The hypothesis is that an adversary is using 176.65.139.121 as a payload-staging server. The 11 listed URLs serve one binary per CPU architecture (sparc, mips, i486, sh4, armv7l, m68k, x86_64, aarch64, mipsrouter, armv4l, arc), which is the staging pattern of a multi-architecture Linux/IoT bot dropper rather than of a Windows-endpoint campaign: a compromised router, server or IoT device fetches the binary matching its architecture and then joins the botnet's command and control. All 11 URLs were already offline when listed (2026-06-04), so the evidence will mostly be historical. SOC teams should hunt in Microsoft Sentinel (formerly Azure Sentinel) for DNS answers resolving to this IP and for connections or URL requests to it, so that infected devices can be isolated before command and control or data exfiltration follows.
IOC Summary

Threat: 176.65.139.121 | Total URLs: 11 | Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.121/iran.sparc | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.mips | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.i486 | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.sh4 | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.armv7l | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.m68k | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.x86_64 | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.aarch64 | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.mipsrouter | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.armv4l | offline | malware_download | 2026-06-04 |
| hxxp://176.65.139.121/iran.arc | offline | malware_download | 2026-06-04 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus-listed IP.
// The IOC is a bare IP, not a domain: matching only the queried Name would fire
// solely if a client literally queried the IP string, so match the resolved
// addresses (IPAddresses) as well.
// Threat: 176.65.139.121
let malicious_ips = dynamic(["176.65.139.121"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic (CEF via CommonSecurityLog) to the listed IP.
// RequestURL is only populated by devices that log URLs (proxies); firewall
// records carry the IP only, so DestinationIP is the reliable match for a bare-IP IOC.
let malicious_ips = dynamic(["176.65.139.121"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort,
          RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
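The two KQL hunts above, replayed in Python over constructed log records so the matching rules can be checked offline. This is an added example, not part of the original hunt page: the DnsEvents and CommonSecurityLog records are made up for the test, and the field names mirror the Sentinel columns used in the KQL. It shows the point that matters for a bare-IP IOC: in DNS telemetry the hit appears in the answer (IPAddresses), and in CEF telemetry a firewall-only record without a URL is still a hit through DestinationIP.

```python
"""Replay of the two Sentinel hunts over constructed log records.

Added example, not part of the original hunt page. The DnsEvents and
CommonSecurityLog records below are constructed to exercise the matching rules;
the field names mirror the Sentinel columns used in the KQL.
"""
import ipaddress
from urllib.parse import urlsplit

# The 11 URLhaus entries, defanged exactly as listed on the page.
IOC_URLS = [
    "hxxp://176.65.139.121/iran.sparc",
    "hxxp://176.65.139.121/iran.mips",
    "hxxp://176.65.139.121/iran.i486",
    "hxxp://176.65.139.121/iran.sh4",
    "hxxp://176.65.139.121/iran.armv7l",
    "hxxp://176.65.139.121/iran.m68k",
    "hxxp://176.65.139.121/iran.x86_64",
    "hxxp://176.65.139.121/iran.aarch64",
    "hxxp://176.65.139.121/iran.mipsrouter",
    "hxxp://176.65.139.121/iran.armv4l",
    "hxxp://176.65.139.121/iran.arc",
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp://, [.]) so the URL parses normally."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def ioc_ips(urls) -> set:
    """IP literals used as hosts in the IOC list (domain-name hosts are skipped)."""
    ips = set()
    for url in urls:
        host = urlsplit(refang(url)).hostname or ""
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            continue  # a domain name, not an IP literal
    return ips


def url_host(url: str) -> str:
    """Host component of a URL (port stripped), or "" if it does not parse."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def hunt_dns(records, ips):
    """DnsEvents hunt: a bare-IP IOC shows up in the answer (IPAddresses),
    not in the queried Name, unless a client asked for the IP literal itself."""
    hits = []
    for rec in records:
        answers = {a.strip() for a in rec.get("IPAddresses", "").split(",") if a.strip()}
        if answers & ips or rec.get("Name") in ips:
            hits.append(rec)
    return hits


def hunt_cef(records, ips):
    """CommonSecurityLog hunt: URL host, destination host name or destination IP."""
    hits = []
    for rec in records:
        if (url_host(rec.get("RequestURL", "")) in ips
                or rec.get("DestinationHostName") in ips
                or rec.get("DestinationIP") in ips):
            hits.append(rec)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-05T01:02:03Z", "Computer": "dns01", "ClientIP": "10.1.4.22",
     "Name": "cdn-update.example", "IPAddresses": "176.65.139.121"},       # hit: answer is the IOC
    {"TimeGenerated": "2026-06-05T01:02:09Z", "Computer": "dns01", "ClientIP": "10.1.4.23",
     "Name": "www.example.org", "IPAddresses": "93.184.216.34"},          # benign
    {"TimeGenerated": "2026-06-05T01:03:00Z", "Computer": "dns01", "ClientIP": "10.1.4.24",
     "Name": "121.139.65.176.in-addr.arpa", "IPAddresses": ""},           # PTR lookup, no match
]
SAMPLE_CEF = [
    {"TimeGenerated": "2026-06-05T01:02:05Z", "SourceIP": "10.1.4.22", "DestinationIP": "176.65.139.121",
     "DestinationPort": "80", "RequestURL": "http://176.65.139.121/iran.x86_64",
     "DestinationHostName": "", "DeviceAction": "allow"},              # proxy record: hit via URL host
    {"TimeGenerated": "2026-06-05T01:02:06Z", "SourceIP": "10.1.4.30", "DestinationIP": "176.65.139.121",
     "DestinationPort": "443", "RequestURL": "", "DestinationHostName": "",
     "DeviceAction": "deny"},                                          # firewall record: hit via DestinationIP only
    {"TimeGenerated": "2026-06-05T01:02:07Z", "SourceIP": "10.1.4.31", "DestinationIP": "93.184.216.34",
     "DestinationPort": "443", "RequestURL": "https://www.example.org/",
     "DestinationHostName": "www.example.org", "DeviceAction": "allow"},  # benign
]


def run_hunts():
    """Run both hunts over the constructed samples; returns (dns_hits, cef_hits)."""
    ips = ioc_ips(IOC_URLS)
    return hunt_dns(SAMPLE_DNS, ips), hunt_cef(SAMPLE_CEF, ips)


if __name__ == "__main__":
    dns_hits, cef_hits = run_hunts()
    for rec in dns_hits:
        print("DNS", rec["TimeGenerated"], rec["ClientIP"], rec["Name"], "->", rec["IPAddresses"])
    for rec in cef_hits:
        print("CEF", rec["TimeGenerated"], rec["SourceIP"], "->", rec["DestinationIP"],
              rec["RequestURL"] or "(no URL logged)", rec["DeviceAction"])
```

The PTR record is there deliberately: a reverse lookup of the IOC puts the octets in reverse order, so an exact or term-ordered match on the IP string does not fire on it, which is the behaviour you want (a PTR query is usually an analyst or a mail server doing a lookup, not a victim).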
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from the proxy or firewall that sees outbound traffic). RequestURL is only populated by devices that log URLs; for a bare-IP IOC the DestinationIP match is the one that fires on firewall records. |
| DnsEvents | Ensure this data connector is enabled (DNS Analytics). Because the IOC is an IP, a DNS hit requires a domain that resolves to it; the listed URLs address the IP directly, so most evidence will be in the traffic logs rather than in DNS. |
Scenario: Legitimate scheduled system update job
Description: A scheduled job (cron, Windows Task Scheduler or Windows Update) downloads a file from 176.65.139.121 at the same time each night, so the hit looks like routine maintenance.
Filter/Exclusion: Do not exclude on domains such as update.microsoft.com: the IOC is an IP literal, so a domain allowlist never matches it and only hides the real question. Verify the initiating process and the exact URL. A patch job fetching a bare-IP URL named iran.<arch> is not legitimate. Exclude only once the destination and path have been confirmed as an approved internal or vendor host, and scope the exclusion to that host, account and URL path, not to the scheduler as a whole.
Scenario: Internal network discovery tool scanning for vulnerabilities
Description: A vulnerability scanner (e.g., Nessus or OpenVAS), a threat-intelligence enrichment service or a detonation sandbox deliberately contacts 176.65.139.121 to check whether the listed payload URLs are still live, producing hits that originate from security infrastructure.
Filter/Exclusion: Tag, rather than drop, hits whose SourceIP is a documented scanner or sandbox host, and confirm the timing matches the scan schedule. Do not filter on process names such as nessusd or openvasd: they are not present in network logs, and a compromised scanner host would be excluded along with the legitimate scans.
Scenario: Admin performing remote PowerShell script execution
Description: An administrator runs a PowerShell script that fetches content from a remote server, and the hunt flags it because that server is 176.65.139.121.
Filter/Exclusion: Do not exclude on a PowerShell User-Agent or on admin workstations: the User-Agent is client-controlled, and attackers run PowerShell on compromised admin hosts precisely because it blends in. Confirm with the administrator what the script was meant to reach; a script pulling iran.<arch> binaries from this IP is not administration. If a legitimate script genuinely uses this IP, exclude only that script's exact URL and the named account.
Scenario: Cloud provider IP range overlap
Description: 176.65.139.121 sits in a hosting or cloud provider's address space, so after the malicious URLs went offline (all 11 are listed as offline) the address may be reassigned to an unrelated tenant, and later traffic to it may be legitimate.
Filter/Exclusion: Do not blanket-exclude cloud or hosting provider ranges: commodity VPS space is exactly where payload servers are staged, and such an exclusion would suppress the true positives this hunt exists to find. Compare the hit time with the Date Added (2026-06-04), check current ownership via RDAP/WHOIS and passive DNS, and scope any exclusion to the single verified destination and client.
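To turn the four scenarios above into repeatable triage instead of ad-hoc exclusions, the following is an added Python example (not part of the original page). The IOC IP, paths and listing date come from the table; the security-tooling source allowlist, the update-domain allowlist and the sample hits are constructed for illustration, and the field names follow the CommonSecurityLog columns used in the hunt. It encodes the rules argued above: an exact listed payload path is high priority, an IP-only contact is medium, security tooling sources are tagged for review but never dropped, a domain allowlist cannot suppress an IP-literal host, and a blocked connection still needs the initiating process identified.

```python
"""Triage of hunt hits against the false-positive scenarios on the page.

Added example, not part of the original page. IOC values are taken from the
listing; SECURITY_TOOLING_SOURCES, UPDATE_DOMAINS and SAMPLE_HITS are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

IOC_IP = "176.65.139.121"
IOC_PATHS = {
    "/iran.sparc", "/iran.mips", "/iran.i486", "/iran.sh4", "/iran.armv7l", "/iran.m68k",
    "/iran.x86_64", "/iran.aarch64", "/iran.mipsrouter", "/iran.armv4l", "/iran.arc",
}
IOC_DATE_ADDED = datetime(2026, 6, 4, tzinfo=timezone.utc)

# Constructed: source IPs of the vulnerability scanner and the detonation
# sandbox that are expected to touch IOCs deliberately.
SECURITY_TOOLING_SOURCES = {"10.20.0.5", "10.20.0.6"}
# Constructed: domains a patch job is allowed to talk to.
UPDATE_DOMAINS = {"update.microsoft.com", "patchserver.example.internal"}


@dataclass
class Verdict:
    priority: str  # "high", "medium", "review" or "none"
    reasons: list


def host_is_allowlisted_domain(url: str) -> bool:
    """True only for a real domain on the allowlist. An IP-literal host never
    matches, which is why a domain-based exclusion cannot suppress this IOC."""
    host = urlsplit(url).hostname or ""
    return host in UPDATE_DOMAINS


def triage(hit: dict) -> Verdict:
    """Classify one CommonSecurityLog hit and explain the classification."""
    url = hit.get("RequestURL", "")
    parts = urlsplit(url) if url else None
    host = (parts.hostname or "") if parts else ""
    path = parts.path if parts else ""

    if host == IOC_IP and path in IOC_PATHS:
        priority, reasons = "high", [f"exact listed payload URL requested: {path}"]
    elif host == IOC_IP or hit.get("DestinationIP") == IOC_IP:
        priority, reasons = "medium", ["contact with the listed IP; URL not in the listing"]
    elif host_is_allowlisted_domain(url):
        return Verdict("none", ["allow-listed update domain, IOC not involved"])
    else:
        return Verdict("none", ["hit does not involve the IOC"])

    when = datetime.fromisoformat(hit["TimeGenerated"])
    if when < IOC_DATE_ADDED:
        reasons.append("activity predates the listing date; retro-hunt the client for follow-on C2")
    else:
        reasons.append("listing shows all URLs offline; confirm current RDAP ownership before closing as reassigned")

    if hit.get("SourceIP") in SECURITY_TOOLING_SOURCES:
        priority = "review"  # tag, never drop: tooling hosts get compromised too
        reasons.append("source is allow-listed security tooling; confirm against the scan schedule")

    if hit.get("DeviceAction", "").lower() in {"deny", "denied", "block", "blocked", "drop"}:
        reasons.append("blocked at the edge; still identify the initiating process on the client")
    return Verdict(priority, reasons)


# Constructed sample hits, one per scenario-style outcome.
SAMPLE_HITS = [
    {"TimeGenerated": "2026-06-05T02:14:00+00:00", "SourceIP": "10.1.4.22", "DestinationIP": IOC_IP,
     "RequestURL": "http://176.65.139.121/iran.x86_64", "DeviceAction": "allow"},   # real download
    {"TimeGenerated": "2026-06-05T03:00:00+00:00", "SourceIP": "10.20.0.5", "DestinationIP": IOC_IP,
     "RequestURL": "http://176.65.139.121/iran.mips", "DeviceAction": "allow"},     # scanner probing the IOC
    {"TimeGenerated": "2026-06-01T23:59:00+00:00", "SourceIP": "10.1.4.30", "DestinationIP": IOC_IP,
     "RequestURL": "", "DeviceAction": "deny"},                                      # firewall-only, pre-listing
    {"TimeGenerated": "2026-06-05T02:15:00+00:00", "SourceIP": "10.1.4.40", "DestinationIP": "203.0.113.10",
     "RequestURL": "http://update.microsoft.com/x.cab", "DeviceAction": "allow"},   # genuine update traffic
]


def triage_all(hits=SAMPLE_HITS):
    """Verdicts for every hit, in input order."""
    return [triage(h) for h in hits]


if __name__ == "__main__":
    for hit, verdict in zip(SAMPLE_HITS, triage_all()):
        print(verdict.priority.upper(), hit["SourceIP"], hit.get("RequestURL") or hit["DestinationIP"])
        for reason in verdict.reasons:
            print("   -", reason)
```

Note that the scanner hit still ends up as "review" with the high-confidence reason attached, not discarded: the point of the allowlist is to route the alert, not to silence it.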