The detection identifies potential adversary activity involving malicious URLs associated with the URLhaus entry 282234, which are known to be linked to malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs for command and control or data exfiltration.
IOC Summary
Threat: 282234 | Total URLs: 3 | Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://196.251.107.104/NuclearBomb.exe | online | malware_download | 2026-06-12 |
| hxxp://196.251.107.104/sprd2.exe | online | malware_download | 2026-06-12 |
| hxxp://196.251.107.104/bot_x64.exe | online | malware_download | 2026-06-12 |
```kusto
// Hunt for DNS activity involving the URLhaus 282234 indicator
// Threat: 282234
// The indicator is a bare IP address, so matching the queried name alone would
// only catch reverse lookups; also match the resolved addresses returned to clients.
let malicious_ips = dynamic(["196.251.107.104"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to the URLhaus 282234 indicator
// Threat: 282234
// Check the destination IP field directly as well as URL and hostname fields,
// since proxies and firewalls populate these differently.
let malicious_ips = dynamic(["196.251.107.104"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool by accessing a known safe URL from the URLhaus list as part of a validation process.
Filter/Exclusion: Exclude URLs that match the urlhaus tag or any URLs associated with internal testing environments.
Scenario: A scheduled job runs a script that fetches updates from a trusted source (e.g., wget or curl) and includes a URL tagged as 282234 as part of a version check or dependency update.
Filter/Exclusion: Exclude URLs that originate from known update servers or match the urlhaus tag during scheduled job execution.
Scenario: A user is accessing a legitimate phishing training page hosted on a secure internal server, which includes a URL that happens to be listed in URLhaus due to a false positive.
Filter/Exclusion: Exclude URLs that are internal or match the internal or phishing-training tags.
Scenario: A security tool like OSSEC or Snort is configured to periodically check for known malicious URLs and includes a test URL from URLhaus as part of its health check.
Filter/Exclusion: Exclude URLs that are part of known security tool test cases or match the test or health-check tags.
Scenario: A DevOps pipeline uses Jenkins or GitHub Actions to deploy code and includes a URL from URLhaus as part of a dependency resolution process, which is later flagged as malicious.
Filter/Exclusion: Exclude URLs that are part of CI/CD pipelines or match the ci-cd or dependency tags.
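The following consolidated hunt is an added example, not part of the original detection content: it unions the DNS and web queries above and applies the exclusions described in the scenarios through a Sentinel watchlist. The watchlist name `Hunting_Exclusions` and its use of the default `SearchKey` column to hold approved source hosts or IPs (scanners, CI runners, test systems) are assumptions.

```kusto
// Added example: single hunt for URLhaus threat 282234 across DnsEvents and
// CommonSecurityLog, with approved sources removed via a watchlist.
let malicious_ips = dynamic(["196.251.107.104"]);
// Paths from the URLhaus entry; a hit on one of these is a likely payload download.
let malicious_paths = dynamic(["/NuclearBomb.exe", "/sprd2.exe", "/bot_x64.exe"]);
// Assumed watchlist: SearchKey holds hostnames/IPs of approved test or CI sources.
let excluded_sources = _GetWatchlist('Hunting_Exclusions') | project SearchKey;
let dns_hits = DnsEvents
    | where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
    | project TimeGenerated, Source = Computer, Indicator = Name,
              Detail = IPAddresses, LogSource = "DnsEvents", PayloadMatch = false;
let web_hits = CommonSecurityLog
    | where DestinationIP in (malicious_ips)
        or RequestURL has_any (malicious_ips)
        or DestinationHostName has_any (malicious_ips)
    | project TimeGenerated, Source = SourceIP, Indicator = RequestURL,
              Detail = DeviceAction, LogSource = "CommonSecurityLog",
              PayloadMatch = RequestURL has_any (malicious_paths);
union dns_hits, web_hits
// Drop events from sources listed in the exclusion watchlist.
| join kind=leftanti excluded_sources on $left.Source == $right.SearchKey
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), PayloadHits = countif(PayloadMatch),
            Indicators = make_set(Indicator), Actions = make_set(Detail)
            by Source, LogSource
| order by PayloadHits desc, LastSeen desc
```

Rows with a non-zero PayloadHits indicate a source that requested one of the listed executables rather than merely resolving or touching the IP, and should be triaged first.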