Adversaries may use the URLs tagged "arm" in URLhaus to deliver payloads or exfiltrate data, leveraging compromised or legitimate Azure resources. SOC teams should proactively hunt for these URLs in Azure Sentinel so that command-and-control or data-exfiltration activity is identified and mitigated early.
IOC Summary

Threat: arm
Total URLs: 8
Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://89.190.156.61/bins/Akiru.arm5n | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/dlr.arm7 | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/Akiru.arm7 | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/dlr.arm5 | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/dlr.arm6 | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/Akiru.arm | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/dlr.arm | online | malware_download | 2026-05-27 |
| hxxp://89.190.156.61/bins/Akiru.arm6 | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolutions returning the URLhaus malicious IP
// Threat: arm
// The indicator is an IP address, so match the resolved addresses
// (IPAddresses) rather than the queried name, which would never contain it
let malicious_ips = dynamic(["89.190.156.61"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy/firewall traffic to the URLhaus malicious IP
// Threat: arm
// Check the destination IP field as well as the URL and host name fields
let malicious_ips = dynamic(["89.190.156.61"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions:

- Scenario: A system administrator is manually testing a new endpoint protection tool by accessing a known benign URL from the URLhaus list as part of a validation process.
  Filter/Exclusion: Exclude URLs that match the URLhaus tag and are part of a known validation or testing activity.
- Scenario: A scheduled job runs a script to download and verify malware samples from a trusted repository, which includes URLs tagged "arm" in URLhaus.
  Filter/Exclusion: Exclude URLs that are part of a known malware repository or are accessed by a specific scheduled job with a defined name.
- Scenario: An IT admin is performing a system cleanup and uses a tool like Sysinternals or Process Explorer to access a URL that is flagged as "arm" in URLhaus.
  Filter/Exclusion: Exclude URLs accessed by processes related to system diagnostic tools like Process Explorer or Sysmon.
- Scenario: A security team member is using a threat intelligence platform like Mandiant or CrowdStrike to access a URL for analysis, which is mistakenly tagged as "arm" in URLhaus.
  Filter/Exclusion: Exclude URLs accessed by known threat intelligence platforms or by users with elevated privileges for analysis purposes.
- Scenario: A CI/CD pipeline is pulling dependencies from a package manager like npm or Maven, and one of the URLs used is flagged as "arm" due to a false positive in URLhaus.
  Filter/Exclusion: Exclude URLs that are part of a CI/CD pipeline or accessed by package managers like npm, Maven, or pip.
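The two hunts above and the exclusion scenarios can be combined into a single query that matches the full "arm" download URLs as well as the IP, and drops sources that are on an approved list. This is an added example, not part of the original page; it assumes a Sentinel watchlist named `ApprovedMalwareTestSources` whose `SearchKey` column holds the source IPs or host names of sanctioned test machines, sample-fetching jobs, analyst workstations and CI/CD runners.

```kql
// Added example: one hunt over DnsEvents and CommonSecurityLog for the
// URLhaus "arm" IOCs, with approved sources excluded via a watchlist.
// Assumption: watchlist "ApprovedMalwareTestSources" exists with a
// SearchKey column of approved source IPs / host names.
let lookback = 30d;
let malicious_ip = "89.190.156.61";
// Refanged (hxxp -> http) copies of the URLs in the IOC table above
let malicious_urls = dynamic([
    "http://89.190.156.61/bins/Akiru.arm5n",
    "http://89.190.156.61/bins/dlr.arm7",
    "http://89.190.156.61/bins/Akiru.arm7",
    "http://89.190.156.61/bins/dlr.arm5",
    "http://89.190.156.61/bins/dlr.arm6",
    "http://89.190.156.61/bins/Akiru.arm",
    "http://89.190.156.61/bins/dlr.arm",
    "http://89.190.156.61/bins/Akiru.arm6"
]);
let approved_sources = _GetWatchlist('ApprovedMalwareTestSources')
    | project SearchKey;
// DNS: the indicator is an IP, so only names that resolve to it will match
// (an IP-literal URL like the ones above generates no DNS query at all)
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where IPAddresses has malicious_ip
    | project TimeGenerated, Source = Computer, Indicator = Name,
              Detail = IPAddresses, SourceTable = "DnsEvents";
// Proxy/firewall: match the destination IP or any of the full download URLs
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP == malicious_ip or RequestURL has_any (malicious_urls)
    | project TimeGenerated, Source = SourceIP, Indicator = RequestURL,
              Detail = DeviceAction, SourceTable = "CommonSecurityLog";
union dns_hits, web_hits
// Drop sources on the approved list (the false-positive scenarios above)
| join kind=leftanti (approved_sources) on $left.Source == $right.SearchKey
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator),
            Tables = make_set(SourceTable)
    by Source
| order by LastSeen desc
```

Any source that remains after the watchlist join warrants triage; exclusions tied to a process name or scheduled-job name need an endpoint telemetry table, which neither DnsEvents nor CommonSecurityLog provides.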