This hunt hypothesis targets adversaries who use malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf
Total URLs: 28
Active URLs: 15
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["176.65.139.107", "blacknigger.boo", "176.65.139.61"]);
DnsEvents
// Name carries the queried hostname, so the IP-address entries in the list can only
// match against the resolved addresses in IPAddresses; check both columns
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["176.65.139.107", "blacknigger.boo", "176.65.139.61"]);
CommonSecurityLog
// RequestURL and DestinationHostName cover domain hits; DestinationIP covers the
// IP-address entries when the proxy or firewall logs no hostname
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
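The queries above hard-code three hosts, while the IOC table carries more and mixes IP addresses with domain names. As an added example (not part of the original page or of URLhaus tooling), this Python helper turns defanged table rows into separate KQL `let` lists for domains and IPs, since only domains can match `DnsEvents.Name`; the sample rows are constructed, and `dropper.example.invalid` is a placeholder hostname.

```python
"""Turn defanged URLhaus-style IOC rows into the KQL lists used by the hunt queries."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample rows in the page's "URL | Status | Threat | Date Added" layout.
# The IP hosts are the ones the page's own queries and table use; the hostname
# "dropper.example.invalid" is a placeholder, not a real indicator.
SAMPLE_ROWS = """\
hxxp://176.65.139.61/bluefix.x86 | online | malware_download | 2026-05-25
hxxp://176.65.139.107/bins/x86 | online | malware_download | 2026-05-25
hxxps://dropper.example.invalid/bins/x86_64 | online | malware_download | 2026-05-25
hxxp://85.204.125.76/attack_bot | offline | malware_download | 2026-05-25
"""

def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so urlsplit can parse the URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_rows(text: str, active_only: bool = True) -> dict:
    """Return {'ips': [...], 'domains': [...]} of unique hosts from table rows."""
    ips, domains = set(), set()
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip("| ").split("|")]
        if len(parts) < 2 or not parts[0]:
            continue
        url, status = parts[0], parts[1].lower()
        if active_only and status != "online":
            continue  # offline URLs add noise; drop the filter for historical hits
        host = urlsplit(refang(url)).hostname
        if not host:
            continue  # header and separator rows have no host
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return {"ips": sorted(ips), "domains": sorted(domains)}

def kql_let(name: str, values: list) -> str:
    """Render a KQL `let` statement holding a dynamic string array."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

if __name__ == "__main__":
    hosts = parse_rows(SAMPLE_ROWS)
    # Domains can match DnsEvents.Name; IP hosts only show up in DnsEvents.IPAddresses
    # or CommonSecurityLog.DestinationIP, so they are emitted as a separate list.
    print(kql_let("malicious_domains", hosts["domains"]))
    print(kql_let("malicious_ips", hosts["ips"]))
```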
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: A system administrator is performing a scheduled backup and the backup tool (e.g., rsync, Veeam, or CommCell) generates temporary files with .elf extensions for compatibility or logging purposes.
Filter/Exclusion: Exclude files created by backup tools or system maintenance scripts using a file path filter (e.g., /var/backups/, /tmp/, or C:\Windows\Temp\).
Scenario: A developer is testing a custom application that dynamically generates .elf files for testing purposes (e.g., using Python’s subprocess or CMake build scripts).
Filter/Exclusion: Exclude files generated by known development tools or within specific project directories (e.g., /opt/myapp/build/, /home/dev/project/).
Scenario: A system update or patching process (e.g., using Ansible, Chef, or Puppet) deploys a package that includes a .elf file as part of a service configuration or log file.
Filter/Exclusion: Exclude files with known update directories (e.g., /var/cache/apt/, /tmp/patching/, or /opt/patch/).
Scenario: A log aggregation tool (e.g., Fluentd, Logstash, or Splunk) writes temporary .elf files to disk for processing, especially when handling binary logs or custom formats.
Filter/Exclusion: Exclude files in log processing directories (e.g., /var/log/processing/, /opt/logstash/tmp/, or /usr/share/splunk/).
Scenario: A system monitoring tool (e.g., Prometheus, Grafana, or Zabbix) generates temporary .elf files for storing metrics or configuration data.
Filter/Exclusion: Exclude files in monitoring