The hypothesis is that the adversary is using URLs hosted on the IP 87.121.79.223 (URLhaus threat tag 87-121-79-223) to stage malware on compromised hosts. URLhaus classifies every listed URL as malware_download, and the paths themselves are telling: arm, arm5, arm7, m68k, mpsl and sh4 are architecture-specific binaries, and a.sh is the shell script a dropper fetches first to download and execute the right binary for the victim's CPU, the pattern of a multi-architecture IoT botnet payload server. SOC teams should proactively hunt for connections to this IP in Azure Sentinel to identify infected or targeted hosts early, before the second stage (command and control or data exfiltration) is established.
IOC Summary
Threat tag: 87-121-79-223. Total URLs: 7. Active URLs: 6 (the a.sh dropper script was offline at the time of the last check).
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://87.121.79.223/mpsl | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/sh4 | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/arm | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/m68k | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/arm5 | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/arm7 | online | malware_download | 2026-06-20 |
| hxxp://87.121.79.223/a.sh | offline | malware_download | 2026-06-20 |
```kql
// Hunt for DNS answers that resolve to the URLhaus-listed IP
// Threat: 87-121-79-223
// The indicator is a bare IP, so a host fetching these URLs issues no DNS
// query for it. The only DNS artefact is a domain that *resolves* to the IP,
// which lives in the IPAddresses (answer) column, not in the queried Name.
let malicious_ips = dynamic(["87.121.79.223"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IP (CEF sources)
// Match the destination IP exactly as well as the URL and hostname fields,
// since many firewalls log dst without a RequestURL.
let malicious_ips = dynamic(["87.121.79.223"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
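To check the matching logic of the CommonSecurityLog hunt before it runs against production data, the following Python script is an added, offline example (not code from the original page, not a Sentinel artefact). It refangs the URLhaus IOC table into a host and path set, parses a handful of constructed CEF lines in the shape Sentinel's CEF connector ingests, and flags events the way the KQL `where` clause does: exact match on the destination IP, the request URL's host, or the destination hostname. The CEF lines, the vendor names in them and the internal source addresses are constructed sample data; the indicator list is copied from the table above. It also shows why exact host comparison matters: a request to 187.121.79.223 is not a hit, even though a naive substring match on "87.121.79.223" would flag it.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table above (URLhaus defangs URLs with hxxp://).
IOC_URLS_DEFANGED = [
    "hxxp://87.121.79.223/mpsl",
    "hxxp://87.121.79.223/sh4",
    "hxxp://87.121.79.223/arm",
    "hxxp://87.121.79.223/m68k",
    "hxxp://87.121.79.223/arm5",
    "hxxp://87.121.79.223/arm7",
    "hxxp://87.121.79.223/a.sh",
]

# Constructed CEF sample lines (hypothetical hosts and vendors), one event per line.
SAMPLE_CEF = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|url|THREAT|3|rt=Jun 20 2026 09:14:02 src=10.0.0.15 dst=87.121.79.223 dpt=80 request=http://87.121.79.223/arm7 act=alert",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|url|THREAT|3|rt=Jun 20 2026 09:15:40 src=10.0.0.22 dst=87.121.79.223 dpt=8080 request=http://87.121.79.223:8080/bins.sh act=block",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|url|THREAT|1|rt=Jun 20 2026 09:16:11 src=10.0.0.9 dst=187.121.79.223 dpt=80 request=http://187.121.79.223/arm act=allow",
    "CEF:0|Zscaler|NSSWeblog|6.1|web|Web Transaction|1|rt=Jun 20 2026 09:17:55 src=10.0.0.30 dst=93.184.216.34 dpt=443 request=https://example.com/ act=allow",
    "CEF:0|Check Point|Firewall|R81|Accept|Accept|1|rt=Jun 20 2026 09:18:30 src=10.0.0.40 dhost=87.121.79.223 dpt=80 act=allow",
]

CEF_HEADER_FIELDS = 7  # CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|extension


def refang(url: str) -> str:
    """Undo URLhaus-style defanging (hxxp://, [.]) so the indicator parses as a URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE).replace("[.]", ".")


def build_indicators(defanged_urls):
    """Return (set of indicator hosts, set of exact URL paths) from the IOC list."""
    hosts, paths = set(), set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        hosts.add(parts.hostname)      # hostname drops any :port suffix
        paths.add(parts.path or "/")
    return hosts, paths


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header fields plus extension key=value pairs."""
    head = line.split("|", CEF_HEADER_FIELDS)
    if len(head) != CEF_HEADER_FIELDS + 1 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = {"DeviceVendor": head[1], "DeviceProduct": head[2]}
    # An extension value runs until the next " key=" token, so values may contain spaces (rt=...).
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", head[7]):
        event[m.group(1)] = m.group(2)
    return event


def hunt(lines, hosts, paths):
    """Emulate the CommonSecurityLog hunt: flag events whose destination IP (dst),
    request URL host (request) or destination hostname (dhost) equals an indicator host.
    Exact host comparison avoids substring hits such as 187.121.79.223."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        url = ev.get("request", "")
        url_parts = urlsplit(url) if url else None
        candidates = (
            ("DestinationIP", ev.get("dst")),
            ("RequestURL", url_parts.hostname if url_parts else None),
            ("DestinationHostName", ev.get("dhost")),
        )
        matched_on = [field for field, value in candidates if value in hosts]
        if not matched_on:
            continue
        hits.append({
            "DeviceVendor": ev["DeviceVendor"],
            "SourceIP": ev.get("src"),
            "DestinationIP": ev.get("dst"),
            "RequestURL": url,
            "DeviceAction": ev.get("act"),
            "matched_on": matched_on,
            # True when the path is one of the listed payloads; a different path on the
            # same IP is still a hit (new payload names appear on these servers often).
            "known_payload_path": bool(url_parts) and url_parts.path in paths,
        })
    return hits


def run():
    """Run the hunt over the constructed sample and return the hits."""
    hosts, paths = build_indicators(IOC_URLS_DEFANGED)
    return hunt(SAMPLE_CEF, hosts, paths)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

On the sample data the script reports three hits: the arm7 download (known payload path), the blocked fetch of an unlisted path on port 8080 (same IP, so still a hit), and the firewall event that only carries dhost; the 187.121.79.223 and example.com events are correctly ignored. The same exact-host logic applies to the DnsEvents query above: compare the resolved IPAddresses value against the indicator, not a substring of it.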
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF data connector (firewall/proxy) is enabled and forwarding |
| DnsEvents | Ensure the DNS data connector is enabled and the resolvers are logging answers |
Scenario: Scheduled PowerShell maintenance job
Description: A scheduled PowerShell script that cleans temporary files and logs is observed making a request to a URL on 87.121.79.223.
Filter/Exclusion: None. A bare IP serving architecture-specific binaries (arm, mpsl, sh4, m68k) and a shell script is not a plausible dependency of a maintenance job, and PowerShell launched from Task Scheduler is a common persistence and staging technique. Treat this as a true positive until the script's content has been reviewed, and do not exclude on the powershell.exe process name or on scheduled-task origin.
Scenario: Administrator updating proxy configuration
Description: An administrator changes proxy settings with netsh, ie4uinit.exe or a script, and the change is followed by a connection to 87.121.79.223.
Filter/Exclusion: Do not exclude on tool name or on accounts with admin privileges; an adversary with admin rights uses the same tools and accounts. Confirm through change records that 87.121.79.223 is an approved proxy or update endpoint before excluding anything, and scope any exclusion to that source host and destination pair.
Scenario: Outbound call from a monitoring agent
Description: An agent such as datadog-agent or newrelic-infra sends heartbeats or metrics to vendor infrastructure, and 87.121.79.223 is reported to be part of that infrastructure.
Filter/Exclusion: Verify the claim against the vendor's published endpoint list first; vendor agents talk to vendor domains over TLS, not to a bare IP serving files named arm7 and a.sh. Only if the IP is confirmed as vendor infrastructure, exclude the specific process and destination pair, never the tool name alone.
Scenario: DNS answer containing 87.121.79.223
Description: A DnsEvents record shows a domain resolving to 87.121.79.223, whether the query went through an internal resolver or to a public one such as Cloudflare at 1.1.1.1.
Filter/Exclusion: None based on the resolver. Which resolver answered does not change the answer, and a domain resolving to this IP is exactly what the DNS hunt is meant to surface. Pivot on the resolved Name and the querying ClientIP instead, and check whether the same client later appears in CommonSecurityLog.