The hypothesis is that the detected URLs are used by adversaries to exfiltrate credentials through the ACRStealer malware, leveraging compromised environments to steal sensitive data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential credential theft operations before significant data loss occurs.
IOC Summary
Threat: ACRStealer
Total URLs: 32
Active URLs: 13
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://4wm0.woodflo.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://unitmed.goodwork.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://checkcipher.besthire.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://serv4base.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://edge3dist.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://node2flow.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://unit1meta.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://main4point.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://data3sync.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://gate2proxy.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://web1infra.nuxbase.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://sat4link.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://rock3core.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://base2steel.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://moon1orbit.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://open4space.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://vast3field.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://zone2area.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://rim1outer.altasync.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://path4gate.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://view3sync.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://scan2point.protovoda.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://room1dark.protovoda.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://sync4vision.luxalabs.in.net/verification.google | offline | malware_download | 2026-03-19 |
| hxxps://ghost3node.luxalabs.in.net/verification.google | offline | malware_download | 2026-03-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ACRStealer
// Domain list taken from the active (online) URLs in the IOC table
let malicious_domains = dynamic(["edge3dist.veloxunit.in.net", "gate2proxy.nuxbase.in.net", "room1dark.protovoda.in.net", "unitmed.goodwork.in.net", "link4access.optigrid.in.net", "main4point.nuxbase.in.net", "node2flow.veloxunit.in.net", "data3sync.nuxbase.in.net", "web1infra.nuxbase.in.net", "serv4base.veloxunit.in.net", "4wm0.woodflo.in.net", "unit1meta.veloxunit.in.net", "checkcipher.besthire.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ACRStealer
// Same domain list; matches either the full request URL or the destination host
let malicious_domains = dynamic(["edge3dist.veloxunit.in.net", "gate2proxy.nuxbase.in.net", "room1dark.protovoda.in.net", "unitmed.goodwork.in.net", "link4access.optigrid.in.net", "main4point.nuxbase.in.net", "node2flow.veloxunit.in.net", "data3sync.nuxbase.in.net", "web1infra.nuxbase.in.net", "serv4base.veloxunit.in.net", "4wm0.woodflo.in.net", "unit1meta.veloxunit.in.net", "checkcipher.besthire.in.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to validate link expiration or tracking functionality.
Filter/Exclusion: Exclude URLs containing known shortening domains (e.g., bit.ly, tinyurl.com, buff.ly) or filter by user agent matching administrative tools (e.g., Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0).
Scenario: A scheduled job runs a script to fetch updates from a public URLhaus mirror (e.g., https://urlhaus.abuse.ch/api/v1/) for threat intelligence purposes.
Filter/Exclusion: Exclude traffic to known URLhaus endpoints or filter by source IP of internal threat intelligence systems.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins, GitHub Actions) to fetch a dependency from a public repository (e.g., https://example.com/repo/acrstealer-latest.zip) for testing.
Filter/Exclusion: Exclude URLs matching known CI/CD artifact URLs or filter by request method (e.g., HEAD or OPTIONS) used for metadata retrieval.
Scenario: A security analyst is performing a red team exercise and uses a legitimate tool (e.g., PowerShell, curl, or wget) to download a test payload from a controlled environment.
Filter/Exclusion: Exclude URLs that match internal test environments or use a specific source IP range reserved for red team activities.
Scenario: A system is running a scheduled backup job that temporarily uses a cloud storage URL (e.g., https://s3.amazonaws.com/backup-bucket/acrstealer-test) to store temporary files.
Filter/Exclusion:
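As an added example (not part of the original page or of URLhaus), the Python helper below refangs defanged IOC rows in the table format above, emits the `let malicious_domains = dynamic([...])` line the Sentinel queries use, and checks DNS records against the list while applying the kind of source-IP exclusion the URLhaus-mirror scenario describes; it also matches subdomains of a listed host, which goes slightly beyond the `has_any` term match in the queries. The three IOC rows, the DNS records and the 10.50.0.0/24 collector range are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed subset of the IOC table above, kept defanged exactly as the feed prints it.
IOC_ROWS = """
| hxxps://4wm0.woodflo.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://edge3dist.veloxunit.in.net/verification.google | online | malware_download | 2026-03-19 |
| hxxps://sat4link.termocenter.in.net/verification.google | offline | malware_download | 2026-03-19 |
"""
# Constructed records standing in for DnsEvents rows (source address, queried Name).
SAMPLE_DNS = [
    {"src": "10.20.1.5", "name": "edge3dist.veloxunit.in.net"},
    {"src": "10.50.0.7", "name": "edge3dist.veloxunit.in.net"},  # TI collector, excluded
    {"src": "10.20.1.9", "name": "veloxunit.in.net"},            # parent zone only, no hit
    {"src": "10.20.1.9", "name": "cdn.4wm0.woodflo.in.net."},    # subdomain, trailing dot
]
# Hypothetical range of internal threat-intel collectors (the URLhaus-mirror scenario above).
TI_SOURCES = ipaddress.ip_network("10.50.0.0/24")

def refang(url: str) -> str:
    """Undo common defanging so urlsplit can parse the URL: hxxp(s) -> http(s), [.] -> ."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)

def parse_iocs(table: str, include_offline: bool = True) -> list[dict]:
    """Turn markdown IOC rows into {url, host, status}; optionally keep only online rows."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].lower().startswith("hxxp"):
            continue  # header, separator or malformed row
        url, status = refang(cells[0]), cells[1]
        if include_offline or status == "online":
            rows.append({"url": url, "host": urlsplit(url).hostname.lower(), "status": status})
    return rows

def kql_dynamic(hosts: list[str]) -> str:
    """Render hosts as the `let malicious_domains = dynamic([...])` line used by the queries above."""
    return "let malicious_domains = dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "]);"

def hunt(records: list[dict], hosts: list[str]) -> list[str]:
    """Return queried names that equal or sit under a listed host, skipping TI collector sources."""
    hits = []
    for rec in records:
        if ipaddress.ip_address(rec["src"]) in TI_SOURCES:
            continue
        name = rec["name"].lower().rstrip(".")
        if any(name == h or name.endswith("." + h) for h in hosts):
            hits.append(name)
    return hits
```

Paste the string returned by `kql_dynamic` over the `let` line in either query to refresh the list from a newer feed export.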