This hunt hypothesis covers adversaries who use the malicious URLs listed below, which URLhaus tags with the threat label elf, to stage Linux ELF payloads on victim hosts (file names such as bot.x86, boatnet.x86_64 and tuxbot.x86_64 indicate x86 and x86_64 bot binaries), and from there to establish command and control or exfiltrate data. SOC teams should proactively hunt for DNS resolutions of, and web traffic to, these indicators in Microsoft Sentinel (formerly Azure Sentinel) so that infected hosts are identified early and potential data breaches and lateral movement are contained.
IOC Summary
Threat: elf
Total URLs: 43
Active URLs: 35
Note: the table below contains the 25 URLs included on this page, all hosted on the single IP 72.61.196.110; 20 of them were marked online at the time of listing. The summary counts above come from the upstream feed and cover more URLs than are reproduced here.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://72.61.196.110/n2/x86_64 | offline | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/main.x86_64 | offline | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/boatnet.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/untouchable.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/untouchable.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/untouchable.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/untouchable.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/tadashi.x86_64 | offline | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2//bot.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/boatnet.x86_64 | offline | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/sora.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/tuxbot.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/tuxbot.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/bot.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/tadashi.x86_64 | offline | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/main.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/boatnet.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/n2/sora.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/main.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bins/x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/hiddenbin/tuxbot.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/main.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/bot.x86 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/boatnet.x86_64 | online | malware_download | 2026-06-26 |
| hxxp://72.61.196.110/bin/nerv.x86_64 | online | malware_download | 2026-06-26 |
Hunt Queries
The two queries below are independent; run each on its own (each declares its own let binding). Every URL in this set sits on one IP address rather than a domain, so the DNS hunt matches on the resolved addresses in IPAddresses (a bare IP never appears as a query Name), and the web-traffic hunt also checks DestinationIP, because many firewalls populate DestinationIP but leave RequestURL and DestinationHostName empty.

```kql
// Hunt for DNS resolutions that return URLhaus malicious infrastructure
// Threat: elf
let malicious_ips = dynamic(["72.61.196.110"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious infrastructure
// Threat: elf
let malicious_ips = dynamic(["72.61.196.110"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Treat every hit as a host to investigate, including rows where DeviceAction shows the request was blocked: a blocked fetch of bot.x86 still means something on SourceIP attempted to download a bot payload.
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector is enabled and that your proxy or firewall forwards web traffic to it; check whether RequestURL is actually populated or only DestinationIP |
| DnsEvents | Ensure the DNS (Windows DNS Server) data connector is enabled on the resolvers your clients use |
Benign Scenarios and Exclusions
The queries above key on a single literal IP, so none of the scenarios below will match them as written. They become relevant when the hunt is broadened, for example to any download whose path ends in .x86 or .x86_64, or to a larger URLhaus watchlist. In that case exclude by exact host name against a maintained allowlist (for example `| where DestinationHostName !in (allowlist)`) rather than by substring: a filter such as url contains "redteam" would also suppress an attacker who simply puts that word in a path.
Scenario: A system administrator is manually testing a new endpoint protection tool by downloading a known safe ELF file from a trusted internal repository.
Filter/Exclusion: Exclude the internal repository host by exact match (e.g. DestinationHostName == "internal-repo.company.com") rather than with a substring filter such as url contains "internal-repo".
Scenario: A scheduled job runs to update a custom-built application that requires downloading a signed ELF binary from a known secure source.
Filter/Exclusion: Exclude the application update server by exact host match (e.g. update.server.company.com); confirm the binary's signature is verified by the job before allowlisting the host.
Scenario: A developer is using a CI/CD pipeline to build a Docker image, which includes pulling a trusted ELF binary from a public container registry.
Filter/Exclusion: Exclude the specific registry host by exact match (e.g. registry.hub.docker.com); do not allowlist all public registries, since attackers also host payloads on them.
Scenario: A system is running a scheduled backup job that archives logs to an internal storage system, which includes a script that uses a known ELF file for compression.
Filter/Exclusion: Exclude the internal storage host by exact match (e.g. internal-storage.company.com), scoped to the backup job's source hosts where the log source allows it.
Scenario: A security team is performing a red team exercise and is using a legitimate ELF file as part of a controlled simulation.
Filter/Exclusion: Exclude the red team's registered infrastructure by exact host match (e.g. redteam.company.local) for the duration of the exercise only; a substring filter such as url contains "redteam" or url contains "simulated" is trivially abused and should not be used.
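The following Python script is an added example, not part of the original hunt page or of URLhaus, that ties the query section and the exclusion guidance above together: it refangs a subset of the defanged IOC URLs from the table, derives the host set the KQL queries key on and emits it as a dynamic() literal, then runs the same match logic over a few constructed CommonSecurityLog-style records, comparing an exact-host allowlist with the substring-style exclusion the scenarios originally proposed. The log records, the 10.0.x.x source addresses and the allowlist hosts (taken from the scenario examples) are constructed for illustration.

```python
"""Offline check of the elf URLhaus hunt logic against constructed proxy records."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the IOC table on this page, defanged exactly as published.
IOC_URLS = [
    "hxxp://72.61.196.110/bins/boatnet.x86",
    "hxxp://72.61.196.110/n2/untouchable.x86",
    "hxxp://72.61.196.110/n2//bot.x86",
    "hxxp://72.61.196.110/bin/nerv.x86_64",
]

# Hypothetical allowlist built from the benign scenarios above: exact hosts only.
ALLOWLIST = {
    "internal-repo.company.com",
    "update.server.company.com",
    "registry.hub.docker.com",
    "internal-storage.company.com",
    "redteam.company.local",
}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so the URL can be parsed."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("(.)", ".")
               .replace("[:]", ":"))


def indicators(urls):
    """Return (hosts, full_urls): the host set drives the KQL has_any/in filters."""
    hosts, full = set(), set()
    for u in urls:
        r = refang(u)
        hosts.add(urlsplit(r).hostname)
        full.add(r)
    return hosts, full


def kql_dynamic(values) -> str:
    """Render a set of strings as the dynamic([...]) literal used in the let binding."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


@dataclass
class CefRecord:
    """Minimal stand-in for the CommonSecurityLog columns the hunt projects."""
    source_ip: str
    dest_ip: str
    dest_host: str
    request_url: str
    action: str


# Constructed records: two real hits, one benign internal download, and one hit
# whose path contains "redteam" to show why substring exclusions are unsafe.
SAMPLE_RECORDS = [
    CefRecord("10.0.0.5", "72.61.196.110", "72.61.196.110",
              "http://72.61.196.110/bins/boatnet.x86", "allow"),
    CefRecord("10.0.0.9", "72.61.196.110", "", "", "deny"),  # firewall logged IP only
    CefRecord("10.0.1.3", "203.0.113.10", "internal-repo.company.com",
              "http://internal-repo.company.com/bins/agent.x86_64", "allow"),
    CefRecord("10.0.2.7", "72.61.196.110", "72.61.196.110",
              "http://72.61.196.110/n2/redteam/bot.x86", "allow"),
]


def excluded_by_exact_host(rec: CefRecord) -> bool:
    """Recommended exclusion: the destination host is exactly an allowlisted host."""
    return rec.dest_host in ALLOWLIST


def excluded_by_substring(rec: CefRecord) -> bool:
    """The fragile exclusion the scenarios originally suggested (url contains ...)."""
    return any(s in rec.request_url for s in ("internal-repo", "redteam", "simulated"))


def hunt(records, hosts, exclude):
    """Mirror the KQL: match on RequestURL host, DestinationHostName or DestinationIP."""
    hits = []
    for rec in records:
        if exclude(rec):
            continue
        url_host = urlsplit(rec.request_url).hostname if rec.request_url else None
        if rec.dest_ip in hosts or rec.dest_host in hosts or url_host in hosts:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    hosts, urls = indicators(IOC_URLS)
    print("let malicious_ips =", kql_dynamic(hosts) + ";")
    for name, fn in (("exact-host allowlist", excluded_by_exact_host),
                     ("substring exclusion", excluded_by_substring)):
        print(name + ":")
        for hit in hunt(SAMPLE_RECORDS, hosts, fn):
            print(f"  {hit.source_ip} -> {hit.dest_ip} {hit.request_url or '(no URL)'} [{hit.action}]")
```

With the exact-host allowlist the blocked request from 10.0.0.9 is still reported, as it should be (that host tried to fetch from the payload server), and the request with "redteam" in its path is reported too; the substring exclusion silently drops the latter, which is the behaviour the exclusion guidance above warns against.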