The hypothesis is that the detected URLs are part of a campaign using ASCII-encoded malicious payloads to evade basic URL filtering and delivery payloads to compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control communications or data exfiltration attempts.
IOC Summary
Threat: ascii Total URLs: 10 Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://bgmotors.ro/Chil.thn | online | malware_download | 2026-06-15 |
hxxps://hikmah69.net/wp-includes/theme-compat/nvfexht/uandeso/plftkrv/ojstub.ps1 | offline | malware_download | 2026-06-15 |
hxxps://cembusconfort.ro/Exoticisms121.dsp | online | malware_download | 2026-06-15 |
hxxp://85.121.240.117/AbgbIpo.txt | online | malware_download | 2026-06-15 |
hxxps://cembusconfort.ro/Grundfladernes.lpk | online | malware_download | 2026-06-15 |
hxxp://85.121.240.117/ASdoIee.txt | online | malware_download | 2026-06-15 |
hxxp://85.121.240.117/IfadgiF.txt | online | malware_download | 2026-06-15 |
hxxp://85.121.240.117/jkdekmk.txt | online | malware_download | 2026-06-15 |
hxxps://paste.sensio.no/CertainWhenever | offline | malware_download | 2026-06-15 |
hxxp://5.175.223.249/mass | offline | malware_download | 2026-06-15 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ascii
let malicious_domains = dynamic(["bgmotors.ro", "cembusconfort.ro", "85.121.240.117"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["bgmotors.ro", "cembusconfort.ro", "85.121.240.117"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service using a known safe ASCII URL for internal validation.
Filter/Exclusion: Exclude URLs containing the substring test-shortener.example.com or any URL that includes the query parameter ?test=true.
Scenario: A scheduled job runs a script that fetches ASCII-encoded data from a legitimate API endpoint for log analysis.
Filter/Exclusion: Exclude URLs that match the pattern api.loganalysis.example.com/* or any URL containing the path /v1/logs.
Scenario: A developer is using a tool like curl or wget to fetch ASCII-encoded configuration files from an internal repository during a deployment.
Filter/Exclusion: Exclude URLs that include the domain internal-repo.example.com or any URL with the path /config/ascii.
Scenario: A security tool like OSSEC or Splunk is configured to send ASCII-formatted alerts to a centralized logging system for correlation.
Filter/Exclusion: Exclude URLs that contain the string alert-logs.example.com or any URL with the query parameter ?format=ascii.
Scenario: A DevOps team uses Ansible or Chef to push ASCII-encoded scripts to managed nodes during a configuration update.
Filter/Exclusion: Exclude URLs that match the domain configmgr.example.com or any URL containing the path /scripts/ascii.