The detection identifies potential botnet C2 communication through malicious URLs sourced from URLhaus, indicating an adversary is attempting to maintain persistent remote control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to disrupt command-and-control channels and prevent data exfiltration and lateral movement.
IOC Summary

Threat: botnet
Total URLs: 13
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://31.57.129.10/bins/ecryptfsd | offline | malware_download | 2026-05-23 |
| hxxp://31.57.129.10:8000/bins/ecryptfsd | offline | malware_download | 2026-05-23 |
| hxxp://31.57.129.10/bins/jbd2_sda1d | offline | malware_download | 2026-05-23 |
| hxxp://31.57.129.10:8000/bins/loader.sh | offline | malware_download | 2026-05-23 |
| hxxps://simonizauto.com/wp-includes/fonts/loader.sh | offline | malware_download | 2026-05-23 |
| hxxp://176.65.139.182/phantom.sh | offline | malware_download | 2026-05-23 |
| hxxp://31.57.129.10/bins/loader.sh | offline | malware_download | 2026-05-23 |
| hxxp://5.175.249.163/bins/morte.x86_64 | offline | malware_download | 2026-05-23 |
| hxxp://5.175.249.163:8080/b?k=bbee54406bdf5263ce87a60545079a1b | offline | malware_download | 2026-05-23 |
| hxxps://tpkpolus.ru/wp-content/plugins/dvgfltm/aa/loader.sh | offline | malware_download | 2026-05-23 |
| hxxps://www.simonizauto.com/wp-includes/fonts/loader.sh | offline | malware_download | 2026-05-23 |
| hxxp://103.82.25.124/loader.sh | offline | malware_download | 2026-05-23 |
| hxxp://85.17.200.10/loader.sh | offline | malware_download | 2026-05-23 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: botnet
// The indicator list mixes hostnames and IP literals. A DNS query name will only
// ever match the hostnames, so the resolved-address field (IPAddresses) is also
// checked to catch the IP-based indicators.
let malicious_domains = dynamic(["31.57.129.10", "103.82.25.124", "www.simonizauto.com", "tpkpolus.ru", "176.65.139.182", "simonizauto.com", "5.175.249.163", "85.17.200.10"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: botnet
// DestinationIP is checked as well, since proxy/firewall records for direct-to-IP
// downloads (the majority of the indicators above) may carry no hostname at all.
let malicious_domains = dynamic(["31.57.129.10", "103.82.25.124", "www.simonizauto.com", "tpkpolus.ru", "176.65.139.182", "simonizauto.com", "5.175.249.163", "85.17.200.10"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
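The hunt queries above are built by hand from the IOC table, which is error-prone: defanged schemes must be restored, ports dropped, duplicates collapsed, and IP literals separated from hostnames so that each is matched against the right log column. The following Python script is an added example (not part of the original page or of URLhaus tooling) that automates that step. It takes the defanged URLs from the table as constructed input, normalizes them, and renders the `let` statements and the `DnsEvents` / `CommonSecurityLog` hunt queries; the optional `allowlist` parameter and the `malicious_hosts` / `malicious_ips` variable names are assumptions chosen for this example.

```python
"""Turn URLhaus-style defanged URLs into Sentinel (KQL) hunt queries.

Added example; the URL list below is copied from the IOC table on this page
and is the only input the script needs.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: defanged URLs as they appear in the IOC table.
IOC_URLS = [
    "hxxp://31.57.129.10/bins/ecryptfsd",
    "hxxp://31.57.129.10:8000/bins/ecryptfsd",
    "hxxp://31.57.129.10/bins/jbd2_sda1d",
    "hxxp://31.57.129.10:8000/bins/loader.sh",
    "hxxps://simonizauto.com/wp-includes/fonts/loader.sh",
    "hxxp://176.65.139.182/phantom.sh",
    "hxxp://31.57.129.10/bins/loader.sh",
    "hxxp://5.175.249.163/bins/morte.x86_64",
    "hxxp://5.175.249.163:8080/b?k=bbee54406bdf5263ce87a60545079a1b",
    "hxxps://tpkpolus.ru/wp-content/plugins/dvgfltm/aa/loader.sh",
    "hxxps://www.simonizauto.com/wp-includes/fonts/loader.sh",
    "hxxp://103.82.25.124/loader.sh",
    "hxxp://85.17.200.10/loader.sh",
]


def refang(url: str) -> str:
    """Undo common defanging so the standard URL parser can handle the string."""
    url = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), url, flags=re.I)
    return url.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def extract_indicators(urls):
    """Split URLs into (hostnames, ips).

    The port is dropped because DNS and proxy logs record the host without it,
    and IP literals are kept apart because they never appear in a DNS query name.
    """
    hostnames, ips = set(), set()
    for raw in urls:
        host = urlsplit(refang(raw)).hostname  # lower-cased, port removed
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hostnames.add(host)
    return hostnames, ips


def kql_dynamic(name, values):
    """Render `let <name> = dynamic([...]);` with sorted, quoted string values."""
    items = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{items}]);"


def build_queries(urls, allowlist=()):
    """Return {'dns': ..., 'web': ...} KQL strings for the given indicator URLs.

    `allowlist` (assumed parameter) lists hostnames that should never alert,
    e.g. the update-server exclusions discussed in the false-positive section.
    """
    hostnames, ips = extract_indicators(urls)
    lets = [kql_dynamic("malicious_hosts", hostnames), kql_dynamic("malicious_ips", ips)]
    exclusion = []
    if allowlist:
        lets.append(kql_dynamic("allowlist", allowlist))
        exclusion = ["| where not(DestinationHostName has_any (allowlist))"]
    dns = "\n".join(lets[:2] + [
        "DnsEvents",
        "| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_ips)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])
    web = "\n".join(lets + [
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)",
        "    or DestinationIP has_any (malicious_ips)",
    ] + exclusion + [
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction",
        "| order by TimeGenerated desc",
    ])
    return {"dns": dns, "web": web}


if __name__ == "__main__":
    for name, query in build_queries(IOC_URLS, allowlist=["update.microsoft.com"]).items():
        print(f"-- {name} hunt --\n{query}\n")
```

Running the script prints both queries ready to paste into Sentinel; the 13 URLs collapse to three hostnames and five IP addresses, which is the same indicator set as the hand-written list above but with each kind matched against the columns where it can actually occur.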
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System update or patching tool (e.g., Windows Update, Microsoft Endpoint Manager) downloads a legitimate update from a URLhaus-listed domain. | Exclude URLs matching known update servers (e.g., update.microsoft.com, download.microsoft.com) or use a whitelist of trusted domains for system updates. |
| A scheduled job (e.g., schtasks.exe) runs a legitimate script that temporarily accesses a URLhaus-listed domain for API calls or configuration data. | Exclude processes associated with known task schedulers (e.g., schtasks.exe, taskhost.exe) or filter by process name and command-line arguments. |
| An admin uses a legitimate remote management tool (e.g., Microsoft Intune, VMware vRealize) to access a URLhaus-listed domain for policy or configuration synchronization. | Exclude traffic from known management tools or IP ranges associated with enterprise management platforms. |
| A security tool (e.g., CrowdStrike Falcon, Microsoft Defender) performs a network scan or signature update that accesses a URLhaus-listed domain. | Exclude traffic initiated by security tools or from known security vendor IP ranges. |
| A developer uses a CI/CD pipeline (e.g., Jenkins, GitHub Actions) to fetch dependencies or artifacts from a URLhaus-listed domain during a build process. | Exclude URLs related to CI/CD tools or filter by user-agent strings associated with development environments. |