The ThreatFox: FAKEUPDATES IOCs detection rule identifies potential adversary activity linked to a known malicious campaign distributing fake software updates, which could be used to deploy malware or steal credentials. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage compromise attempts by threat actors leveraging social engineering and supply chain attacks.
IOC Summary
Malware Family: FAKEUPDATES
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dev-portal.ptbaconsulting.com | botnet_cc | 2026-05-19 | 100% |
| domain | api.operilezabre.com | payload_delivery | 2026-05-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - FAKEUPDATES
let malicious_domains = dynamic(["dev-portal.ptbaconsulting.com", "api.operilezabre.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update Job
Description: A scheduled job runs wuauclt.exe (Windows Update Agent) to check for and install updates.
Filter/Exclusion: Exclude processes where the parent process is svchost.exe and the command line includes /detectnow or /updatenow.

Scenario: Admin Performing Manual System Update
Description: An administrator manually initiates a system update using the wuauclt.exe tool.
Filter/Exclusion: Exclude processes with the user context of a known admin account and command lines containing /detectnow or /updatenow.

Scenario: Scheduled Antivirus Scan Using Windows Defender
Description: A scheduled antivirus scan is initiated by Windows Defender, which may use similar process names or behaviors.
Filter/Exclusion: Exclude processes where the parent is services.exe and the process name is MsMpEng.exe or MsMpSta.exe.

Scenario: PowerShell Script for Patch Management
Description: A PowerShell script is used to automate patch management tasks, which may invoke update-related processes.
Filter/Exclusion: Exclude processes where the command line includes -File or -ScriptBlock and the script path is within a known enterprise patch management directory.

Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) triggers a software update deployment, which may involve update-related processes.
Filter/Exclusion: Exclude processes where the parent is lsass.exe and the command line includes gpupdate or wuauclt.exe with /detectnow.
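As an added example (not part of the original rule), the same two ThreatFox domains hunted across both DnsEvents and Defender for Endpoint's DeviceNetworkEvents, normalised into one result set so every hit carries the initiating process and account and can be triaged against the exclusion scenarios above instead of being filtered out blindly. It assumes the Microsoft Defender for Endpoint connector is enabled; the 30-day window and the column aliases (Host, Indicator, Process) are my choices.

```kql
// Added example: cross-table hunt for ThreatFox FAKEUPDATES domains.
// DnsEvents gives the resolving host only; DeviceNetworkEvents also names the
// process behind the connection, which is what the scenarios above key on.
let malicious_domains = dynamic(["dev-portal.ptbaconsulting.com", "api.operilezabre.com"]);
let lookback = 30d;
// DNS telemetry (Log Analytics agent / DNS Analytics connector)
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback)
| where Name has_any (malicious_domains)
| extend Host = Computer, Indicator = Name, Process = "", CommandLine = "",
         Account = "", Source = "DnsEvents";
// Endpoint network telemetry (Microsoft Defender for Endpoint connector, assumed enabled);
// RemoteUrl is only populated when the endpoint knows the hostname, so this is a
// complement to the DNS view, not a replacement for it.
let net_hits = DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where RemoteUrl has_any (malicious_domains)
| extend Host = DeviceName, Indicator = RemoteUrl, Process = InitiatingProcessFileName,
         CommandLine = InitiatingProcessCommandLine, Account = InitiatingProcessAccountName,
         Source = "DeviceNetworkEvents";
union dns_hits, net_hits
// One row per host/indicator/process so a beaconing pattern shows up as a high Hits count
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            CommandLines = make_set(CommandLine, 5), Accounts = make_set(Account, 5)
            by Host, Indicator, Process, Source
| order by LastSeen desc
```

A hit whose Process matches one of the update tools named in the scenarios still warrants a look: those tools have no legitimate reason to reach a 100%-confidence botnet_cc or payload_delivery domain, so the process column is for prioritising analyst review, not for automatic suppression.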