The hypothesis is that the detected URLs are associated with Mirai botnet infrastructure, potentially used to compromise IoT devices and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage Mirai-related attacks before they lead to large-scale botnet activity.
IOC Summary

Threat: mirai
Total URLs: 56
Active URLs: 55
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.146/hiddenbin/boatnet.m68k | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.arm6 | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.mips | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.arm7 | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.arm | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.arm5 | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/x86_64 | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.ppc | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.mpsl | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.arc | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/ohshit.sh | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.x86 | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/hiddenbin/boatnet.sh4 | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/mips | offline | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/arm | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/armv5l | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/spc | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/armv7l | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/sh4 | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/ppc | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/mpsl | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/armv6l | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/cat.sh | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/manual.sh | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/m68k | online | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// The IOC list holds IP literals rather than hostnames, so the query name
// alone will seldom match; the resolved addresses are checked as well.
let malicious_domains = dynamic(["151.242.30.51", "176.65.139.146", "64.89.161.130"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
// DestinationIP is included because the IOC hosts are IP literals and a proxy
// or firewall may log only the destination address, not a hostname or URL.
let malicious_domains = dynamic(["151.242.30.51", "176.65.139.146", "64.89.161.130"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
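The IOC table and the hunting queries above are usually joined by a small piece of tooling: read the defanged URLhaus rows, reduce them to distribution hosts, emit the `dynamic([...])` literal the queries use, and check a log sample before the query is run at scale. The following Python is an added example written for this page, not code from the original write-up or from URLhaus or Sentinel. It assumes the rows are defanged with `hxxp` as shown in the table, and the proxy log lines are a constructed sample format, not a real Sentinel schema. It matches on the host rather than the full URL, which also catches a binary on the same server that the feed does not yet list.

```python
"""Turn the URLhaus IOC rows into Sentinel hunt inputs and test them offline.

Added example for this write-up, not code from the original page or from
URLhaus/Sentinel. Assumptions: IOC rows are defanged with 'hxxp' as in the
table above; the proxy log lines below are a constructed sample format,
not a real Sentinel schema.
"""
import re
from urllib.parse import urlparse

# A subset of the defanged rows from the IOC table above.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.146/hiddenbin/boatnet.m68k | online | malware_download | 2026-05-25 |
| hxxp://176.65.139.146/ohshit.sh | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/x86_64 | online | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/bins/mips | offline | malware_download | 2026-05-25 |
| hxxp://64.89.161.130/cat.sh | online | malware_download | 2026-05-25 |
"""

# Constructed proxy log lines: "<timestamp> <source-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2026-05-25T10:01:02Z 10.0.0.5 GET http://176.65.139.146/hiddenbin/boatnet.arm7 200",
    "2026-05-25T10:01:09Z 10.0.0.7 GET https://updates.microsoft.com/download/x.cab 200",
    "2026-05-25T10:02:33Z 10.0.0.9 GET http://64.89.161.130/bins/armv7l 403",
]


def refang(url: str) -> str:
    """Undo common defanging: hxxp -> http and [.] -> . (the string stays inert until used)."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).replace("[.]", ".")


def parse_ioc_table(table: str) -> list[dict]:
    """Parse '| url | status | threat | date |' rows; header and separator rows are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].lower().startswith("hxxp"):
            continue
        rows.append({"url": refang(cells[0]), "status": cells[1],
                     "threat": cells[2], "date": cells[3]})
    return rows


def ioc_hosts(rows: list[dict]) -> list[str]:
    """Distinct hosts (IP literals here) from the IOC URLs, sorted for stable output.

    Offline entries are kept: a host that served payloads yesterday is still worth hunting."""
    return sorted({urlparse(r["url"]).hostname for r in rows})


def build_kql(hosts: list[str], table: str = "CommonSecurityLog") -> str:
    """Render the host list as the dynamic() literal used by the hunting queries above."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return (
        f"let malicious_domains = dynamic([{quoted}]);\n"
        f"{table}\n"
        f"| where DestinationIP has_any (malicious_domains)\n"
        f"    or DestinationHostName has_any (malicious_domains)\n"
        f"    or RequestURL has_any (malicious_domains)\n"
        f"| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceAction"
    )


def match_proxy_logs(log_lines: list[str], rows: list[dict]) -> list[dict]:
    """Return requests whose URL host is an IOC host.

    Matching on the host rather than the full URL also catches paths that are
    not (yet) in the feed, such as another architecture's binary on the same
    server. A blocked request (HTTP 403) is still reported: the device tried."""
    hosts = set(ioc_hosts(rows))
    hits = []
    for line in log_lines:
        ts, src, method, url, status = line.split()
        if urlparse(url).hostname in hosts:
            hits.append({"time": ts, "src": src, "url": url, "status": int(status)})
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print(build_kql(ioc_hosts(iocs)))
    for hit in match_proxy_logs(SAMPLE_PROXY_LOG, iocs):
        print(f"HIT {hit['time']} {hit['src']} -> {hit['url']} ({hit['status']})")
```

Run as a script it prints the generated KQL and the two matching sample requests, including the one that was blocked with a 403: the download failed, but the device that attempted it still needs triage.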
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus
Description: A system update or patch is downloaded from a URLhaus-listed domain, which is mistakenly flagged as Mirai-related.
Filter/Exclusion: Exclude URLs associated with known system update repositories (e.g., https://updates.microsoft.com, https://dl.google.com).
Scenario: Scheduled backup job using a Mirai-tagged URL
Description: A backup job is configured to store backups at a URLhaus-listed URL, and the resulting traffic is incorrectly flagged as Mirai-related.
Filter/Exclusion: Exclude URLs that match known backup storage endpoints (e.g., https://backup.example.com, https://cloud.example.com/backup).
Scenario: Admin task using a Mirai-tagged URL for asset inventory
Description: An admin task is using a URLhaus-listed URL to fetch asset inventory data from an internal tool, which is flagged as Mirai-related.
Filter/Exclusion: Exclude URLs that match internal asset management tools (e.g., https://inventory.example.com, https://assetdb.example.com).
Scenario: CI/CD pipeline artifact download from a Mirai-tagged URL
Description: A CI/CD pipeline is downloading a build artifact from a URLhaus-listed URL, which is incorrectly flagged as Mirai-related.
Filter/Exclusion: Exclude URLs that match known CI/CD artifact repositories (e.g., https://artifactory.example.com, https://nexus.example.com).
Scenario: Legitimate threat intelligence feed using a Mirai-tagged URL
Description: A security tool or SIEM is pulling threat intelligence from a URLhaus-listed URL, which is flagged as Mirai-related.
Filter/Exclusion: Exclude URLs that match known threat intelligence feeds (e.g., `https
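The exclusions in the scenarios above are all phrased as "exclude URLs that match" a known-good endpoint, and how that match is implemented decides whether the exclusion stays precise. The following Python is an added example written for this page, not code from the original write-up. The hit records are constructed, and the allowlist consists of the example hostnames the scenarios give; an organisation would substitute its own. The exclusion is keyed on the exact parsed hostname, because a substring test would also clear a request whose path or query string merely contains an allowlisted name.

```python
"""Apply the false-positive exclusions above to hunt hits without over-excluding.

Added example for this write-up, not code from the original page. The hit
records are constructed; the allowlist is made of the example hostnames the
scenarios above give and would be replaced by the organisation's own list.
"""
from urllib.parse import urlparse

# Known-good endpoints from the scenarios above (update repos, backup storage,
# asset inventory, CI/CD artifact stores). Hostnames only, compared exactly.
ALLOWLIST_HOSTS = {
    "updates.microsoft.com", "dl.google.com",
    "backup.example.com", "cloud.example.com",
    "inventory.example.com", "assetdb.example.com",
    "artifactory.example.com", "nexus.example.com",
}

# Constructed hunt hits, shaped like the rows the queries above would return.
HUNT_HITS = [
    {"src": "10.0.0.5", "url": "http://176.65.139.146/hiddenbin/boatnet.arm7"},
    {"src": "10.0.0.7", "url": "https://updates.microsoft.com/download/x.cab"},
    {"src": "10.0.0.8", "url": "http://64.89.161.130/cat.sh?ref=updates.microsoft.com"},
    {"src": "10.0.0.9", "url": "https://artifactory.example.com/repo/app-1.2.jar"},
]


def is_allowlisted(url: str) -> bool:
    """Exact, case-insensitive match on the parsed hostname.

    A substring test such as `"updates.microsoft.com" in url` would also clear
    a request whose path or query string merely contains that text, so the
    exclusion is keyed on the host component only."""
    host = (urlparse(url).hostname or "").lower()
    return host in ALLOWLIST_HOSTS


def filter_hits(hits: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split hunt hits into (kept, excluded).

    Excluded hits are returned rather than dropped so the exclusion itself can
    be audited: an allowlist entry that suppresses unexpected volume is a finding."""
    kept, excluded = [], []
    for hit in hits:
        (excluded if is_allowlisted(hit["url"]) else kept).append(hit)
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = filter_hits(HUNT_HITS)
    for hit in kept:
        print("KEEP    ", hit["src"], hit["url"])
    for hit in excluded:
        print("EXCLUDED", hit["src"], hit["url"])
```

The third constructed hit is the case that matters: its query string contains an allowlisted name, but its host is one of the IOC servers, so it is kept. The same host-exact rule carries over to KQL by comparing `DestinationHostName` against the allowlist rather than applying `has_any` to `RequestURL`.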