This hunt looks for hosts contacting the URLhaus URLs listed below. URLhaus tags them `elf` because each one serves an ELF binary (a Linux executable); `elf` is a payload format tag, not the name of a single malware family. The file names on the page (zero.x86, zero.mips, zero.armv7l, zero.sparc, zero.m68k, Mozi.m) show one payload built for many CPU architectures, the usual shape of a Linux/IoT botnet dropper: a device that has been exploited or brute-forced fetches the build for its own architecture and runs it. Every URL is tagged malware_download, so a match means a device on your network retrieved (or tried to retrieve) a payload, not that data left the network; the same hosts may also act as command-and-control, so treat any hit as a live infection and check what else the source host talked to afterwards. SOC teams should run the queries below proactively in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for an alert.
IOC Summary
Threat: elf
Total URLs: 17
Active URLs: 13
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://31.56.209.222/zero.sh4 | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.x86 | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.sparc | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.armv6l | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.armv5l | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.mips | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.armv7l | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.mipsrouter | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.armv4l | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.m68k | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.mipsel | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.85/mipsle | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.85/mips | online | malware_download | 2026-06-01 |
| hxxp://176.65.139.195/bins/parm7 | offline | malware_download | 2026-06-01 |
| hxxp://206.168.201.246:49048/Mozi.m | offline | malware_download | 2026-06-01 |
| hxxp://175.107.205.18:57277/Mozi.7 | offline | malware_download | 2026-06-01 |
| hxxp://91.92.42.126:8081/b | offline | malware_download | 2026-06-01 |
```kql
// Hunt for DNS answers that resolve to the URLhaus payload hosts
// Threat: elf (URLhaus tag for ELF payloads)
// Every IOC on this page is an IP-literal URL: a host fetching one makes no DNS
// query at all, so match on the resolved answers (IPAddresses), not the query
// name. A hit here means some domain currently resolves to a payload host.
let malicious_ips = dynamic(["31.56.209.222", "31.56.209.85", "176.65.139.195", "206.168.201.246", "175.107.205.18", "91.92.42.126"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to the URLhaus payload hosts (proxy/firewall logs via CEF)
// Match on destination IP as well as URL, and keep the offline entries: URLhaus
// "offline" is a snapshot on the date added, and the Mozi entries sit on
// non-standard ports (49048, 57277), so DestinationPort is kept in the output.
let malicious_ips = dynamic(["31.56.209.222", "31.56.209.85", "176.65.139.195", "206.168.201.246", "175.107.205.18", "91.92.42.126"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Fed by the CEF/Syslog data connector from proxies and firewalls; ensure it is enabled and that the device actually populates RequestURL or DestinationIP, otherwise the web query has nothing to match |
| DnsEvents | Fed by the DNS server data connector; ensure it is enabled. If your resolvers log to a different table, port the DNS query to that table, matching on the answer column |
Scenario: A security analyst deliberately fetches one of the listed URLs, for example to pull a sample for sandbox analysis during a threat-intel review or a red team exercise.
Filter/Exclusion: Exclude the source addresses of the analysis or sandbox network (e.g. a dedicated subnet such as 10.200.0.0/24) rather than the destination, so the same URL fetched from a production host still fires, and require the access to be recorded in a ticket.
Scenario: A scheduled job (threat-intel enrichment, a URL scanner, or a feed validator) resolves or retrieves URLhaus entries on a nightly schedule.
Filter/Exclusion: Exclude that job's source IP or service account, not the destination, and review the exclusion whenever the job changes; a sudden rise in hit volume from the excluded source still deserves a look, because the job may have been repurposed or compromised.
Scenario: A workstation has a file or process named elf, for example a linter's temporary build file or an old file removed during a shared-drive cleanup.
Filter/Exclusion: None needed for these queries. Both key on destination IP and URL only, so file and process names never match them. If you later extend the hunt to endpoint telemetry (process creation, file writes), scope any exclusion to the specific tool path (e.g. C:\DevTools\*) rather than to the name elf, which is also the format name of the payloads themselves.
In every case exclude by the source that is expected to generate the traffic, never by removing a URLhaus IP from the list: these hosts serve real payloads, and a blocked request (DeviceAction) is still evidence that the source host tried to fetch one.
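The two hunts and the exclusion scenarios above, as an offline model in Python. This is example code added to this page, not the original hunt and not Sentinel's or URLhaus's code: it parses a few rows copied from the IOC table, matches constructed CEF proxy records (the format CommonSecurityLog is fed from) against them by exact URL and by destination IP, tags rather than drops hits from an assumed analysis subnet (10.200.0.0/24), and shows why the DNS hunt cannot match on query names when every IOC is an IP-literal URL. The CEF extension keys src/dst/dpt/request/act, the sample records, and the subnet are all assumptions.

```python
"""Offline model of the URLhaus 'elf' hunt (example added to this page, not
the original hunt). Assumed: proxy events arrive as CEF lines with
src/dst/dpt/request/act extension keys, and 10.200.0.0/24 is the
malware-analysis segment. Neither assumption comes from the page."""
import ipaddress
import re
from urllib.parse import urlsplit

# Five rows copied from the IOC table above (defanged, as on the page).
IOC_TABLE = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://31.56.209.222/zero.x86 | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.222/zero.mips | online | malware_download | 2026-06-01 |
| hxxp://31.56.209.85/mips | online | malware_download | 2026-06-01 |
| hxxp://206.168.201.246:49048/Mozi.m | offline | malware_download | 2026-06-01 |
| hxxp://91.92.42.126:8081/b | offline | malware_download | 2026-06-01 |
"""

# Constructed proxy records in CEF; not real log data.
SAMPLE_CEF = [
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.1.2.3 dst=31.56.209.222 dpt=80 request=http://31.56.209.222/zero.x86 act=allowed",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.1.2.9 dst=206.168.201.246 dpt=49048 request=http://206.168.201.246:49048/Mozi.m act=blocked",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.1.2.20 dst=31.56.209.85 dpt=80 request=http://31.56.209.85/update.bin act=allowed",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.200.0.7 dst=91.92.42.126 dpt=8081 request=http://91.92.42.126:8081/b act=allowed",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.1.2.30 dst=198.51.100.10 dpt=443 request=https://198.51.100.10/ act=allowed",
]

# Assumed sandbox / analysis segment (the analyst and scheduled-job scenarios).
ANALYSIS_NETS = [ipaddress.ip_network("10.200.0.0/24")]

CEF_EXT = re.compile(r"(\w+)=(\S+)")


def refang(url):
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_iocs(table):
    """Return {(host, port, path): status}. Offline rows are kept on purpose:
    URLhaus 'offline' is the status on the date added, not a clean bill."""
    iocs = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or not cells[0].startswith("hxxp"):
            continue  # header and separator rows
        u = urlsplit(refang(cells[0]))
        port = u.port or (443 if u.scheme == "https" else 80)
        iocs[(u.hostname, port, u.path)] = cells[1]
    return iocs


def parse_cef(line):
    """Minimal CEF reader: seven '|'-separated header fields, then key=value
    extensions (values in the sample lines contain no spaces)."""
    ext = line.split("|", 7)[7]
    return dict(CEF_EXT.findall(ext))


def classify(event, iocs):
    """(kind, indicator, status): 'exact_url' when the full URL is listed,
    'ip_only' when only the destination host matches (same server, other
    path or port: still worth a look), or (None, None, None)."""
    req = event.get("request")
    if req:
        u = urlsplit(req)
        key = (u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path)
        if key in iocs:
            return "exact_url", key, iocs[key]
    dst = event.get("dst")
    rows = {k: s for k, s in iocs.items() if k[0] == dst}
    if rows:
        return "ip_only", dst, "online" if "online" in rows.values() else "offline"
    return None, None, None


def hunt(lines, iocs, analysis_nets):
    """Hits in log order. Traffic from the analysis network is tagged
    expected=True rather than dropped, so a broken or abused sandbox
    exclusion stays visible; a blocked request is still reported."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        kind, indicator, status = classify(ev, iocs)
        if kind is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        hits.append({"src": ev["src"], "kind": kind, "indicator": indicator,
                     "status": status, "action": ev.get("act"),
                     "expected": any(src in net for net in analysis_nets)})
    return hits


def dns_observable(iocs):
    """Hosts that are names rather than IP literals: only these can appear as
    a DNS query name. Every row in this table is an IP literal, so the DNS
    hunt can only fire on a resolved answer, never on the query itself."""
    names = set()
    for host, _, _ in iocs:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            names.add(host)
    return names


IOCS = parse_iocs(IOC_TABLE)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CEF, IOCS, ANALYSIS_NETS):
        print(hit)
    print("DNS-observable hosts:", dns_observable(IOCS) or "none (IP literals only)")
```

Run as a script, the model reports four hits: two exact-URL fetches from production hosts (one of them blocked by the proxy, which is still an attempted download), one ip_only hit where a host pulled a different path from 31.56.209.85, and one exact-URL fetch tagged expected because it came from the analysis subnet. The final line shows that none of the table's hosts can be seen as a DNS query name, which is why the Sentinel DNS query matches on IPAddresses.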