URLhaus: apk Malicious URLs

Hunt Hypothesis

The hypothesis is that the detected malicious URLs are likely used by adversaries to distribute malware disguised as APK files, enabling unauthorized access and persistence on infected devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of mobile endpoints before significant damage occurs.

IOC Summary

Threat: apk Total URLs: 3 Active URLs: 3

URL	Status	Threat	Date Added
`hxxps://2026rupolice.vercel.app/?download=1`	online	malware_download	2026-06-09
`hxxps://news24-ebon.vercel.app/?download=1`	online	malware_download	2026-06-09
`hxxps://spiskisvo.xyz/%D0%90%D0%9A%D0%A2%D0%A3%D0%90%D0%9B%D0%AC%D0%9D%D0%AB%D0%99_%D0%A1%D0%9F%D0%98%D0%A1%D0%9E%D0%9A.apk`	online	malware_download	2026-06-09

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: apk 
let malicious_domains = dynamic(["spiskisvo.xyz", "2026rupolice.vercel.app", "news24-ebon.vercel.app"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["spiskisvo.xyz", "2026rupolice.vercel.app", "news24-ebon.vercel.app"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled

References

URLhaus

False Positive Guidance

Scenario: Legitimate Android App Update Distribution
Description: A system administrator is distributing a legitimate Android app update via a company-managed repository, which includes .apk files.
Filter/Exclusion: Exclude URLs that match internal package management systems (e.g., internal-repo.example.com, artifactory.example.com) or use a filter like:
```
(url contains "internal-repo" or url contains "artifactory") and (url contains ".apk")
```
Scenario: Scheduled Job for Android App Signing
Description: A scheduled job runs to sign and package Android apps using tools like jarsigner or apksigner, generating temporary .apk files during the process.
Filter/Exclusion: Exclude URLs that contain job names or timestamps (e.g., signing-job-20250410.apk) or use a filter like:
```
(url contains "signing-job" or url contains "apksigner") and (url contains ".apk")
```
Scenario: User-Initiated File Transfer via WebDAV
Description: A user is transferring a .apk file via WebDAV to a shared folder for internal testing or distribution.
Filter/Exclusion: Exclude URLs that match internal WebDAV endpoints (e.g., webdav.example.com/teams/IT) or use a filter like:
```
(url contains "webdav.example.com" or url contains "teams/IT") and (url contains ".apk")
```
Scenario: Android App Packaging Tool Usage
Description: A developer is using tools like Android Studio or Gradle to build and package an .apk file as part of the development lifecycle.
*