This detection identifies potential GuLoader malware distribution through three malicious URLs listed on URLhaus, indicating an adversary may be using these URLs to deliver payloads and establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to disrupt initial compromise attempts and prevent lateral movement within the network.
IOC Summary
Threat: GuLoader
Total URLs: 3
Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bgmotors.ro/Nonprovin.snp | online | malware_download | 2026-06-15 |
| hxxp://104.239.66.104:8888/1/reosmesf967rgeaveon.jug | offline | malware_download | 2026-06-15 |
| hxxp://104.239.66.104:8888/1/rgeaveonrgeaveon77.abb | offline | malware_download | 2026-06-15 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: GuLoader
// Only the hostname-based IOC belongs here: the IP-based URLs
// (104.239.66.104:8888) are fetched directly and never appear in DNS telemetry.
let malicious_domains = dynamic(["bgmotors.ro"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains and IPs
// Threat: GuLoader
let malicious_domains = dynamic(["bgmotors.ro"]);
let malicious_ips = dynamic(["104.239.66.104"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
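As an added example (not part of the original detection content), the following Python turns the defanged IOC table above into KQL lists, keeping hostnames apart from literal IP addresses so that the IP-based URLs, which produce no DNS lookup, are hunted on DestinationIP rather than in DnsEvents. The function names and the emitted query layout are assumptions of this example, not an URLhaus or Sentinel API.

```python
# Added example: generate a CommonSecurityLog hunt from defanged URLhaus IOCs.
import ipaddress
import json
from urllib.parse import urlsplit

# IOC rows copied from the table above (defanged "hxxp"/"hxxps" scheme).
IOC_URLS = [
    "hxxps://bgmotors.ro/Nonprovin.snp",
    "hxxp://104.239.66.104:8888/1/reosmesf967rgeaveon.jug",
    "hxxp://104.239.66.104:8888/1/rgeaveonrgeaveon77.abb",
]

def refang(url: str) -> str:
    """Restore a defanged URL so it can be parsed (hxxp -> http, [.] -> .)."""
    scheme, sep, rest = url.partition("://")
    return scheme.lower().replace("hxxp", "http") + sep + rest.replace("[.]", ".")

def split_iocs(urls):
    """Return (hostnames, ip_addresses, url_paths), de-duplicated, order kept."""
    hosts, ips, paths = [], [], []
    for u in urls:
        parts = urlsplit(refang(u))
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)   # literal IP: no DNS event will exist
            bucket = ips
        except ValueError:
            bucket = hosts               # hostname: DNS and proxy logs both apply
        if host and host not in bucket:
            bucket.append(host)
        if parts.path and parts.path not in paths:
            paths.append(parts.path)
    return hosts, ips, paths

def build_kql(urls) -> str:
    """Emit a CommonSecurityLog query covering domain-, IP- and path-based IOCs."""
    hosts, ips, paths = split_iocs(urls)
    return "\n".join([
        f"let malicious_domains = dynamic({json.dumps(hosts)});",
        f"let malicious_ips = dynamic({json.dumps(ips)});",
        f"let malicious_paths = dynamic({json.dumps(paths)});",
        "CommonSecurityLog",
        "| where DestinationHostName has_any (malicious_domains)",
        "    or DestinationIP in (malicious_ips)",
        "    or RequestURL has_any (malicious_paths)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_kql(IOC_URLS))
```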
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus
Description: A system update or patch is downloaded from a URLhaus-listed domain as part of a scheduled maintenance task.
Filter/Exclusion: Exclude URLs associated with known system update tools like WSUS, Microsoft Update, or Patch Management Systems (e.g., SCCM, Microsoft Endpoint Manager). Use a filter like:
(url contains "windowsupdate.microsoft.com" or url contains "microsoft.com/patch")
Scenario: Admin task using GuLoader for legitimate testing
Description: An administrator uses a GuLoader-based tool (e.g., Metasploit, Empire, or Cobalt Strike) for red team testing or penetration testing.
Filter/Exclusion: Exclude traffic originating from admin accounts or specific user groups (e.g., Domain Admins, Security Team). Use a filter like:
(user contains "Domain Admins" or user contains "SecurityTeam")
Scenario: Scheduled job downloading payloads for compliance
Description: A scheduled job (e.g., PowerShell, Python, or Ansible) is used to download payloads for compliance or audit purposes.
Filter/Exclusion: Exclude URLs that match known compliance or audit tools (e.g., Splunk, LogRhythm, IBM QRadar). Use a filter like:
(url contains "splunk.com" or url contains "ibm.com/qradar")
Scenario: Internal tool using GuLoader for internal C2
Description: A company’s internal tool (e.g., Internal C2, Internal Beacon, or Internal Cobalt Strike) is using GuLoader for internal communication.
*Filter