The hypothesis is that an adversary is using malicious URLs hosted on a compromised server at 118-107-44-253:8080 to exfiltrate data or deploy payloads. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches or malware infections early.
IOC Summary
Threat: 118-107-44-253-8080. Total URLs: 3. Active URLs: 3.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://118.107.44.253:8080/1.exe | online | malware_download | 2026-04-22 |
| hxxp://118.107.44.253:8080/Isass.exe | online | malware_download | 2026-04-22 |
| hxxp://118.107.44.253:8080/2.exe | online | malware_download | 2026-04-22 |
```kql
// Hunt for DNS activity involving the URLhaus indicator
// Threat: 118-107-44-253-8080
// Note: the indicator is an IP address, not a domain, so it is unlikely to appear in the queried Name;
// the resolved IPAddresses column is also checked.
let malicious_domains = dynamic(["118.107.44.253"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to the URLhaus indicator (request URL or destination host)
let malicious_domains = dynamic(["118.107.44.253"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
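Added example, not part of the original hunting page: the same matching predicates as the two queries above, applied offline to constructed CEF (the CommonSecurityLog source format) and DNS sample records so the hunt can be rehearsed before it is run in Sentinel. The CEF field names (src, dhost, request, act), the sample hosts and the helper names are assumptions for the dry run; the indicator values come from the IOC table.

```python
import re

IOC_HOST = "118.107.44.253"                      # indicator from the IOC table above
IOC_URLS = {                                      # the three URLhaus URLs, refanged
    "http://118.107.44.253:8080/1.exe",
    "http://118.107.44.253:8080/Isass.exe",
    "http://118.107.44.253:8080/2.exe",
}

def refang(url):
    """Undo the hxxp:// defanging used in IOC tables so URLs compare byte-for-byte."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def parse_cef(line):
    """Return the key=value extension fields of one CEF line (assumed field layout)."""
    parts = line.split("|", 7)
    ext = parts[7] if len(parts) == 8 else ""
    return dict(re.findall(r"(\w+)=(\S+)", ext))

def hunt_web(cef_lines):
    """Same predicate as the CommonSecurityLog query: IoC host in request URL or dest host.
    listed_url tells whether the full URL is one of the three known URLhaus entries."""
    hits = []
    for line in cef_lines:
        f = parse_cef(line)
        url, dhost = refang(f.get("request", "")), f.get("dhost", "")
        if IOC_HOST in url or IOC_HOST in dhost:
            hits.append({"src": f.get("src"), "url": url, "action": f.get("act"),
                         "listed_url": url in IOC_URLS})
    return hits

def hunt_dns(dns_events):
    """Same predicate as the DnsEvents query on Name, plus the resolved IPAddresses column,
    since an IP indicator rarely appears in a queried name."""
    return [e for e in dns_events
            if IOC_HOST in e.get("Name", "") or IOC_HOST in e.get("IPAddresses", "")]

# Constructed sample records for the dry run (not real telemetry).
SAMPLE_CEF = [
    "CEF:0|Vendor|Proxy|1.0|100|Web request|5|src=10.1.2.3 dhost=118.107.44.253 request=http://118.107.44.253:8080/Isass.exe act=allowed",
    "CEF:0|Vendor|Proxy|1.0|100|Web request|5|src=10.1.2.9 dhost=118.107.44.253 request=http://118.107.44.253:8080/index.html act=blocked",
    "CEF:0|Vendor|Proxy|1.0|100|Web request|3|src=10.1.2.4 dhost=updates.example.com request=http://updates.example.com/1.exe act=allowed",
]
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "updates.example.com", "IPAddresses": "203.0.113.10"},
    {"Computer": "ws02", "Name": "cdn.example.net", "IPAddresses": "118.107.44.253"},
]

if __name__ == "__main__":
    for h in hunt_web(SAMPLE_CEF):
        print("web", h)
    for h in hunt_dns(SAMPLE_DNS):
        print("dns", h)
```

The third CEF record shows why matching is on the host, not the filename: a `1.exe` fetched from a different host is not a hit, while any path on the indicator host is, whether or not URLhaus lists that exact URL.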
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Internal Development Server Hosting Legitimate Test URLs
Description: A developer uses a local server (e.g., httpd, nginx) to host internal test pages that are mistakenly tagged with the IP 118-107-44-253.
Filter/Exclusion: Exclude traffic originating from internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or filter by application name (e.g., dev-server, test-env).

Scenario: Scheduled Job Fetching Data from a Trusted API
Description: A scheduled job (e.g., cron, systemd.timer, Windows Task Scheduler) regularly accesses a legitimate API endpoint that is incorrectly associated with the IP 118-107-44-253.
Filter/Exclusion: Exclude traffic from known scheduled job processes (e.g., cron, systemd, task scheduler) or filter by URL path (e.g., /api/v1/data).

Scenario: Admin Access to a Legitimate Internal Portal
Description: An admin uses a secure portal (e.g., JumpServer, Grafana, Splunk) that is hosted on a server with the IP 118-107-44-253 and is falsely flagged as malicious.
Filter/Exclusion: Exclude traffic from admin accounts (e.g., sudo, root, admin) or filter by user-agent strings associated with internal tools.

Scenario: Legitimate Software Update Server
Description: A company uses a self-hosted update server (e