The hypothesis is that the detected URLs are part of a campaign using ASCII-encoded malicious payloads to evade basic URL filtering and delivery payloads to compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control communications or data exfiltration attempts.
IOC Summary
Threat: ascii Total URLs: 6 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://deltahub.vip/delta.hta | offline | malware_download | 2026-06-09 |
hxxp://cat.xiaoshabi.nl/mon.txt | offline | malware_download | 2026-06-09 |
hxxp://cat.xiaoshabi.nl/min.txt | offline | malware_download | 2026-06-09 |
hxxp://cat.xiaoshabi.nl/uas.txt | offline | malware_download | 2026-06-09 |
hxxp://cat.xiaoshabi.nl/cohernece.txt | offline | malware_download | 2026-06-09 |
hxxp://cat.xiaoshabi.nl/access.txt | offline | malware_download | 2026-06-09 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ascii
let malicious_domains = dynamic(["cat.xiaoshabi.nl", "deltahub.vip"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["cat.xiaoshabi.nl", "deltahub.vip"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service using ASCII-encoded URLs for internal validation.
Filter/Exclusion: Exclude URLs containing the string test-shortener or internal-validation in the domain or path.
Scenario: A scheduled job runs a script that generates ASCII art for reporting purposes, and the script includes a URL to a public ASCII art repository.
Filter/Exclusion: Exclude URLs that match the domain ascii-art.org or contain the path /art/.
Scenario: A DevOps team uses a CI/CD pipeline that includes a step to fetch ASCII-encoded documentation from a public repository during artifact builds.
Filter/Exclusion: Exclude URLs containing the substring docs/ or ci-artifact/ in the path.
Scenario: An IT support team uses a ticketing system that generates ASCII art for visual representation of ticket statuses, and the system includes a URL to a public ASCII art service.
Filter/Exclusion: Exclude URLs that match the domain status-ascii.com or contain the query parameter format=ascii.
Scenario: A security tool or SIEM system is configured to use a public ASCII art generator for visual alerts, and the tool includes a URL to an external ASCII art API.
Filter/Exclusion: Exclude URLs containing the domain ascii-alerts.net or the query parameter alert-type=ascii.