The hypothesis is that the adversary is using the IP 94-249-230-150 to host or distribute malicious URLs as part of a campaign to compromise endpoints. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration attempts early.
IOC Summary

Threat: 94-249-230-150
Total URLs: 17
Active URLs: 10

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://94.249.230.150/arm6 | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/arm7 | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/arc | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/curl.sh | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/mpsl | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/i586 | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/mips | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/m68k | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/wget.sh | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/i686 | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/sh4 | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/x86_64 | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/ftpget.sh | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/tftp.sh | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/ppc | offline | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/sparc | online | malware_download | 2026-06-20 |
| hxxp://94.249.230.150/arm5 | online | malware_download | 2026-06-20 |
```kql
// Hunt for DNS activity involving the URLhaus indicator
// Threat: 94-249-230-150
// The indicator is a bare IP, so match the resolved addresses as well as the queried name:
// a DNS query name will rarely contain the IP itself.
let malicious_domains = dynamic(["94.249.230.150"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to the URLhaus indicator (CEF-based sources)
// Matches the indicator in either the full request URL or the destination host field.
let malicious_domains = dynamic(["94.249.230.150"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching job that downloads a known good URL from a trusted source.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., https://download.microsoft.com, https://releases.ubuntu.com) or use a regex to exclude URLs containing update, patch, or release.
Scenario: Scheduled backup job that transfers data over a secure connection using a URL that matches the malicious pattern.
Filter/Exclusion: Exclude URLs that contain backup, restore, or snapshot in the path, or filter by source IP if the backup server is known and trusted.
Scenario: Admin task to manually test a URL for security purposes, such as penetration testing or red team simulation.
Filter/Exclusion: Exclude URLs that contain test, simulate, or penetration in the query string or path, or use an allowlist of approved test domains.
Scenario: Internal tool or script that generates temporary URLs for internal use, such as short-lived tokens or session identifiers.
Filter/Exclusion: Exclude URLs that contain token, session, or temp in the path or query, or filter by domain if the internal tool uses a known internal domain.
Scenario: Automated log aggregation or monitoring tool that uses a URL to send data to a central logging server.
Filter/Exclusion: Exclude URLs that match known internal logging endpoints (e.g., https://logserver.example.com/api/logs) or filter by HTTP method (e.g., POST to known internal APIs).
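To show how the CommonSecurityLog hunt and the update-server exclusion above behave together, here is an added Python example (not part of the original page or of Sentinel) that runs the same host-matching logic over constructed CEF lines. The sample events, the proxy vendor name and the allowlist hosts are assumptions; the only real value is the indicator IP from the IOC summary.

```python
"""Offline re-creation of the CommonSecurityLog hunt over constructed CEF events."""
import re
from urllib.parse import urlsplit

# Indicator taken from the URLhaus summary on this page.
MALICIOUS_HOSTS = {"94.249.230.150"}

# "Legitimate update" exclusion, applied as exact hostnames rather than as a
# substring rule, so a path like /update-arm7 on the indicator is not excluded.
ALLOWED_UPDATE_HOSTS = {"download.microsoft.com", "releases.ubuntu.com"}

# Constructed sample events (not real logs). CEF extension fields follow the 7th pipe;
# request ~ RequestURL, dhost ~ DestinationHostName, src ~ SourceIP, act ~ DeviceAction.
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|Proxy|1.0|100|Web Request|3|src=10.0.0.5 "
    "request=http://94.249.230.150/curl.sh dhost=94.249.230.150 act=allowed",
    "CEF:0|ExampleVendor|Proxy|1.0|100|Web Request|3|src=10.0.0.6 "
    "request=https://download.microsoft.com/update.exe dhost=download.microsoft.com act=allowed",
    "CEF:0|ExampleVendor|Proxy|1.0|100|Web Request|3|src=10.0.0.7 "
    "request=http://94.249.230.150/update-arm7 dhost=94.249.230.150 act=blocked",
]


def parse_cef_extension(line):
    """Return the CEF extension (everything after the 7th '|') as a key=value dict."""
    extension = line.split("|", 7)[7]
    return dict(re.findall(r"(\w+)=(\S+)", extension))


def hunt(lines):
    """Mirror the KQL: flag events whose URL host or destination host is the indicator,
    after dropping events to allowlisted update hosts."""
    hits = []
    for line in lines:
        ev = parse_cef_extension(line)
        url_host = urlsplit(ev.get("request", "")).hostname or ""
        dhost = ev.get("dhost", "")
        if url_host in ALLOWED_UPDATE_HOSTS or dhost in ALLOWED_UPDATE_HOSTS:
            continue  # known-good update server, per the false-positive scenario
        if url_host in MALICIOUS_HOSTS or dhost in MALICIOUS_HOSTS:
            hits.append({"src": ev.get("src"), "url": ev.get("request"), "action": ev.get("act")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_CEF):
        print(hit)
```

The third sample event keeps the word "update" in its path yet is still flagged, which is why the exclusion is keyed on the exact host rather than on a substring of the URL.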