The ThreatFox Socks5 Systemz IOCs cover potential adversary activity associated with a known malicious group that uses SOCKS5 proxies for command-and-control (C2) communications. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that use covert network tunnels to exfiltrate data and maintain persistence.
IOC Summary
Malware Family: Socks5 Systemz
Total IOCs: 8
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | proxybox.io | botnet_cc | 2026-06-08 | 100% |
| domain | vsttorentz.net | botnet_cc | 2026-06-08 | 100% |
| domain | proxy.am | botnet_cc | 2026-06-08 | 100% |
| domain | ejvphud.ua | botnet_cc | 2026-06-08 | 100% |
| domain | gdpkvkr.com | botnet_cc | 2026-06-08 | 100% |
| domain | bwiesit.com | botnet_cc | 2026-06-08 | 100% |
| domain | goeiwef.com | botnet_cc | 2026-06-08 | 100% |
| domain | kruxjou.ua | botnet_cc | 2026-06-08 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Socks5 Systemz
let malicious_domains = dynamic(["proxybox.io", "vsttorentz.net", "proxy.am", "ejvphud.ua", "gdpkvkr.com", "bwiesit.com", "goeiwef.com", "kruxjou.ua"]);
DnsEvents
// has_any is term-based, so subdomains of an IOC (e.g. sub.proxybox.io) also match
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
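The Sentinel query above flags any DNS query whose name contains an IOC domain as a term. The following is an added example, not code from the ThreatFox page or the Sentinel query, that runs the same hunt over a few constructed DNS log lines and shows the matching rule a practitioner usually wants: the queried name must equal an IOC or be a subdomain of it, so look-alike names such as "proxy.amazon.com" or "notproxybox.io" are not reported. The log format, host names and timestamps are constructed for the example; the domain list is copied from the IOC table on the page.

```python
"""Hunt constructed DNS log lines for the Socks5 Systemz domain IOCs
(added example; not part of the ThreatFox page or its Sentinel query)."""
import json
from typing import Optional

# Domain IOCs copied from the ThreatFox table on the page.
SOCKS5_SYSTEMZ_DOMAINS = {
    "proxybox.io", "vsttorentz.net", "proxy.am", "ejvphud.ua",
    "gdpkvkr.com", "bwiesit.com", "goeiwef.com", "kruxjou.ua",
}

# Constructed sample log: "<timestamp> <computer> <queried name>" per line.
# The third and fourth lines are deliberate look-alikes that must NOT match.
SAMPLE_DNS_LOG = """\
2026-06-08T10:01:02Z WS01 proxybox.io
2026-06-08T10:01:05Z WS01 update.proxybox.io.
2026-06-08T10:02:11Z WS02 proxy.amazon.com
2026-06-08T10:02:30Z WS03 notproxybox.io
2026-06-08T10:03:00Z WS02 KRUXJOU.UA
2026-06-08T10:04:00Z WS04 example.org
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully-qualified name."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs=SOCKS5_SYSTEMZ_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Comparing on label boundaries (exact match or ".<ioc>" suffix) avoids the
    substring false positives a plain "contains" check would produce.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(log_text: str) -> list:
    """Return one hit dict per log line whose queried name matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, computer, qname = line.split(maxsplit=2)
        ioc = matched_ioc(qname)
        if ioc:
            hits.append({"time": ts, "computer": computer,
                         "query": normalize(qname), "ioc": ioc})
    return hits


def kql_dynamic_list(iocs=SOCKS5_SYSTEMZ_DOMAINS) -> str:
    """Render the IOC set as the dynamic([...]) literal used in the Sentinel query."""
    return "dynamic(" + json.dumps(sorted(iocs)) + ")"


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
    print(kql_dynamic_list())
```

Running the script reports three hits (the exact IOC, its subdomain with a trailing dot, and the upper-case query) and ignores the two look-alike names; `kql_dynamic_list()` regenerates the `dynamic([...])` literal so the watchlist in the Sentinel query can be refreshed from the same source of truth.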
The following exclusions reference process-telemetry fields (process.name, process.command_line, process.user and so on), which are not columns of DnsEvents; apply them to the process-level hunt that DNS hits are pivoted into, not to the DNS query itself. Parentheses are added to make the intended grouping of each condition explicit.

| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using wget to download a package from a trusted internal repository | process.parent_process contains ("yum" or "apt" or "dnf" or "zypper") |
| Scheduled job using cron to fetch configuration files via SOCKS5 proxy for network monitoring | (process.command_line contains "cron" or "systemd") and (process.user contains "root" or "admin") |
| Admin task using curl to retrieve internal metrics from a monitoring tool via SOCKS5 proxy | process.command_line contains "curl" and process.args contains "--proxy" and process.user contains "monitoring" |
| Network diagnostic tool such as tcpdump using a SOCKS5 proxy for packet analysis | (process.name contains "tcpdump" or "wireshark") and process.args contains "--proxy" |
| Internal tool such as SaltStack or Ansible using a SOCKS5 proxy for configuration synchronization | (process.name contains "salt" or "ansible") and (process.args contains "--proxy" or "proxy-url") |