Hypothesis: URLhaus tags these URLs as dropped-by-Phorpiex, meaning they host the executables (nmixx.exe, us.exe, nmix.exe) that the Phorpiex botnet's loader retrieves onto machines it has already infected. Any internal host that requests one of them is therefore very likely already compromised by Phorpiex and is pulling a second-stage payload (Phorpiex is a loader and spam botnet known for delivering cryptominers and ransomware); this is payload delivery, not data exfiltration. All three indicators sit on one bare IP address, 178.16.54.109, so expect hits in proxy and firewall logs rather than in DNS query names. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) and treat every non-excluded internal source as an infected host to contain, whether or not the download was blocked.
IOC Summary
Threat: dropped-by-Phorpiex
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://178.16.54.109/nmixx.exe | online | malware_download | 2026-06-14 |
| hxxp://178.16.54.109/us.exe | online | malware_download | 2026-06-14 |
| hxxp://178.16.54.109/nmix.exe | online | malware_download | 2026-06-14 |
```kusto
// Hunt for DNS activity tied to the URLhaus dropped-by-Phorpiex IOCs.
// The IOC host is a bare IP (178.16.54.109), so no client ever issues a DNS
// query for it by name; match instead on names that RESOLVE to that address.
let malicious_ips = dynamic(["178.16.54.109"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus dropped-by-Phorpiex payload URLs.
// Threat: dropped-by-Phorpiex
// Match on the destination address for any contact with the host, and on the
// exact host+path for high-confidence payload downloads (matching on the bare
// filename alone, e.g. "nmixx.exe", would fire on unrelated hosts).
let malicious_ips = dynamic(["178.16.54.109"]);
let malicious_paths = dynamic(["178.16.54.109/nmixx.exe", "178.16.54.109/us.exe", "178.16.54.109/nmix.exe"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_paths)
| extend MatchType = iff(RequestURL has_any (malicious_paths), "payload_url", "ip_only")
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction, MatchType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled. Populated by CEF/Syslog forwarding from proxies and firewalls; RequestURL is only filled by devices that log full URLs, so on address-only devices the hunt falls back to DestinationIP. |
| DnsEvents | Ensure this data connector is enabled. Populated by the Windows DNS (DNS Analytics) connector; because the IOC host is a bare IP, hits can only come from names that resolve to 178.16.54.109, not from queries for the IP itself. |
Scenario: A malware analyst or an automated sandbox (Cuckoo Sandbox, Joe Sandbox, a detonation VLAN) deliberately fetches the samples from 178.16.54.109 for analysis.
Filter/Exclusion: Exclude the source IPs of the analysis network and sandbox hosts in the hunt query (for example `| where SourceIP !in (sandbox_sources)`); never exclude by URL, since the URL is the indicator being hunted.
Scenario: Security appliances (email gateway link rewriting and detonation, web proxy URL categorisation, a threat-intelligence platform enriching IOCs) retrieve or resolve the URL as part of inspection rather than on behalf of a user.
Filter/Exclusion: Exclude the appliance source addresses and known scanner user agents, then confirm that no endpoint behind the appliance made the same request.
Scenario: The proxy or firewall logged the request but blocked it (DeviceAction of deny or blocked).
Filter/Exclusion: Do not exclude these. A blocked download attempt still means the source host tried to fetch a Phorpiex payload and should be triaged as a probable infection; use DeviceAction only to prioritise allowed downloads first.
Scenario: 178.16.54.109 is later reassigned or also serves unrelated content, so a match on DestinationIP alone, without one of the three payload paths, may be benign traffic.
Filter/Exclusion: Require a RequestURL match on the exact host and path for high-confidence alerts, treat IP-only matches as lower priority, and compare the event time with the IOC date added (2026-06-14).
Scenario: The request originates from a scheduled task, service or script rather than an interactive user session, for example a job that presents itself as an updater.
Filter/Exclusion: Do not treat non-interactive origin as evidence of a false positive; malware routinely persists as a scheduled task or autorun. Legitimate internal update servers are identified by hostname (for example updates.example.com) and belong on an allow list, and none of them should point at this IP.
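The following is an added example, not code from the original hunt page or from URLhaus: it replays the two hunt queries above and the exclusion scenarios offline over constructed DnsEvents-like and CommonSecurityLog-like records. It shows how the three IOCs are decomposed into the fields each table can actually match on, why a bare-IP indicator produces no DNS hit by query name, why matching on the filename alone over-fires, and how a source-based exclusion list for sandbox and appliance traffic is applied without excluding the URL itself. The exclusion addresses, hostnames and log records are hypothetical.

```python
"""Offline replay of the dropped-by-Phorpiex URLhaus hunt over constructed records."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# IOCs exactly as published on the page (defanged).
IOC_URLS = [
    "hxxp://178.16.54.109/nmixx.exe",
    "hxxp://178.16.54.109/us.exe",
    "hxxp://178.16.54.109/nmix.exe",
]

# HYPOTHETICAL exclusion list: addresses of the malware-analysis VLAN and of
# security appliances that fetch URLs for inspection. Adjust to your estate.
EXCLUDED_SOURCES = {"10.50.0.10", "10.50.0.11", "10.9.9.1"}


def refang(url):
    """Restore a real scheme on a defanged URL so urlsplit can parse it."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def build_indicators(urls):
    """Split IOC URLs into domain names, bare IPs and host+path strings."""
    hosts, ips, paths = set(), set(), set()
    for url in urls:
        parts = urlsplit(refang(url))
        host = parts.hostname.lower()
        try:
            ips.add(str(ip_address(host)))      # bare-IP host: match on address fields
        except ValueError:
            hosts.add(host)                      # domain host: match on name fields
        paths.add(host + parts.path)             # e.g. "178.16.54.109/nmixx.exe"
    return {"hosts": hosts, "ips": ips, "paths": paths}


def hunt_dns(events, ind):
    """DnsEvents-like dicts: Computer, Name, IPAddresses (comma-separated).

    Nobody resolves an IP literal, so for these IOCs the only useful DNS
    signal is a queried name that resolved to the indicator address.
    """
    hits = []
    for ev in events:
        resolved = {a.strip() for a in ev.get("IPAddresses", "").split(",") if a.strip()}
        if ev["Name"].lower() in ind["hosts"] or resolved & ind["ips"]:
            hits.append(ev)
    return hits


def hunt_proxy(events, ind, excluded=EXCLUDED_SOURCES):
    """CommonSecurityLog-like dicts: SourceIP, DestinationIP, RequestURL, DeviceAction.

    Returns matching events tagged Match = 'url' (exact payload path),
    'domain' (IOC hostname) or 'ip' (destination address only, weaker).
    Blocked requests are kept: the attempt itself indicates infection.
    """
    hits = []
    for ev in events:
        if ev["SourceIP"] in excluded:           # sandbox / appliance traffic
            continue
        raw = ev.get("RequestURL", "")
        parts = urlsplit(raw if "://" in raw else "http://" + raw)
        host = (parts.hostname or "").lower()
        if host and host + parts.path in ind["paths"]:
            match = "url"
        elif host in ind["hosts"]:
            match = "domain"
        elif ev.get("DestinationIP") in ind["ips"] or host in ind["ips"]:
            match = "ip"
        else:
            continue
        hits.append({**ev, "Match": match})
    return hits


# Constructed sample records, not real telemetry.
DNS_SAMPLE = [
    {"Computer": "ws-017", "Name": "cdn-update.example.net", "IPAddresses": "178.16.54.109"},
    {"Computer": "ws-021", "Name": "www.example.com", "IPAddresses": "93.184.216.34"},
]
PROXY_SAMPLE = [
    {"SourceIP": "10.1.4.22", "DestinationIP": "178.16.54.109",
     "RequestURL": "http://178.16.54.109/nmixx.exe", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.4.23", "DestinationIP": "178.16.54.109",
     "RequestURL": "http://178.16.54.109/index.html", "DeviceAction": "allowed"},
    {"SourceIP": "10.50.0.10", "DestinationIP": "178.16.54.109",
     "RequestURL": "http://178.16.54.109/us.exe", "DeviceAction": "allowed"},   # sandbox
    {"SourceIP": "10.1.4.30", "DestinationIP": "93.184.216.34",
     "RequestURL": "http://www.example.com/nmixx.exe", "DeviceAction": "allowed"},  # same filename, other host
    {"SourceIP": "10.1.4.40", "DestinationIP": "178.16.54.109",
     "RequestURL": "http://178.16.54.109/nmix.exe", "DeviceAction": "blocked"},
]


def run_hunt(dns_events=DNS_SAMPLE, proxy_events=PROXY_SAMPLE):
    """Run both hunts against the sample records and return the hits per table."""
    ind = build_indicators(IOC_URLS)
    return {"dns": hunt_dns(dns_events, ind), "proxy": hunt_proxy(proxy_events, ind)}


if __name__ == "__main__":
    for table, hits in run_hunt().items():
        for hit in hits:
            print(table, hit)
```

Against the sample data the DNS hunt returns only ws-017 (a name that resolved to the IOC address), and the proxy hunt returns the allowed nmixx.exe download, the index.html request as a weaker ip-only match, and the blocked nmix.exe attempt; the sandbox source is dropped by the exclusion list and the same filename on an unrelated host is not matched at all.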