Adversaries may use URLs already reported as malicious (here, URLhaus entries tagged malware_download) to deliver malware into the network through phishing or compromised hosts. SOC teams should hunt for DNS resolutions of, and web requests to, these hosts in Azure Sentinel so that infections are found and contained before they spread.
IOC Summary
Threat: malware_download
Total URLs: 21
Active (online) URLs: 10
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pub-340aa1a9ccc64f6b871a4c31ff93a5a6.r2.dev/DEDEwidth1234.png | offline | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/HnDvE/ | offline | malware_download | 2026-06-09 |
| hxxps://dawn-bush-ddd1.yasminanthonyy.workers.dev/dNLRP | offline | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/pKTrG | online | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/mcslb | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/jsPtG | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/xiykS | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/22/img_102554.png | online | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/180/img_185101.png | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/fWdrA | online | malware_download | 2026-06-09 |
| hxxps://getabre.com/NDYNuw | offline | malware_download | 2026-06-09 |
| hxxps://pub-e2490b2d81b147ac978f21eab73fe8c4.r2.dev/lasaas.png | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/22/wedidbestthingswithbetterplaceformygirl.hta | offline | malware_download | 2026-06-09 |
| hxxps://getabre.com/wDUtLv | offline | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/180/wegivenbestthingsforbetterplaceforme.hta | offline | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/httpswww.pcmag.compicksthe-best-cloud-storage-and-file-sharing-servicestest_uuid=05ZUPUtSJIjL9ET37tWfQcl&test_variant=APP.php | offline | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/sqxOi | offline | malware_download | 2026-06-09 |
| hxxps://pub-ad9c25de14a347bf8934835d655aafc1.r2.dev/FILAI.png | online | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/WrkWF | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/httpswww.pcmag.compicksthe-best-cloud-storage-and-file-sharing-servicestest_uuid=05ZUPUtSJIjL9ET37tWfQcl&test_variant=EVC.php | offline | malware_download | 2026-06-09 |
| hxxp://27.215.55.30:60914/bin.sh | offline | malware_download | 2026-06-09 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// The host list covers every host in the IOC table that still has an online URL;
// add the offline hosts (getabre.com, dawn-bush-ddd1.yasminanthonyy.workers.dev,
// pub-340aa1a9ccc64f6b871a4c31ff93a5a6.r2.dev, 27.215.55.30) when hunting historical data.
let malicious_domains = dynamic(["icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "pub-e2490b2d81b147ac978f21eab73fe8c4.r2.dev", "104.168.70.165", "31.77.57.234", "pub-ad9c25de14a347bf8934835d655aafc1.r2.dev"]);
DnsEvents
| where Name has_any (malicious_domains)
// ClientIP is the host that asked; Computer is only the DNS server that logged it
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// DestinationIP is checked as well: two IOC hosts are bare IP addresses that
// will not appear in DestinationHostName on most proxies and firewalls.
let malicious_domains = dynamic(["icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev", "pub-e2490b2d81b147ac978f21eab73fe8c4.r2.dev", "104.168.70.165", "31.77.57.234", "pub-ad9c25de14a347bf8934835d655aafc1.r2.dev"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
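Maintaining the `dynamic([...])` lists by hand is error-prone once the feed grows, so the following added example (not part of the original page) turns the defanged IOC table above into the Sentinel hunting lists: it refangs `hxxp`/`hxxps`, extracts the host from each URL (stripping a port such as `:60914` for the DNS list), keeps only hosts with an online URL by default, and renders the KQL `let` statements. The table is embedded verbatim from the page so the script runs offline; the generated query text is illustrative and its column names follow the CommonSecurityLog schema used above.

```python
"""Build Sentinel hunting lists from the URLhaus IOC table (added example)."""
import json
from urllib.parse import urlsplit

# The rows of the IOC table above, copied verbatim so the script runs offline.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://pub-340aa1a9ccc64f6b871a4c31ff93a5a6.r2.dev/DEDEwidth1234.png | offline | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/HnDvE/ | offline | malware_download | 2026-06-09 |
| hxxps://dawn-bush-ddd1.yasminanthonyy.workers.dev/dNLRP | offline | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/pKTrG | online | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/mcslb | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/jsPtG | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/xiykS | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/22/img_102554.png | online | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/180/img_185101.png | online | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/fWdrA | online | malware_download | 2026-06-09 |
| hxxps://getabre.com/NDYNuw | offline | malware_download | 2026-06-09 |
| hxxps://pub-e2490b2d81b147ac978f21eab73fe8c4.r2.dev/lasaas.png | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/22/wedidbestthingswithbetterplaceformygirl.hta | offline | malware_download | 2026-06-09 |
| hxxps://getabre.com/wDUtLv | offline | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/180/wegivenbestthingsforbetterplaceforme.hta | offline | malware_download | 2026-06-09 |
| hxxp://31.77.57.234/httpswww.pcmag.compicksthe-best-cloud-storage-and-file-sharing-servicestest_uuid=05ZUPUtSJIjL9ET37tWfQcl&test_variant=APP.php | offline | malware_download | 2026-06-09 |
| hxxps://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/sqxOi | offline | malware_download | 2026-06-09 |
| hxxps://pub-ad9c25de14a347bf8934835d655aafc1.r2.dev/FILAI.png | online | malware_download | 2026-06-09 |
| hxxp://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/WrkWF | online | malware_download | 2026-06-09 |
| hxxp://104.168.70.165/httpswww.pcmag.compicksthe-best-cloud-storage-and-file-sharing-servicestest_uuid=05ZUPUtSJIjL9ET37tWfQcl&test_variant=EVC.php | offline | malware_download | 2026-06-09 |
| hxxp://27.215.55.30:60914/bin.sh | offline | malware_download | 2026-06-09 |
"""


def refang(url: str) -> str:
    """Undo the hxxp/hxxps and [.] defanging used in IOC feeds."""
    url = url.replace("[.]", ".")
    low = url.lower()
    if low.startswith("hxxps://"):
        return "https://" + url[8:]
    if low.startswith("hxxp://"):
        return "http://" + url[7:]
    return url


def parse_ioc_table(text: str) -> list[dict]:
    """Parse markdown rows (with or without a leading pipe) into IOC records."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip blank lines, the header row and the |---| separator row.
        if len(cells) < 4 or cells[0] == "URL" or set(cells[0]) <= {"-"}:
            continue
        url = refang(cells[0])
        parts = urlsplit(url)
        rows.append({"url": url, "host": parts.hostname, "netloc": parts.netloc,
                     "status": cells[1], "threat": cells[2], "added": cells[3]})
    return rows


def hunt_hosts(iocs: list[dict], include_offline: bool = False) -> list[str]:
    """Distinct hosts (no port) for DNS and proxy matching; online-only by default."""
    return sorted({r["host"] for r in iocs if include_offline or r["status"] == "online"})


def hunt_urls(iocs: list[dict], include_offline: bool = False) -> list[str]:
    """Distinct refanged URLs for exact RequestURL matching."""
    return sorted({r["url"] for r in iocs if include_offline or r["status"] == "online"})


def kql_dynamic(values) -> str:
    """Render a list as a KQL dynamic([...]) literal; json.dumps does the quoting."""
    return "dynamic(" + json.dumps(list(values)) + ")"


def render_hunt(iocs: list[dict], include_offline: bool = False) -> str:
    """Emit a CommonSecurityLog hunt that matches on host, destination IP and full URL."""
    return "\n".join([
        "// Generated from the IOC table; threat: malware_download",
        f"let malicious_hosts = {kql_dynamic(hunt_hosts(iocs, include_offline))};",
        f"let malicious_urls = {kql_dynamic(hunt_urls(iocs, include_offline))};",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_hosts)",
        "    or DestinationHostName in~ (malicious_hosts)",
        "    or DestinationIP in (malicious_hosts)",
        "    or RequestURL in~ (malicious_urls)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    print(render_hunt(parse_ioc_table(IOC_TABLE), include_offline=True))
```

Run it with `include_offline=True` for retrospective hunts: an offline URL today may still have been fetched last week, and the five-host list in the queries above only covers hosts that were online on the feed date.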
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A scheduled update or patching job downloads from a vendor host and the hunt flags it, typically because the feed entry is stale or the match is broader than the exact IOC host.
Filter/Exclusion: Exclude only exact, known update hosts (e.g., https://updates.microsoft.com, https://dl.google.com/linux), ideally kept in a Sentinel watchlist, and match the IOC host exactly rather than its parent domain (workers.dev and r2.dev are shared platforms with many unrelated tenants).
Scenario: Admin Access via Remote Desktop
Description: An admin reaches a remote server through a remote desktop gateway or client (e.g., mstsc.exe, rdesktop) and the gateway address is flagged as malicious.
Filter/Exclusion: Exclude the exact gateway hosts or the internal IP ranges used for RDP. Do not exclude on path substrings such as rdp or mstsc; an attacker controls the path of a malicious URL and can include any such string.
Scenario: Log Collection via SIEM Tools
Description: A SIEM or log-forwarding tool (e.g., Splunk, ELK) collects logs from remote servers and the collection endpoint is falsely flagged as malicious.
Filter/Exclusion: Exclude the exact SIEM or log management endpoints (e.g., https://splunk-logs.example.com, https://logstash.example.com).
Scenario: Software Deployment via Configuration Management
Description: A configuration management tool (e.g., Ansible, Puppet) downloads a package from a trusted repository (e.g., https://repo.example.com) that is mistakenly tagged as malicious.
Filter/Exclusion: Exclude the exact hosts of internal artifact repositories and package mirrors (e.g., https://artifactory.example.com).
Scenario: Internal Monitoring Tool with External API
Description: An internal monitoring tool (e.g., Prometheus, Grafana) calls an external API (e.g., https://api.example.com/metrics) that is flagged as malicious due to a false positive.
Filter/Exclusion:
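The scenarios above all come down to one rule: exclusions must key on the exact destination host, never on a substring of the URL. The following added example (not part of the original page) applies that rule to a few constructed CommonSecurityLog-shaped records and contrasts it with the substring approach, which suppresses a real hit as soon as an attacker puts `rdp` or an allowlisted hostname in the path. The allowlist hosts are hypothetical and taken from the scenario text; the IOC hosts are the five online hosts from the table.

```python
"""Exact-host exclusions versus substring exclusions for IOC hits (added example)."""
from urllib.parse import urlsplit

# Hosts from the IOC table that still have an online URL.
IOC_HOSTS = {
    "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev",
    "pub-e2490b2d81b147ac978f21eab73fe8c4.r2.dev",
    "pub-ad9c25de14a347bf8934835d655aafc1.r2.dev",
    "104.168.70.165",
    "31.77.57.234",
}

# Hypothetical allowlist assembled from the scenarios above; exact hosts only.
ALLOWED_HOSTS = {
    "updates.microsoft.com", "dl.google.com", "splunk-logs.example.com",
    "logstash.example.com", "artifactory.example.com", "api.example.com",
}

# Constructed proxy records in CommonSecurityLog shape; not real traffic.
SAMPLE_PROXY_LOG = [
    {"SourceIP": "10.20.1.15", "DeviceAction": "allow",
     "RequestURL": "http://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/pKTrG"},
    {"SourceIP": "10.20.1.16", "DeviceAction": "allow",
     "RequestURL": "https://dl.google.com/linux/chrome/deb/dists/stable/Release"},
    # IOC host with an allowlisted name and 'rdp' placed in the path by the attacker.
    {"SourceIP": "10.20.1.17", "DeviceAction": "allow",
     "RequestURL": "http://31.77.57.234/rdp/updates.microsoft.com/mstsc.hta"},
    # Different tenant on the same shared platform; a parent-domain match would flag it.
    {"SourceIP": "10.20.1.18", "DeviceAction": "allow",
     "RequestURL": "https://pub-0000.r2.dev/team-logo.png"},
]


def url_host(url: str) -> str:
    """Exact host of a URL, lower-cased, without scheme, port, path or query."""
    return (urlsplit(url).hostname or "").lower()


def verdict(record: dict, ioc_hosts=IOC_HOSTS, allowed=ALLOWED_HOSTS) -> str:
    """'hit' for an IOC host, 'allowlisted' if that IOC host is a known-good
    host (review the feed entry), 'clean' otherwise. Exact host match only."""
    host = url_host(record["RequestURL"])
    if host in ioc_hosts:
        return "allowlisted" if host in allowed else "hit"
    return "clean"


def naive_verdict(record: dict, ioc_hosts=IOC_HOSTS, allowed=ALLOWED_HOSTS) -> str:
    """The substring approach the scenarios warn against: any excluded token
    anywhere in the URL suppresses the alert, even on an IOC host."""
    url = record["RequestURL"].lower()
    if not any(h in url for h in ioc_hosts):
        return "clean"
    if any(tok in url for tok in ("rdp", "mstsc")) or any(h in url for h in allowed):
        return "suppressed"
    return "hit"


def triage(records: list[dict]) -> list[tuple[str, str, str]]:
    """(SourceIP, exact-host verdict, substring verdict) per record."""
    return [(r["SourceIP"], verdict(r), naive_verdict(r)) for r in records]


if __name__ == "__main__":
    for src, exact, naive in triage(SAMPLE_PROXY_LOG):
        print(f"{src:12} exact={exact:12} substring={naive}")
```

In Sentinel the same exact-host check is `| where DestinationHostName !in~ ((_GetWatchlist('AllowedHosts') | project SearchKey))`, with the watchlist holding bare hostnames rather than URL fragments.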