URLhaus tags these URLs "arm" because the payloads they serve (for example monero.arm and monero.arm7 in the table below) are compiled for ARM processors, so Linux IoT, embedded and ARM-based cloud instances are the likely targets. Adversaries may use such URLs to deliver payloads or exfiltrate data, and may stage them on compromised or legitimate Azure resources for command and control. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of cloud infrastructure.
IOC Summary

Threat: arm
Total URLs: 5
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://95.214.53.157:37641/yui/ar712 | online | malware_download | 2026-06-14 |
| hxxp://95.214.53.157:37641/yui/ar512 | online | malware_download | 2026-06-14 |
| hxxp://bitter-handsome-truck.digivmm.katapult.cloud/monero.arm7 | offline | malware_download | 2026-06-14 |
| hxxp://bitter-handsome-truck.digivmm.katapult.cloud/monero.arm | offline | malware_download | 2026-06-14 |
| hxxp://152.89.76.240/monero.arm | offline | malware_download | 2026-06-14 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: arm
// Hostname indicators are matched on the queried name. IP-only indicators never
// appear as a DNS name, so they are matched on the resolved addresses instead.
let malicious_domains = dynamic(["bitter-handsome-truck.digivmm.katapult.cloud"]);
let malicious_ips = dynamic(["95.214.53.157", "152.89.76.240"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: arm
// All three hosts from the IOC table above, not only the first one.
let malicious_domains = dynamic(["95.214.53.157", "bitter-handsome-truck.digivmm.katapult.cloud", "152.89.76.240"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions

- Scenario: A system administrator is manually testing a security tool by downloading a known safe URL from URLhaus for validation purposes.
  Filter/Exclusion: Exclude URLs that match the URLhaus domain or any known safe test URLs used in security tool validation.
- Scenario: A scheduled job runs a script that fetches updates from a trusted source (e.g., update.packages.microsoft.com) which is mistakenly tagged as “arm” in the URLhaus database.
  Filter/Exclusion: Exclude URLs containing the domain update.packages.microsoft.com or any Microsoft update endpoints.
- Scenario: An IT team is performing a system cleanup and uses a legitimate tool like CCleaner to remove temporary files, which includes a URL that is falsely tagged as “arm” in the URLhaus database.
  Filter/Exclusion: Exclude URLs that match the ccleaner.com domain or any known legitimate cleanup tool endpoints.
- Scenario: A user is accessing a legitimate internal portal (e.g., internal.portal.example.com) that is incorrectly tagged as “arm” in the URLhaus database.
  Filter/Exclusion: Exclude URLs that match the internal domain internal.portal.example.com or any internal company URLs.
- Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins to pull a dependency from a repository (e.g., maven.apache.org) which is falsely flagged as “arm” in the URLhaus database.
  Filter/Exclusion: Exclude URLs that match the maven.apache.org domain or any known CI/CD tool artifact repositories.
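The two hunting queries above match on domain substrings only, and the exclusions above are phrased loosely. The following is an added example (not part of the original page, URLhaus, or Microsoft's content) that combines both: it parses the IOC table into host and path so a hit requires the full URL, not just the host, and it applies the scenario exclusions as an exact-host allowlist rather than a substring filter. It assumes the CommonSecurityLog and DnsEvents schemas used above; the indicator values are the ones in the IOC table, and the allowlist hostnames are illustrative, taken from the scenarios above (internal.portal.example.com is a placeholder).

```kusto
// Added example, not from the original page: host-and-path matching of the
// URLhaus "arm" indicators plus an exact-host allowlist for known false positives.
// Assumptions: Sentinel CommonSecurityLog and DnsEvents schemas as used above;
// indicator values copied from the IOC table on this page.
let iocs = datatable(url:string, status:string)
[
    "hxxp://95.214.53.157:37641/yui/ar712", "online",
    "hxxp://95.214.53.157:37641/yui/ar512", "online",
    "hxxp://bitter-handsome-truck.digivmm.katapult.cloud/monero.arm7", "offline",
    "hxxp://bitter-handsome-truck.digivmm.katapult.cloud/monero.arm", "offline",
    "hxxp://152.89.76.240/monero.arm", "offline"
];
// Refang the defanged scheme and split each indicator into host (no port) and path.
let ioc_parts = iocs
    | extend parsed = parse_url(replace_string(url, "hxxp://", "http://"))
    | extend ioc_host = tostring(parsed.Host), ioc_path = tostring(parsed.Path)
    | project url, status, ioc_host, ioc_path;
let ioc_hosts = toscalar(ioc_parts | summarize make_set(ioc_host));
// IP literals never appear as a DNS query name, so separate them from hostnames.
let ioc_ips   = toscalar(ioc_parts | where isnotnull(parse_ipv4(ioc_host)) | summarize make_set(ioc_host));
let ioc_names = toscalar(ioc_parts | where isnull(parse_ipv4(ioc_host))    | summarize make_set(ioc_host));
// Allowlist built from the false-positive scenarios. Exact hosts only: a substring
// exclusion such as has "microsoft.com" would also suppress lookalike hosts.
let allowlist_hosts = dynamic([
    "urlhaus.abuse.ch",               // manual validation against URLhaus itself
    "update.packages.microsoft.com",  // scheduled Microsoft update job
    "ccleaner.com",                   // legitimate cleanup tool
    "internal.portal.example.com",    // internal portal (placeholder hostname)
    "maven.apache.org"                // CI/CD dependency pulls
]);
// Web traffic: take the host from RequestURL, falling back to DestinationHostName
// when the proxy logs only a path, then require both host and path to match.
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    | extend req = parse_url(RequestURL)
    | extend req_host = coalesce(tostring(req.Host), DestinationHostName),
             req_path = tostring(req.Path)
    | where req_host in (ioc_hosts) and req_host !in (allowlist_hosts)
    | join kind=inner ioc_parts on $left.req_host == $right.ioc_host
    | where req_path == ioc_path   // full-URL match, not domain-only
    | project TimeGenerated, Source = "CommonSecurityLog", SourceIP,
              Observed = RequestURL, Indicator = url, IndicatorStatus = status, DeviceAction;
// DNS: hostname indicators on the queried name, IP indicators on the answers.
let dns_hits = DnsEvents
    | where (Name in (ioc_names) or IPAddresses has_any (ioc_ips))
        and Name !in (allowlist_hosts)
    | project TimeGenerated, Source = "DnsEvents", SourceIP = ClientIP,
              Observed = strcat(Name, " -> ", IPAddresses), Indicator = Name,
              IndicatorStatus = "", DeviceAction = "";
web_hits
| union dns_hits
| order by TimeGenerated desc
```

Because the join keys on host and then compares the path, a request to 95.214.53.157 for some other path does not fire, while a DNS answer containing that IP still does; if your proxy records only the path in RequestURL, the DestinationHostName fallback keeps the host match working. Keep the allowlist to exact hostnames so an exclusion for a vendor domain cannot be satisfied by an attacker-registered lookalike.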