The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread.
IOC Summary

- Threat: malware_download
- Total URLs: 7
- Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.116.116.135:42966/bin.sh | online | malware_download | 2026-05-25 |
| hxxps://kevtel.com/rawww.exe | online | malware_download | 2026-05-25 |
| hxxp://196.251.107.217/public_files/4EsUv5e.txt | online | malware_download | 2026-05-25 |
| hxxp://196.251.107.217/public_files/160066.jpg?12711313 | online | malware_download | 2026-05-25 |
| hxxp://62.60.226.200/public_files/160066.jpg?12711313p | offline | malware_download | 2026-05-25 |
| hxxp://toptionlab.co.za/nm.js | offline | malware_download | 2026-05-25 |
| hxxps://toptionlab.co.za/nm.js | online | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["toptionlab.co.za", "kevtel.com", "182.116.116.135", "196.251.107.217"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["toptionlab.co.za", "kevtel.com", "182.116.116.135", "196.251.107.217"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
Filter/Exclusion: Exclude URLs that match known security testing domains (e.g., testmaliciousurl.com, vulnscan.org) or include a flag in the URL indicating it’s a test payload (e.g., ?test=true).
Scenario: A scheduled job is executing a script that downloads a legitimate update from a trusted source, such as a software vendor’s repository.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., updates.microsoft.com, downloads.apache.org) or include a signature like update or patch in the URL path.
Scenario: An IT admin is using a tool like PowerShell or Cron to perform a system cleanup or configuration change, which involves downloading a script from an internal repository.
Filter/Exclusion: Exclude URLs that originate from internal IP ranges or internal domain names (e.g., internal-repo.corp.example.com) or include a source parameter indicating internal use.
Scenario: A user is accessing a phishing simulation URL hosted by a security awareness training platform like KnowBe4 or PhishMe.
Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., phishsim.example.com, training.example.org) or include a query parameter like sim=true.
Scenario: A legitimate software deployment process uses a tool like Ansible or Chef to pull configuration files or binaries from a private artifact repository.
Filter/Exclusion: Exclude URLs that are part of a known CI/CD pipeline (e.g., artifactory.example.com, nexus.example.com) or include a ci=true or pipeline=true parameter.
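The steps above (refanging the URLhaus rows, keeping only hosts with an active URL for the `dynamic([...])` list, and suppressing the test-payload false positives) as an added Python example; it is not part of the original report. The sample CommonSecurityLog-style records and the set of exclusion flags are constructed from the scenarios listed above.

```python
from urllib.parse import urlsplit
# IOC rows copied from the URLhaus table above: (defanged URL, status).
IOCS = [
    ("hxxp://182.116.116.135:42966/bin.sh", "online"),
    ("hxxps://kevtel.com/rawww.exe", "online"),
    ("hxxp://196.251.107.217/public_files/4EsUv5e.txt", "online"),
    ("hxxp://196.251.107.217/public_files/160066.jpg?12711313", "online"),
    ("hxxp://62.60.226.200/public_files/160066.jpg?12711313p", "offline"),
    ("hxxp://toptionlab.co.za/nm.js", "offline"),
    ("hxxps://toptionlab.co.za/nm.js", "online"),
]
# Query-string flags from the false-positive scenarios above (assumed convention).
TEST_FLAGS = ("test=true", "sim=true", "ci=true", "pipeline=true")
# Constructed CommonSecurityLog-style records: (SourceIP, RequestURL).
SAMPLE_RECORDS = [
    ("10.1.2.3", "http://toptionlab.co.za/nm.js"),
    ("10.1.2.4", "https://kevtel.com/rawww.exe?test=true"),
    ("10.1.2.5", "http://62.60.226.200/public_files/160066.jpg?12711313p"),
    ("10.1.2.6", "https://updates.microsoft.com/patch.msu"),
]
def refang(url):
    """Turn a defanged hxxp(s):// URL back into a parseable http(s):// URL."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)

def active_hosts(iocs):
    """Distinct hosts (ports stripped) with at least one 'online' URL, first-seen order.
    This reproduces the query lists above, which omit the offline-only 62.60.226.200."""
    hosts = []
    for url, status in iocs:
        host = urlsplit(refang(url)).hostname
        if status == "online" and host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_dynamic(hosts):
    """Render the host list as the dynamic([...]) literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "])"

def triage(request_url, hosts):
    """Classify one record as 'hit', 'excluded' (flagged test download) or 'clean'."""
    parts = urlsplit(request_url)
    if parts.hostname not in hosts:
        return "clean"
    if any(flag in parts.query.split("&") for flag in TEST_FLAGS):
        return "excluded"
    return "hit"

def hunt(records, hosts):
    """Return only the records an analyst still needs to look at."""
    return [(ip, url) for ip, url in records if triage(url, hosts) == "hit"]
```

Note that `active_hosts` drops 62.60.226.200 because its only URL is offline, so the constructed record for it comes back `clean`; a retrospective hunt over older logs would want the offline hosts included as well.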