Adversaries may be using the malicious URLs listed by URLhaus to download malware into compromised environments. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread.
IOC Summary

Threat: malware_download
Total URLs: 24
Active URLs: 4
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: malware_download
// Note: the active indicators are bare IP literals, so a direct fetch produces no
// DNS query for them; match the resolved addresses (IPAddresses) as well as the name.
let malicious_ips = dynamic(["103.164.128.58", "61.179.64.34", "116.139.183.5", "221.15.15.51"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to URLhaus malicious hosts
// Threat: malware_download
let malicious_ips = dynamic(["103.164.128.58", "61.179.64.34", "116.139.183.5", "221.15.15.51"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
Filter/Exclusion: Exclude URLs that match known security testing domains (e.g., testmaliciousurl.com, vulnscan.org) or use a field like urlhaus_tag to exclude entries tagged as security_test.
Scenario: A scheduled job is configured to fetch updates from a third-party repository that uses a URL flagged as malicious by URLhaus, but is actually safe.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., updates.examplecorp.com, repo.example.com) or use a field like urlhaus_tag to exclude entries tagged as false_positive.
Scenario: An enterprise uses a legitimate tool like PowerShell or Windows Task Scheduler to execute scripts that temporarily download files from a URL that is later flagged as malicious.
Filter/Exclusion: Exclude URLs that are associated with internal tools (e.g., internal-tools.example.com) or use a field like process_name to exclude processes like powershell.exe or taskhost.exe.
Scenario: A user is accessing a legitimate phishing simulation URL that is mistakenly flagged by URLhaus.
Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., phishsim.example.com, training.example.org) or use a field like urlhaus_tag to exclude entries tagged as phishing_sim.
Scenario: A system is configured to use a legitimate third-party API that requires a URL to be passed as a parameter, which is later flagged as malicious.
Filter/Exclusion: Exclude URLs that match known API endpoints (e.g., api.example.com/v1/data) or use a field like urlhaus_tag to exclude entries tagged as api_call.
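As an added example (not part of this report or of any URLhaus tooling), the following Python turns rows in the report's defanged hxxp/hxxps format into separate IP and domain lists for the KQL `dynamic()` literal used in the hunt queries above, and drops allowlisted hosts such as the update servers and phishing-simulation domains from the false-positive scenarios. The sample rows and the allowlist are constructed for illustration.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows in the report's defanged format: (url, status).
SAMPLE_ROWS = [
    ("hxxp://61.179.64.34:58175/bin.sh", "online"),
    ("hxxps://missusecapmrch.blogspot.com/atom.xml?m=1/", "offline"),
    ("hxxps://updates.examplecorp.com/latest.bin", "online"),  # constructed allowlisted host
    ("hxxp://221.15.15.51:54089/bin.sh", "online"),
]

# Hypothetical allowlist of known-good hosts (update servers, phishing simulations).
ALLOWLIST = {"updates.examplecorp.com", "repo.example.com", "phishsim.example.com"}


def refang(url):
    """Turn a defanged hxxp(s):// URL back into a parsable http(s):// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def indicator_host(url):
    """Return (host, is_ip) for a defanged URL; port, path and query are dropped."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False


def build_indicators(rows, allowlist=ALLOWLIST, active_only=True):
    """Split report rows into (ips, domains), de-duplicated and in first-seen order.
    Allowlisted hosts are skipped; active_only keeps only rows with status 'online'."""
    ips, domains = [], []
    for url, status in rows:
        if active_only and status != "online":
            continue
        host, is_ip = indicator_host(url)
        if not host or host in allowlist:
            continue
        target = ips if is_ip else domains
        if host not in target:
            target.append(host)
    return ips, domains


def kql_let(name, values):
    """Render a KQL 'let' statement holding the indicator list as a dynamic array."""
    quoted = ", ".join('"%s"' % v.replace('"', '\\"') for v in values)
    return "let %s = dynamic([%s]);" % (name, quoted)


if __name__ == "__main__":
    ips, domains = build_indicators(SAMPLE_ROWS, active_only=False)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
```

Paste the printed `let` statements in place of the hard-coded list in the queries; the domain list is the one to use with `DnsEvents.Name`, the IP list with `IPAddresses` and `DestinationIP`.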