal Tool for Log Aggregation Using SnappyClient
Description: A company’s internal log aggregation tool uses SnappyClient to collect and compress logs.
Filter/Exclusion: process.name != "snappyclient.exe" OR process.parent.name == "logagent.exe"
Scenario: SnappyClient Used for File Compression in Development Environment
Description: Developers are using SnappyClient to compress large datasets as part of a development task.
Filter/Exclusion: process.name != "snappyclient.exe" OR process.parent.name == "devtools.exe"
Scenario: SnappyClient Invoked by a Legitimate Service for Data Sync
Description: A data synchronization service triggers SnappyClient to compress and transfer files between servers.
Filter/Exclusion: process.name != "snappyclient.exe" OR process.parent.name == "syncsvc.exe"