The detection identifies potential adversary activity involving malicious URLs associated with a ransomware-as-a-service (RaaS) framework, indicating an active compromise or exfiltration attempt. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware threats before they cause significant data loss or operational disruption.
IOC Summary

Threat: rat
Total URLs: 4
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://baskor.mypi.co/optimized_MSI.png | online | malware_download | 2026-06-15 |
| hxxps://nickart.ro/img_014506.png | online | malware_download | 2026-06-15 |
| hxxps://web.opendrive.com/api/v1/download/file.json/ODVfODYxODAzNTBf?temp_key=%A2%9Bb%9A%2C%DEt%C4%88%A6x&inline=0 | online | malware_download | 2026-06-15 |
| hxxps://od.lk/d/ODVfODYxODAzNTBf/optimized_MSI.png | offline | malware_download | 2026-06-15 |
Hunting Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: rat
let malicious_domains = dynamic(["baskor.mypi.co", "web.opendrive.com", "nickart.ro"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: rat
let malicious_domains = dynamic(["baskor.mypi.co", "web.opendrive.com", "nickart.ro"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
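An empty hunt result only means "no hits" if both tables are actually ingesting. The query below is an added example, not part of the original page; it assumes a standard Log Analytics workspace and uses `withsource` so the row count and last-seen time are reported per table.

```kusto
// Added example (not from the original page): confirm that DnsEvents and
// CommonSecurityLog are receiving data before trusting an empty hunt result.
// isfuzzy=true keeps the query valid when one of the tables does not exist yet
// (for example, before the data connector has been enabled).
union withsource=SourceTable isfuzzy=true DnsEvents, CommonSecurityLog
| where TimeGenerated > ago(7d)
| summarize Rows = count(),
            LastSeen = max(TimeGenerated),
            ReportingHosts = dcount(Computer)
  by SourceTable
```

If a table is missing from the output, or LastSeen is hours old on a feed that should be continuous, fix ingestion before drawing conclusions from the hunts above.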
False Positive Scenarios

Scenario: A system administrator is manually testing a new endpoint security tool by visiting a known benign test URL that is mistakenly flagged as a RAT URL.
Filter/Exclusion: Exclude URLs that match known test environments or internal testing domains (e.g., test.example.com, internal-testing.lab).

Scenario: A scheduled job runs a script that downloads a legitimate software update from a trusted source, which coincidentally matches a URL in the URLhaus RAT list.
Filter/Exclusion: Exclude URLs that match known software update servers (e.g., updates.microsoft.com, download.docker.com).

Scenario: A user is accessing a legitimate remote desktop service (e.g., RDP or TeamViewer) from a known internal IP range, which is falsely identified as a RAT URL.
Filter/Exclusion: Exclude connections originating from internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) or known remote access tools (e.g., TeamViewer, AnyDesk).

Scenario: A DevOps pipeline is executing a CI/CD job that pulls a dependency from a public repository, and the URL of the dependency is falsely flagged as a RAT URL.
Filter/Exclusion: Exclude URLs that match known package managers or repositories (e.g., npmjs.org, maven.apache.org, pypi.org).

Scenario: An IT helpdesk technician is using a remote support tool (e.g., LogMeIn, Remote Desktop) to assist an end-user, and the connection is flagged as a RAT URL.
Filter/Exclusion: Exclude connections initiated from known helpdesk IP ranges or remote support tools (e.g., logmein.com, remotedesktop.microsoft.com).
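The following query is an added example, not part of the original page, that folds the exclusions above into the web-traffic hunt. Two things differ from the domain-only query earlier: it matches host plus URL path taken from the IOC Summary table, because web.opendrive.com and od.lk are shared file-hosting services where a bare domain match would flag every legitimate download; and it applies the allowlist hosts named in the scenarios to the IOC list itself, so that a feed entry sitting on an allowlisted host is dropped rather than alerted on. The helpdesk subnet 10.50.0.0/16 is an assumed placeholder.

```kusto
// Added example (not from the original page). Matches URLhaus URLs on host + path
// and applies the false-positive exclusions described in the scenarios above.
//
// Allowlist built from the hosts named in the scenarios (test environments,
// update servers, package repositories, remote support tools).
let allowed_hosts = dynamic([
    "test.example.com", "internal-testing.lab",
    "updates.microsoft.com", "download.docker.com",
    "npmjs.org", "maven.apache.org", "pypi.org",
    "logmein.com", "remotedesktop.microsoft.com"
]);
// IOC list: host and path prefix taken from the IOC Summary table. od.lk is offline
// in URLhaus but kept so the hunt can look back over older logs.
// Allowlisted hosts are removed from the IOC list here, which only matters once this
// table is fed from a bulk URLhaus export rather than the four entries on this page.
let ioc_urls = datatable(Host:string, PathPrefix:string) [
    "baskor.mypi.co",    "/optimized_MSI.png",
    "nickart.ro",        "/img_014506.png",
    "web.opendrive.com", "/api/v1/download/file.json/ODVfODYxODAzNTBf",
    "od.lk",             "/d/ODVfODYxODAzNTBf/optimized_MSI.png"
]
| where not(Host in (allowed_hosts));
// Assumed placeholder for the helpdesk subnet; replace with the real range.
let helpdesk_ranges = dynamic(["10.50.0.0/16"]);
let lookback = 30d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
| extend Host = tolower(tostring(Parsed.Host)), Path = tostring(Parsed.Path)
| join kind=inner ioc_urls on Host          // exact host match, not a substring match
| where Path startswith PathPrefix           // then confirm the URLhaus path
// coalesce: an empty or unparseable SourceIP must not silently drop the row
| where coalesce(ipv4_is_in_any_range(SourceIP, helpdesk_ranges), false) == false
| project TimeGenerated, SourceIP, SourceUserName, Host, Path, RequestURL,
          DeviceAction, DeviceVendor
| order by TimeGenerated desc
```

The scenario that suggests excluding all of 10.0.0.0/8 and 192.168.0.0/16 is deliberately not applied: on a proxy or firewall feed SourceIP is almost always the internal client, so that exclusion would empty the hunt. Exclude specific helpdesk or admin subnets instead, as above. The DnsEvents query cannot benefit from path matching, since DNS carries only the host name, so DNS hits on a shared hosting domain such as web.opendrive.com should be treated as low-confidence and corroborated against this query.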