The hypothesis is that the detected malicious URLs are likely used by adversaries to distribute malware, specifically APK files, to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware distribution campaigns before they cause widespread damage.
IOC Summary
Threat: apk | Total URLs: 7 | Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bedrive.ru/d7e0?download_token=8fd14012ea855aa9faf80c8eb1af722badb53202b93e2f60115069ac45612e91 | online | malware_download | 2026-06-10 |
| hxxps://2026ruproishestviyi.vercel.app/?download=1 | online | malware_download | 2026-06-10 |
| hxxps://bedrive.ru/d7e0?download_token=39b398d20f8fb10382d430e67c7c9de8aee2e70b95f4c135360967a0b8b53b0d | online | malware_download | 2026-06-10 |
| hxxps://gosuslugi-help.vercel.app/?download=1 | online | malware_download | 2026-06-10 |
| hxxps://max-files.vercel.app/?download=1 | online | malware_download | 2026-06-10 |
| hxxps://infohelprus.vercel.app/?download=1 | online | malware_download | 2026-06-10 |
| hxxps://photomaxost.vercel.app/ | online | malware_download | 2026-06-10 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: apk
let malicious_domains = dynamic(["infohelprus.vercel.app", "gosuslugi-help.vercel.app", "2026ruproishestviyi.vercel.app", "bedrive.ru", "max-files.vercel.app", "photomaxost.vercel.app"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: apk
let malicious_domains = dynamic(["infohelprus.vercel.app", "gosuslugi-help.vercel.app", "2026ruproishestviyi.vercel.app", "bedrive.ru", "max-files.vercel.app", "photomaxost.vercel.app"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Data Requirements

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
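The two hunts above match on host names only, with `has_any`, which is a term match rather than an exact host comparison, and they report DNS and proxy hits separately. The query below is an added example (not part of the original hunt page) that parses the host out of `RequestURL`, requires the `/d7e0` path for the bedrive.ru entries (the IOC carries a path and a per-download token, so the host alone is coarser than the indicator; the token is left out because it differs between the two IOCs), and unions the DNS and web hits into one per-source summary. Column names are those of the standard `CommonSecurityLog` and `DnsEvents` schemas; the fallback to `DestinationHostName` assumes some proxies log a path-only `RequestURL`.

```kql
// Added example: exact host matching, path-qualified bedrive.ru IOC, DNS + web union
// Threat: apk
let malicious_domains = dynamic(["infohelprus.vercel.app", "gosuslugi-help.vercel.app", "2026ruproishestviyi.vercel.app", "max-files.vercel.app", "photomaxost.vercel.app"]);
// IOC host whose path is part of the indicator (bedrive.ru/d7e0?download_token=...)
let path_qualified_host = "bedrive.ru";
let path_qualified_prefix = "/d7e0";
let web = CommonSecurityLog
    | where isnotempty(RequestURL)
    | extend Parsed = parse_url(RequestURL)
    | extend Host = tolower(tostring(Parsed.Host)), Path = tostring(Parsed.Path)
    // Assumption: some proxies log only the path in RequestURL; use the destination host then
    | extend Host = iff(isempty(Host), tolower(DestinationHostName), Host)
    | where Host in (malicious_domains)
        or (Host == path_qualified_host and Path startswith path_qualified_prefix)
    | project TimeGenerated, Source = SourceIP, Indicator = Host, Detail = RequestURL,
              Action = DeviceAction, Table = "CommonSecurityLog";
let dns = DnsEvents
    | extend Host = tolower(Name)
    // DNS has no path, so the bedrive.ru host is matched on its own here
    | where Host in (malicious_domains) or Host == path_qualified_host
    | project TimeGenerated, Source = Computer, Indicator = Host, Detail = tostring(IPAddresses),
              Action = "", Table = "DnsEvents";
union web, dns
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator), Samples = make_set(Detail, 5) by Source, Table
| order by LastSeen desc
```

A source that appears in both the `DnsEvents` and `CommonSecurityLog` rows for the same indicator resolved the host and then fetched from it, which is the stronger signal to triage first.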
False Positive Scenarios

Scenario: A system administrator is manually downloading a legitimate APK file from a trusted repository (e.g., F-Droid) to test an internal application.
Filter/Exclusion: Exclude URLs containing fdroid.org or f-droid.org in the URL field.

Scenario: A scheduled job is running a script that downloads a signed APK file from an internal artifact repository (e.g., Nexus Repository) for deployment.
Filter/Exclusion: Exclude URLs that match the internal artifact repository domain (e.g., nexus.internal.company.com) or contain /artifactory/ in the path.

Scenario: A developer is using Android Studio to debug an app and temporarily installs an APK file from the local file system.
Filter/Exclusion: Exclude URLs that start with file:// or are flagged as local file paths in the URL field.

Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender for Endpoint is performing a scheduled scan and downloads a known-good APK for signature analysis.
Filter/Exclusion: Exclude URLs containing crowdstrike.com or microsoft.com in the URL field, or filter by the source IP of the security tool.

Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins or GitLab CI to push a new APK to a test environment, which is then installed by a device.
Filter/Exclusion: Exclude URLs that match the CI/CD tool’s internal artifact URL pattern (e.g., ci.pipeline.company.com) or use a tag like ci-artifact in the URL.
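The exclusions above are written as "URL contains" tests. Applied literally, a substring or term match on `microsoft.com` would also suppress a lookalike host such as `microsoft.com.<attacker-controlled>`, and a match on `/artifactory/` would suppress any external URL that happens to carry that path segment. The query below is an added example (not from the original page) that applies the same exclusions as an allowlist of host names compared exactly or as a parent domain, drops `file://` entries by scheme, excludes the scanner by source range, and never lets the allowlist suppress a confirmed IOC host. The internal repository and CI host names are the page's own placeholders; the scanner subnet is a constructed placeholder to replace with the real source range.

```kql
// Added example: false-positive exclusions applied on the parsed host, not on the raw URL
// Threat: apk
let malicious_domains = dynamic(["infohelprus.vercel.app", "gosuslugi-help.vercel.app", "2026ruproishestviyi.vercel.app", "bedrive.ru", "max-files.vercel.app", "photomaxost.vercel.app"]);
// Allowlisted hosts from the scenarios above; internal names are placeholders from the page
let allowed_hosts = dynamic(["fdroid.org", "f-droid.org", "nexus.internal.company.com", "ci.pipeline.company.com", "crowdstrike.com", "microsoft.com"]);
// Constructed placeholder: source range of the EDR/AV scanner that fetches samples
let scanner_ranges = dynamic(["10.10.10.0/24"]);
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
| extend Scheme = tolower(tostring(Parsed.Scheme)), Host = tolower(tostring(Parsed.Host)), Path = tostring(Parsed.Path)
// Assumption: some proxies log a path-only RequestURL; fall back to the destination host
| extend Host = iff(isempty(Host), tolower(DestinationHostName), Host)
// Local installs (file://) are not web downloads; drop them by scheme rather than by prefix text
| where Scheme != "file"
// Scope: known IOC hosts, or any APK fetched over HTTP(S)
| where Host in (malicious_domains) or Path endswith ".apk"
// Count allowlist entries the host equals or is a subdomain of:
//   "dl.microsoft.com" -> allowed, "microsoft.com.evil.example" -> not allowed
| mv-apply AllowedHost = allowed_hosts to typeof(string) on (
    summarize AllowedHits = countif(Host == AllowedHost or Host endswith strcat(".", AllowedHost))
  )
// Internal artifact paths only count on the internal repository host, not on arbitrary hosts
| extend InternalArtifact = Host == "nexus.internal.company.com" and Path has "/artifactory/"
// A confirmed IOC host is never excluded, whatever the allowlist says
| where Host in (malicious_domains) or (AllowedHits == 0 and not(InternalArtifact))
// Scanner traffic excluded by source range, again never for an IOC host
| where Host in (malicious_domains) or not(ipv4_is_in_any_range(SourceIP, scanner_ranges))
| project TimeGenerated, SourceIP, Host, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Keeping the IOC-host test outside the allowlist logic is the point of the structure: tuning for the benign scenarios reduces noise on generic `.apk` downloads without creating a way for an indicator from the table above to be filtered out by a later allowlist change.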