The detection identifies potential adversary activity involving the exfiltration of sensitive data through malicious URLs associated with the elf malware family. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data breaches or system persistence.
IOC Summary
Threat: elf. Total URLs: 7. Active URLs: 0.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://kaizen22.xyz/bins/kaizen.arm7 | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/bins/arm4 | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/mips | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/mpsl | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/bins/spc | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/arm5 | offline | malware_download | 2026-06-04 |
| hxxp://5.83.134.26/bins/x86_64 | offline | malware_download | 2026-06-04 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["kaizen22.xyz"]);
// 5.83.134.26 is a literal IP indicator: it never appears as a DNS query name,
// so it is matched against the resolved addresses rather than against Name
let malicious_ips = dynamic(["5.83.134.26"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["kaizen22.xyz"]);
let malicious_ips = dynamic(["5.83.134.26"]);
CommonSecurityLog
// the IP indicator can surface either inside the requested URL or as the destination address
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    or RequestURL has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few test URLs.
Filter/Exclusion: Exclude URLs that match the domain of the internal testing environment (e.g., test.shorturlsvc.local).
Scenario: A scheduled job runs a nightly script that downloads and processes a list of known safe URLs from a trusted internal repository for compliance checks.
Filter/Exclusion: Exclude URLs that originate from the internal compliance server (e.g., compliance-repo.enterprise.com).
Scenario: A developer is using a local development tool (e.g., docker-compose) to spin up a test environment, which includes accessing a local URL for API testing.
Filter/Exclusion: Exclude URLs that contain the local development domain (e.g., localhost, 127.0.0.1, or dev.example.com).
Scenario: A security team member is performing a red team exercise and uses a legitimate tool (e.g., Metasploit) to simulate a phishing attack with a crafted URL.
Filter/Exclusion: Exclude URLs that are associated with internal red team infrastructure (e.g., redteam.lab.example.com).
Scenario: A system is running a legitimate scheduled job that fetches updates from a trusted internal URLhaus mirror for threat intelligence synchronization.
Filter/Exclusion: Exclude URLs that match the internal threat intelligence mirror domain (e.g., ti-mirror.enterprise.com).
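The hunt above is only as good as the indicator lists pasted into it: a literal IP placed in a domain list is matched against the DNS query name and silently never fires. The script below is an added example, not part of this page's query pack; it refangs the defanged IOC rows from the table, separates IP indicators from hostnames, and emits the DnsEvents hunt with the false-positive exclusions applied. The exclusion domains are the hypothetical ones from the scenarios above.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit
IOC_URLS = [  # constructed input: the defanged rows from the IOC table above
    "hxxp://kaizen22.xyz/bins/kaizen.arm7",
    "hxxp://5.83.134.26/bins/arm4",
    "hxxp://5.83.134.26/mips",
    "hxxp://5.83.134.26/mpsl",
    "hxxp://5.83.134.26/bins/spc",
    "hxxp://5.83.134.26/arm5",
    "hxxp://5.83.134.26/bins/x86_64",
]
# Hypothetical exclusion list built from the false-positive scenarios above
EXCLUDED_DOMAINS = ["ti-mirror.enterprise.com", "redteam.lab.example.com"]

def split_indicators(urls):
    """Return (domains, ips): literal IPs are kept apart because they must be
    matched on IPAddresses/DestinationIP, never on the DNS query Name."""
    domains, ips = set(), set()
    for url in urls:
        # refang hxxp:// first; urlsplit finds no host in the defanged form
        host = urlsplit(re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)).hostname
        if not host:
            continue  # malformed row: skip instead of emitting an empty match term
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(domains), sorted(ips)

def kql_list(name, values):
    # json.dumps yields the double-quoted array literal that KQL dynamic() accepts
    return f"let {name} = dynamic({json.dumps(values)});"

def build_dns_hunt(urls, excluded):
    """Emit the DnsEvents hunt: IPs matched on the resolved-address column, exclusions applied."""
    domains, ips = split_indicators(urls)
    return "\n".join([
        kql_list("malicious_domains", domains),
        kql_list("malicious_ips", ips),
        kql_list("excluded_domains", excluded),
        "DnsEvents",
        "| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)",
        "| where not(Name has_any (excluded_domains))",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])
```

Regenerate the query from the feed rather than editing the `let` lists by hand, so every new IP indicator lands on the address column automatically.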