This hunt looks for hosts that resolved or requested the URLhaus-listed URLs currently serving PureHVNC, a hidden-VNC remote access tool, at the download stage of the intrusion. Because these URLs deliver the initial payload, SOC teams should run the queries below in Azure Sentinel (Microsoft Sentinel) to surface early-stage compromises before the operator gains interactive control, moves laterally, or exfiltrates data.
IOC Summary
Threat: PureHVNC | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://solar-sanat.net/eagleClient004.exe | online | malware_download | 2026-06-03 |
| hxxps://solar-sanat.net/EagleWingsDNA04.exe | online | malware_download | 2026-06-03 |

Both URLs are defanged (hxxps); both sit on the same domain, so the hunts below key on the domain rather than the individual URL paths, which the operator can rotate freely.
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: PureHVNC
// has_any is term-based, so "solar-sanat.net" also matches subdomains such as
// cdn.solar-sanat.net; ClientIP identifies the host that issued the query.
let malicious_domains = dynamic(["solar-sanat.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: PureHVNC
// DeviceAction shows whether the proxy/firewall allowed or blocked the request;
// an allowed request for one of the .exe paths means the payload reached the host.
let malicious_domains = dynamic(["solar-sanat.net"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Enable the DNS data connector; without it the first query returns nothing rather than "no hits" |
| CommonSecurityLog | Enable a CEF connector for the web proxy or firewall; RequestURL is only populated when the device logs full URLs (for HTTPS this requires TLS inspection), otherwise rely on DestinationHostName |
Scenario: An analyst or sandbox deliberately downloads one of the samples from the URLhaus listing for analysis.
Filter/Exclusion: Exclude by the Computer/SourceIP of the isolated analysis hosts, after confirming they are isolated. Never exclude the indicator itself; a later hit on the same domain from a workstation is exactly what the hunt exists to find.

Scenario: A scheduled job updates the internal threat intelligence feed with URLs from URLhaus.
Filter/Exclusion: The IOC strings travel inside the downloaded feed, while the request itself goes to the feed provider, so neither query should match on Name or DestinationHostName. If a proxy does log URL strings seen in response bodies, exclude by the DestinationHostName of the trusted feed source, not by the indicator.

Scenario: The security team uses PowerShell, Python, curl or wget to retrieve the listed URLs for an assessment.
Filter/Exclusion: Exclude by the source hosts used for that work, optionally combined with the user agent (RequestClientApplication in CommonSecurityLog) of the assessment tooling. Keep the exclusion scoped to those hosts so the same tools run from an ordinary workstation still alert.

Scenario: The proxy or firewall blocked the request (DeviceAction shows a block).
Filter/Exclusion: Not a false positive. The host still attempted the download, which usually means a user opened the lure; triage it at lower priority than an allowed download, but do not exclude it.

Because the indicator is an exact external domain, legitimate internal portals, authentication systems or configuration servers cannot match it, so broad exclusions on internal domain patterns or server IP ranges are unnecessary for this hunt and only risk hiding a real hit.
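The following Python script is an added example, not code from the original page, URLhaus or Microsoft. It turns the page's two defanged IOC rows into the hunt's domain list, emits the DnsEvents query in the same shape as the one above, and dry-runs the matching and exclusion rules from the false-positive scenarios against constructed DnsEvents and CommonSecurityLog-style records. The host matching is deliberately stricter than KQL `has_any`: it accepts the domain and its subdomains only, and matches on the URL's host rather than anywhere in the URL string, so a threat-feed download that merely carries the IOC text does not fire. All log records, hostnames and IP addresses in it are constructed for the example.

```python
"""
Added example (not from the original page, URLhaus or Microsoft): build the
hunt's domain list from defanged URLhaus rows, generate the KQL, and dry-run
the match and exclusion rules against constructed telemetry before deploying.
Every log record below is constructed for this example, not real data.
"""
import re
from urllib.parse import urlparse

# The two rows from the page's IOC table (URL, status, threat, date added).
IOC_ROWS = [
    ("hxxps://solar-sanat.net/eagleClient004.exe", "online", "malware_download", "2026-06-03"),
    ("hxxps://solar-sanat.net/EagleWingsDNA04.exe", "online", "malware_download", "2026-06-03"),
]


def refang(url):
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL parses."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_domains(rows):
    """Unique, lower-cased hostnames from the IOC URLs; the hunt keys on the domain."""
    return sorted({urlparse(refang(r[0])).hostname.lower() for r in rows})


def host_matches(host, domains):
    """Exact or subdomain match on a hostname.

    Stricter than KQL has_any on the DNS name: 'cdn.solar-sanat.net' matches,
    'notsolar-sanat.net' and 'solar-sanat.net.example.com' do not.
    """
    h = (host or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def url_matches(url, domains):
    """Match on the URL's host only, so an IOC string in a path or query
    (e.g. a threat-feed download) does not count as a hit."""
    try:
        return host_matches(urlparse(url).hostname, domains)
    except ValueError:
        return False


def kql_dns_hunt(domains):
    """Emit the DnsEvents hunt in the same shape as the page's query."""
    lst = ", ".join('"%s"' % d for d in domains)
    return (
        "let malicious_domains = dynamic([%s]);\n" % lst
        + "DnsEvents\n"
        + "| where Name has_any (malicious_domains)\n"
        + "| project TimeGenerated, Computer, Name, IPAddresses\n"
        + "| order by TimeGenerated desc"
    )


# Constructed sample telemetry shaped like DnsEvents and CommonSecurityLog rows.
DNS_EVENTS = [
    {"Computer": "WS-017", "Name": "solar-sanat.net", "IPAddresses": "203.0.113.10"},
    {"Computer": "WS-017", "Name": "cdn.solar-sanat.net", "IPAddresses": "203.0.113.11"},
    {"Computer": "WS-022", "Name": "notsolar-sanat.net", "IPAddresses": "198.51.100.5"},
    {"Computer": "WS-030", "Name": "login.microsoftonline.com", "IPAddresses": "20.190.0.1"},
]
PROXY_EVENTS = [
    {"SourceIP": "10.0.0.17", "RequestURL": "https://solar-sanat.net/eagleClient004.exe",
     "DestinationHostName": "solar-sanat.net", "DeviceAction": "allowed"},
    {"SourceIP": "10.0.0.40", "RequestURL": "https://solar-sanat.net/EagleWingsDNA04.exe",
     "DestinationHostName": "solar-sanat.net", "DeviceAction": "blocked"},
    # Scheduled TI feed update: the IOC text is in the response body, the
    # request goes to the feed provider, so it must not be reported as a hit.
    {"SourceIP": "10.0.0.50", "RequestURL": "https://urlhaus.abuse.ch/downloads/csv_recent/",
     "DestinationHostName": "urlhaus.abuse.ch", "DeviceAction": "allowed"},
]


def hunt(dns_events, proxy_events, domains, excluded_sources=()):
    """Apply both hunts. excluded_sources holds Computer/SourceIP values of isolated
    analysis hosts, the only exclusion that is safe (the IOC itself is never dropped).
    Returns (dns_hits, allowed_downloads, blocked_attempts); blocked attempts are
    kept so the lure click can still be triaged."""
    dns_hits = [e for e in dns_events
                if e["Computer"] not in excluded_sources and host_matches(e["Name"], domains)]
    proxy_hits = [e for e in proxy_events
                  if e["SourceIP"] not in excluded_sources
                  and (url_matches(e["RequestURL"], domains)
                       or host_matches(e["DestinationHostName"], domains))]
    allowed = [e for e in proxy_hits if e["DeviceAction"].lower() != "blocked"]
    blocked = [e for e in proxy_hits if e["DeviceAction"].lower() == "blocked"]
    return dns_hits, allowed, blocked


if __name__ == "__main__":
    domains = ioc_domains(IOC_ROWS)
    print(kql_dns_hunt(domains))
    dns_hits, allowed, blocked = hunt(DNS_EVENTS, PROXY_EVENTS, domains)
    for e in dns_hits:
        print("DNS resolution:", e["Computer"], e["Name"])
    for e in allowed:
        print("DOWNLOAD ALLOWED:", e["SourceIP"], e["RequestURL"])
    for e in blocked:
        print("attempt blocked:", e["SourceIP"], e["RequestURL"])
```

Run as-is, it reports the two DNS resolutions from WS-017, the allowed download from 10.0.0.17 and the blocked attempt from 10.0.0.40, and ignores both the look-alike name and the feed download. Passing `excluded_sources={"WS-017", "10.0.0.17"}` models the analyst-host exclusion and removes only those rows, which is the scope an exclusion for this hunt should have.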