This hunt hypothesis looks for hosts that contact malicious URLs URLhaus associates with the elf malware family, whether to fetch a payload (every IOC below is tagged malware_download), to exfiltrate data or to establish command and control. SOC teams should proactively hunt for this activity in Azure Sentinel so that potential data breaches and lateral movement attempts are identified and contained early.
IOC Summary
Threat: elf
Total URLs: 12
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://152.89.76.240/bins/monero.x86_64 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.arm6 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.arm7 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.ppc | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.m68k | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.mips | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.arm | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.arm8 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.x86 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.arm5 | offline | malware_download | 2026-06-20 |
| hxxp://152.89.76.240/bins/monero.mipsel | offline | malware_download | 2026-06-20 |
| hxxp://bitter-handsome-truck.digivmm.katapult.cloud/bins/monero.mipsel | offline | malware_download | 2026-06-20 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The IP indicator is matched against the resolved addresses, not the queried name:
// has_any on Name would never match a dotted-quad, so that part of the original filter was dead.
let malicious_domains = dynamic(["bitter-handsome-truck.digivmm.katapult.cloud"]);
let malicious_ips = dynamic(["152.89.76.240"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
// Run as a separate query (blank line above); the IP indicator is also checked
// against DestinationIP for proxy/firewall records that carry no URL or host name.
let malicious_domains = dynamic(["bitter-handsome-truck.digivmm.katapult.cloud"]);
let malicious_ips = dynamic(["152.89.76.240"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate .elf files for internal tooling validation.
Filter/Exclusion: Exclude URLs containing the string internal.test or dev.tools in the domain or path.
Scenario: A scheduled job runs a script that downloads a .elf file from a trusted internal repository to update a custom application.
Filter/Exclusion: Exclude URLs that match the internal artifact repository domain, such as artifacts.corp.example.com.
Scenario: A developer is using a CI/CD pipeline to build a container image, and the build process temporarily downloads a .elf binary from a trusted registry for testing purposes.
Filter/Exclusion: Exclude URLs that include the substring ci-cd-registry.example.com or build-artifact.
Scenario: A security analyst is performing a red team exercise and is using a known benign .elf file to simulate a phishing attack on internal systems.
Filter/Exclusion: Exclude URLs that contain the query parameter simulate=true or originate from a sandboxed environment like sandbox.redteam.example.com.
Scenario: A system is running a scheduled backup job that archives logs to a remote server, and the backup process includes a .elf file as part of a log compression tool.
Filter/Exclusion: Exclude URLs that include the path /backup/logs/ or match the backup server domain backup.example.com.
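The scenario exclusions above only make sense against a hunt that is broader than the twelve listed URLs: a request to a listed IOC host should never be suppressed because its URL happens to contain simulate=true or /backup/logs/. The following query is an added example (not part of the original hunt page) that combines both data sources into one result set, broadens the web leg to any download whose path follows the /bins/monero.<arch> layout seen in the IOC table, and applies the scenario exclusions only to those pattern-only matches. The excluded host names and URL fragments are the placeholders from the scenario list (artifacts.corp.example.com, ci-cd-registry.example.com, sandbox.redteam.example.com, backup.example.com, internal.test, dev.tools, build-artifact, /backup/logs/, simulate=true) and are assumptions to be replaced with the organisation's real values; the 30-day lookback is likewise an assumed default.

```kusto
// Added example, not the original hunt query. Unions the DNS and CommonSecurityLog
// signals, broadens the web leg to the dropper path pattern, and suppresses benign
// matches per the exclusion scenarios without ever hiding a hit on a listed IOC host.
let lookback = 30d;                                    // assumed default window
let malicious_domains = dynamic(["bitter-handsome-truck.digivmm.katapult.cloud"]);
let malicious_ips = dynamic(["152.89.76.240"]);
// Benign infrastructure from the exclusion scenarios (placeholder names, replace them).
let excluded_hosts = dynamic(["artifacts.corp.example.com", "ci-cd-registry.example.com",
                              "sandbox.redteam.example.com", "backup.example.com"]);
let excluded_url_parts = dynamic(["internal.test", "dev.tools", "build-artifact",
                                  "/backup/logs/", "simulate=true"]);
// DNS leg: queried name against the domain IOC, resolved addresses against the IP IOC.
// ClientIP is the querying endpoint; Computer is only the DNS server that logged it.
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
    | project TimeGenerated, Source = "DnsEvents", Endpoint = ClientIP,
              Indicator = Name, Detail = IPAddresses, IocMatch = true;
// Web leg: exact IOC match, or the multi-architecture dropper path layout on any host.
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | extend IocMatch = RequestURL has_any (malicious_domains)
                     or RequestURL has_any (malicious_ips)
                     or DestinationHostName has_any (malicious_domains)
                     or DestinationIP in (malicious_ips)
    | extend PatternMatch = RequestURL contains "/bins/monero."
    | where IocMatch or PatternMatch
    // Scenario exclusions apply to pattern-only matches; IOC hits are always kept.
    | where IocMatch
         or not(DestinationHostName in (excluded_hosts) or RequestURL has_any (excluded_url_parts))
    | project TimeGenerated, Source = "CommonSecurityLog", Endpoint = SourceIP,
              Indicator = coalesce(RequestURL, DestinationHostName), Detail = DeviceAction, IocMatch;
// One row per internal endpoint, so an analyst can triage by host rather than by event.
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count(),
            IocHits = countif(IocMatch), Sources = make_set(Source),
            Indicators = make_set(Indicator, 20) by Endpoint
| order by IocHits desc, LastSeen desc
```

Rows with IocHits greater than zero are contacts with the listed infrastructure and warrant immediate triage regardless of any exclusion; rows with IocHits of zero are pattern-only matches that survived the exclusions and deserve a look at the destination host and the DeviceAction column (a blocked download is lower priority than an allowed one).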