Adversaries use URLs carrying the URLhaus "arm" tag (which typically marks ELF payloads built for ARM devices, i.e. IoT and embedded targets) to deliver malware and, in some cases, to exfiltrate data, serving them from compromised hosts, bare IP addresses or otherwise trusted domains to evade reputation-based filtering. SOC teams should proactively hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to surface initial-compromise downloads and potential command-and-control channels. Note that every indicator below is hosted on a bare IP, so hunts must match on the IP address (DNS answers, destination IP, request URL), not on a DNS name.
IOC Summary

Threat: arm | Total URLs: 3 | Active URLs: 3

URLs are defanged (hxxp://) as published by URLhaus; refang them before loading into a watchlist.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.202.249.34/zakarm5 | online | malware_download | 2026-06-03 |
| hxxp://45.202.249.34/zakarm7 | online | malware_download | 2026-06-03 |
| hxxp://45.202.249.34/zakarm6 | online | malware_download | 2026-06-03 |
```kql
// Hunt for DNS resolutions that return the URLhaus-listed IP
// Threat: arm
// The indicator is a bare IP, so it must be matched against the resolved
// answers (IPAddresses), not the queried name: DnsEvents.Name never holds an IP.
let malicious_ips = dynamic(["45.202.249.34"]);
DnsEvents
| where isnotempty(IPAddresses)
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IP and its malware_download paths
let malicious_ips = dynamic(["45.202.249.34"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
// Flag requests for the exact listed paths separately from any other contact with the IP
| extend ListedUrl = RequestURL matches regex @"45\.202\.249\.34/zakarm[567]"
| project TimeGenerated, SourceIP, SourceUserName, RequestURL, DestinationIP, DestinationHostName, DeviceAction, ListedUrl
| order by TimeGenerated desc
```
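The following script is an added example (not URLhaus tooling and not code from this page) that mirrors the two hunts offline: it refangs the listed URLs, splits them into IP and hostname indicators, and runs them over constructed DnsEvents- and CommonSecurityLog-shaped rows. It generalises beyond the three IOCs above to hostname indicators as well, which is where the IP-versus-name distinction in the DNS hunt matters. The sample records, host names and source addresses are hypothetical.

```python
"""Offline mirror of the two Sentinel hunts: refang the URLhaus IOCs, split
them into IP and hostname indicators, and run them over sample DNS and proxy
records. Added example; not part of URLhaus or of the Sentinel queries."""
import ipaddress
import re
from urllib.parse import urlsplit

# The three URLhaus entries from the IOC table, defanged as published.
IOC_URLS = [
    "hxxp://45.202.249.34/zakarm5",
    "hxxp://45.202.249.34/zakarm7",
    "hxxp://45.202.249.34/zakarm6",
]

# Constructed sample rows shaped like DnsEvents / CommonSecurityLog
# (hypothetical hosts and addresses, not real telemetry).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-03T10:01:00Z", "Computer": "ws01",
     "Name": "update.contoso.com", "IPAddresses": "10.1.2.3"},
    {"TimeGenerated": "2026-06-03T10:02:00Z", "Computer": "ws02",
     "Name": "cdn-node.example.net", "IPAddresses": "45.202.249.34"},
]
SAMPLE_PROXY = [
    {"TimeGenerated": "2026-06-03T10:03:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://45.202.249.34/zakarm6", "DestinationIP": "45.202.249.34",
     "DestinationHostName": "", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-03T10:04:00Z", "SourceIP": "10.0.0.6",
     "RequestURL": "https://www.python.org/", "DestinationIP": "151.101.0.223",
     "DestinationHostName": "www.python.org", "DeviceAction": "allow"},
]


def refang(url):
    """Undo common defanging (hxxp://, [.] and [:]) so the IOC is usable."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def split_indicators(urls):
    """Return (ips, hostnames, full_urls) from defanged IOC URLs.

    A DNS hunt must compare IPs against the resolved answers and hostnames
    against the queried name; an IP placed in the name match silently
    matches nothing."""
    ips, hosts, full = set(), set(), set()
    for raw in urls:
        url = refang(raw)
        full.add(url)
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host.lower())
    return ips, hosts, full


def hunt_dns(events, urls):
    """Rows whose queried name is an IOC hostname or whose answers include an IOC IP."""
    ips, hosts, _ = split_indicators(urls)
    hits = []
    for e in events:
        name = e["Name"].lower().rstrip(".")
        answers = {a.strip() for a in e.get("IPAddresses", "").split(",") if a.strip()}
        if name in hosts or answers & ips:
            hits.append(e)
    return hits


def hunt_proxy(events, urls):
    """Rows whose request URL, destination IP or destination host matches an IOC."""
    ips, hosts, full = split_indicators(urls)
    hits = []
    for e in events:
        url = refang(e.get("RequestURL", ""))
        host = (urlsplit(url).hostname or "").lower()
        if (url in full or host in ips or host in hosts
                or e.get("DestinationIP") in ips
                or e.get("DestinationHostName", "").lower() in hosts):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS, IOC_URLS) + hunt_proxy(SAMPLE_PROXY, IOC_URLS):
        print(hit)
```

Feeding the refanged URL set into a Sentinel watchlist and keying the KQL on `ips` versus `hosts` reproduces the same split the script makes, so a future feed entry that is a hostname will be matched on `Name` and an IP on `IPAddresses` rather than both being pushed through one column.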
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector for your proxy or firewall is enabled and that DestinationIP and RequestURL are populated |
| DnsEvents | Ensure the DNS data connector is enabled and that it logs resolved answers (IPAddresses), not only queries |
The following scenarios can produce benign hits. Because the indicators here are malware_download paths on a bare IP, there is no legitimate business reason for production hosts to contact them; scope any exclusion to the specific source host, user or time window that was verified, rather than allow-listing the URL or IP for the whole tenant.

Scenario: A system administrator is validating a new URL filtering tool by deliberately requesting a URLhaus-listed URL from an isolated test host.
Filter/Exclusion: Exclude only that test host for the documented test window; the request should have been blocked, and an "allow" DeviceAction is itself a finding.

Scenario: A scheduled job fetches updates from a trusted internal repository, and one of the fetched URLs is flagged by URLhaus because of a false positive in its database.
Filter/Exclusion: Confirm the URL is a false positive (and report it to URLhaus), then exclude the specific job host and URL pair, not the repository as a whole.

Scenario: An IT admin performing system cleanup visits a URLhaus-listed URL that was previously used to download a legitimate tool (for example 7-Zip or WinRAR) from a source that has since been compromised or abandoned.
Filter/Exclusion: Treat the historical download as a potential compromise of that host; exclude only after the downloaded binary has been verified, and point future downloads at the vendor's official source.

Scenario: A user opens a URLhaus-listed URL that appears in a security research report or in a threat intelligence feed consumed by the organization's SOC.
Filter/Exclusion: Exclude the analyst sandbox or threat intelligence platform hosts (for example Mandiant, CrowdStrike or internal SIEM dashboards) that are expected to render or fetch IOC URLs, never ordinary user workstations.

Scenario: A DevOps pipeline runs a CI/CD job that pulls dependencies from a public artifact repository, and one of the URLs has been mistakenly tagged as malicious by URLhaus.
Filter/Exclusion: Exclude the verified CI/CD runner hosts and the canonical package manager endpoints (for example npm, PyPI or Maven Central) once the flagged artifact has been checked; a bare-IP download in a pipeline is not a package manager and should stay in scope.