The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to SmartApeSG, a threat cluster that ThreatFox associates with malware distribution and command-and-control infrastructure. Every indicator in this batch is tagged payload_delivery, so a hit most likely means a host fetched (or a user clicked) a first-stage loader, not that it is already beaconing. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to surface early-stage compromise attempts before a second-stage payload lands.
IOC Summary
Malware Family: SmartApeSG
Total IOCs: 10
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://dyuthiengineering.com/d.js | payload_delivery | 2026-05-07 | 100% |
| domain | dyuthiengineering.com | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://openrelayzone.top/rate/rate-effect.js | payload_delivery | 2026-05-07 | 100% |
| domain | openrelayzone.top | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://openrelayzone.top/rate/principal-client.php | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://openrelayzone.top/rate/api-template.js | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://178[.]156[.]241[.]213 | payload_delivery | 2026-05-07 | 100% |
| url | hxxp://5[.]78[.]87[.]19 | payload_delivery | 2026-05-07 | 100% |
| url | hxxps://advancedpatternlab.com/yup | payload_delivery | 2026-05-07 | 100% |
| domain | advancedpatternlab.com | payload_delivery | 2026-05-07 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["dyuthiengineering.com", "openrelayzone.top", "advancedpatternlab.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
let malicious_urls = dynamic(["https://dyuthiengineering.com/d.js", "https://openrelayzone.top/rate/rate-effect.js", "https://openrelayzone.top/rate/principal-client.php", "https://openrelayzone.top/rate/api-template.js", "http://178.156.241.213", "http://5.78.87.19", "https://advancedpatternlab.com/yup"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
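The two queries above hard-code refanged copies of the table, which drift as soon as ThreatFox publishes a new batch. The following is an added example, not code from the ThreatFox page or from Microsoft: it takes the IOC rows exactly as published (defanged), refangs them, splits them into the domain, URL and bare-IP lists the queries need, renders the KQL `dynamic([...])` literals, and runs an offline matcher over a few constructed DNS and Safe Links click records so the matching rules can be checked before they are turned into a Sentinel analytic. The sample telemetry, host names and user names are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IOC rows copied from the table above, defanged exactly as ThreatFox publishes them.
IOC_ROWS = [
    ("url", "hxxps://dyuthiengineering.com/d.js"),
    ("domain", "dyuthiengineering.com"),
    ("url", "hxxps://openrelayzone.top/rate/rate-effect.js"),
    ("domain", "openrelayzone.top"),
    ("url", "hxxps://openrelayzone.top/rate/principal-client.php"),
    ("url", "hxxps://openrelayzone.top/rate/api-template.js"),
    ("url", "hxxp://178[.]156[.]241[.]213"),
    ("url", "hxxp://5[.]78[.]87[.]19"),
    ("url", "hxxps://advancedpatternlab.com/yup"),
    ("domain", "advancedpatternlab.com"),
]

def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] / (dot) -> '.', [:] -> ':'."""
    v = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(dot)", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(bad, good)
    return v

def split_iocs(rows):
    """Return (domains, urls, ips). Hosts of URL indicators are added to the domain
    list (a DNS hunt sees the name, not the path); bare-IP URLs go to a separate IP
    list instead, because DnsEvents will never contain them."""
    domains, urls, ips = set(), [], set()
    for kind, raw in rows:
        val = refang(raw)
        if kind == "domain":
            domains.add(val.lower())
        elif kind == "url":
            urls.append(val)
            host = (urlsplit(val).hostname or "").lower()
            try:
                ips.add(str(ipaddress.ip_address(host)))
            except ValueError:
                domains.add(host)
    return sorted(domains), urls, sorted(ips)

def domain_matches(query_name: str, domains) -> bool:
    """Label-boundary suffix match: 'cdn.openrelayzone.top' hits 'openrelayzone.top';
    'notopenrelayzone.top' and 'openrelayzone.top.corp.example' do not."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

def _norm_url(u: str):
    p = urlsplit(u)
    # Ignore query string and trailing slash: scheme, host and path identify the payload.
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path.rstrip("/"))

def url_matches(url: str, urls) -> bool:
    return _norm_url(url) in {_norm_url(u) for u in urls}

def kql_dynamic(values) -> str:
    """Render values as the KQL dynamic([...]) literal used in the `let` lines above."""
    return "dynamic([" + ", ".join('"' + v.replace('"', '\\"') + '"' for v in values) + "])"

def build_kql_lists():
    domains, urls, ips = split_iocs(IOC_ROWS)
    return {"malicious_domains": kql_dynamic(domains),
            "malicious_urls": kql_dynamic(urls),
            "malicious_ips": kql_dynamic(ips)}

# Constructed sample telemetry (not real logs): (host, queried name) and (user, clicked URL).
SAMPLE_DNS = [
    ("ws-042", "cdn.openrelayzone.top"),             # subdomain of an IOC: hit
    ("ws-017", "openrelayzone.top."),                # trailing dot from the resolver: hit
    ("ws-099", "openrelayzone.top.corp.example"),    # search suffix appended: not a hit
    ("ws-003", "notopenrelayzone.top"),              # substring only: not a hit
    ("ws-021", "login.microsoftonline.com"),
]
SAMPLE_CLICKS = [
    ("a.user@example.com", "https://openrelayzone.top/rate/rate-effect.js"),
    ("b.user@example.com", "http://178.156.241.213/"),              # trailing slash: hit
    ("c.user@example.com", "https://advancedpatternlab.com/yup?ref=mail"),  # extra query: hit
    ("d.user@example.com", "https://advancedpatternlab.com/"),      # different path: no hit
]

def hunt(dns_events=SAMPLE_DNS, click_events=SAMPLE_CLICKS):
    """Offline equivalent of the two Sentinel queries: returns (dns hits, click hits)."""
    domains, urls, _ = split_iocs(IOC_ROWS)
    dns_hits = [host for host, name in dns_events if domain_matches(name, domains)]
    click_hits = [user for user, url in click_events if url_matches(url, urls)]
    return dns_hits, click_hits

if __name__ == "__main__":
    for name, literal in build_kql_lists().items():
        print(f"let {name} = {literal};")
    print(hunt())
```

Two things the offline matcher makes visible. First, `has_any` in the DnsEvents query is a term-phrase match, so a name like `openrelayzone.top.corp.example` (an IOC with a DNS search suffix appended by a misconfigured client) would also be returned by the KQL, whereas the label-boundary suffix matcher above treats it as a miss; decide which behaviour you want before tuning. Second, the two bare-IP indicators never appear in DNS telemetry at all: the `malicious_ips` list is meant for a third query over a connection table such as `DeviceNetworkEvents` (`RemoteIP`) or `CommonSecurityLog` (`DestinationIP`), which the page's two queries do not cover.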
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS data connector (Windows DNS Server logs collected by the agent); ensure it is enabled and that client query logging is on, otherwise only server-side events appear. |
| UrlClickEvents | Populated through the Microsoft Defender XDR connector and records only Safe Links clicks from email, Teams and Office. Script URLs such as d.js or rate-effect.js are typically fetched by a browser while rendering a compromised page, not clicked from a message, so also hunt these URLs and the two bare IPs in proxy/web gateway logs or DeviceNetworkEvents. |
The IOC set for this rule contains only domains and URLs, so a match can only come from DNS, proxy/web or Safe Links telemetry. File hashes, process names and command lines never match these indicators, and exclusions keyed on them (backup software, Task Scheduler, containers, log forwarders) would neither explain nor suppress a hit. The benign sources of matches that actually occur are the following.
Scenario: An analyst or incident responder resolves or fetches one of the indicators from a workstation while triaging this very alert, producing a DNS query or URL request that matches.
Filter/Exclusion: Exclude the SOC's dedicated investigation hosts by Computer in DnsEvents; keep that list short and reviewed, and treat a match from an ordinary corporate workstation as a real hit even if an analyst claims it.
Scenario: A sandbox, URL scanner or scheduled threat-intelligence enrichment job (for example a script that resolves every new ThreatFox indicator) contacts the domains as part of its normal work.
Filter/Exclusion: Exclude those hosts by name or source IP, or give them a dedicated resolver and egress path whose logs are not forwarded to DnsEvents.
Scenario: Safe Links or the email gateway rewrites or detonates a link to one of the URLs, producing a UrlClickEvents row with ActionType ClickBlocked although no user reached the page.
Filter/Exclusion: Do not exclude these: a blocked click still identifies who received the lure. Lower the severity where IsClickedThrough is false and the ActionType indicates a block, and escalate rows with ClickAllowed or IsClickedThrough true.
Scenario: A listed domain is sinkholed, taken down or re-registered by a legitimate owner, so traffic to it long after the First Seen date (2026-05-07) is no longer malicious.
Filter/Exclusion: Age out the indicator rather than the host: time-bound the watchlist and re-check the indicator's current ThreatFox status before suppressing.
Scenario: Link previewers (Teams or Slack unfurling), web crawlers or browser prefetch request an IOC URL or resolve its domain without any user action.
Filter/Exclusion: Exclude the known user agent or source host of the previewer/crawler only; keep prefetch hits from user workstations, because the page that carries the link may itself be the lure.