Adversaries may be using the IP 138-124-117-90 to host or distribute malicious URLs as part of a campaign to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for this IP in Azure Sentinel to identify potential command and control channels or initial compromise vectors before they lead to broader network breaches.
IOC Summary
Threat: 138-124-117-90 Total URLs: 9 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://138.124.117.90/bins/mipsel | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/systemcl/m68k | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/systemcl/x86_64 | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/arm64 | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/i386 | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/i586 | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/ppc | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/s | offline | malware_download | 2026-06-26 |
hxxp://138.124.117.90/bins/sparc | offline | malware_download | 2026-06-26 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 138-124-117-90
let malicious_domains = dynamic(["138.124.117.90"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["138.124.117.90"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known benign URL tagged with the IP 138-124-117-90 for validation purposes.
Filter/Exclusion: Exclude URLs where the source is a known internal testing tool (e.g., curl, wget, or PowerShell scripts used in internal validation workflows).
Scenario: A scheduled job runs a nightly backup script that connects to a remote server using a URL associated with the IP 138-124-117-90 for configuration sync.
Filter/Exclusion: Exclude URLs originating from scheduled tasks or system services (e.g., crontab, Task Scheduler, or Windows Task Scheduler jobs).
Scenario: A security analyst is using the MITRE ATT&CK framework to simulate a phishing attack and includes a URL with the IP 138-124-117-90 as part of a red team exercise.
Filter/Exclusion: Exclude URLs that match known red team or training environments (e.g., URLs containing redteam, training, or simulate in the path or query parameters).
Scenario: A DevOps pipeline uses a CI/CD tool like Jenkins or GitLab CI to fetch dependencies from a private registry that is misconfigured and resolves to the IP 138-124-117-90.
Filter/Exclusion: Exclude URLs from known CI/CD tools (e.g., Jenkins, GitLab, GitHub Actions) or internal artifact repositories.
Scenario: An enterprise uses a third-party SaaS application that dynamically generates URLs with the IP 138-124-117-90 as part of its API endpoints, which are flagged due to