The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which may indicate the presence of advanced or novel malware. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 23 IOC Types: ip:port, url, sha256_hash, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]133[.]158[.]34:8443 | botnet_cc | 2026-05-21 | 75% |
| domain | adflow.monster | payload_delivery | 2026-05-21 | 100% |
| domain | themagicneedle.monster | payload_delivery | 2026-05-21 | 100% |
| domain | exportearth.monster | payload_delivery | 2026-05-21 | 100% |
| domain | adtraffic.monster | payload_delivery | 2026-05-21 | 100% |
| domain | jogosdecarrobr.monster | payload_delivery | 2026-05-21 | 100% |
| domain | spacezonepage.monster | payload_delivery | 2026-05-21 | 100% |
| domain | bigddeaf.monster | payload_delivery | 2026-05-21 | 100% |
| domain | yinava.monster | payload_delivery | 2026-05-21 | 100% |
| url | hxxps://pafu.eco.to/ | payload_delivery | 2026-05-21 | 90% |
| sha256_hash | e746712a83e1a908e16c2495fd75dde22950b6e09c7ee9a8e148318d48950f5e | payload | 2026-05-21 | 75% |
| url | hxxp://aulinked.org/infos.php?fronts=1 | payload_delivery | 2026-05-21 | 75% |
| sha256_hash | c4277ff9fed179249daf8b8d76f6be7613bea7bd5e742950cfb77c20e0e0cca5 | payload | 2026-05-21 | 75% |
| url | hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t9 | payload_delivery | 2026-05-21 | 75% |
| sha256_hash | 3b2f273bb402523c62608495108f9d3a771cfbd10f721e8f87076fee62edd4ae | payload | 2026-05-21 | 75% |
| domain | finger.aulinked.org | payload_delivery | 2026-05-21 | 75% |
| url | hxxps://platecrumbs.com/ | payload_delivery | 2026-05-21 | 90% |
| url | hxxps://www.dunebuggydubai.ae/ | payload_delivery | 2026-05-21 | 90% |
| domain | slndcdnclaud.beer | payload_delivery | 2026-05-21 | 100% |
| domain | ns1cdnclaude.beer | payload_delivery | 2026-05-20 | 100% |
| domain | bootstrup-cdnmaper.beer | payload_delivery | 2026-05-20 | 100% |
| domain | nsserv-bootstru.beer | payload_delivery | 2026-05-20 | 100% |
| ip:port | 107[.]189[.]25[.]70:7443 | botnet_cc | 2026-05-20 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["45.133.158.34", "107.189.25.70"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.133.158.34", "107.189.25.70"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["adflow.monster", "themagicneedle.monster", "exportearth.monster", "adtraffic.monster", "jogosdecarrobr.monster", "spacezonepage.monster", "bigddeaf.monster", "yinava.monster", "finger.aulinked.org", "slndcdnclaud.beer", "ns1cdnclaude.beer", "bootstrup-cdnmaper.beer", "nsserv-bootstru.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://pafu.eco.to/", "http://aulinked.org/infos.php?fronts=1", "https://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t9", "https://platecrumbs.com/", "https://www.dunebuggydubai.ae/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["e746712a83e1a908e16c2495fd75dde22950b6e09c7ee9a8e148318d48950f5e", "c4277ff9fed179249daf8b8d76f6be7613bea7bd5e742950cfb77c20e0e0cca5", "3b2f273bb402523c62608495108f9d3a771cfbd10f721e8f87076fee62edd4ae"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that generates network traffic matching an IOC associated with unknown malware.
Filter/Exclusion: process.name != "schtasks.exe" OR process.name != "task scheduler" OR process.parent.name != "services.exe"
Scenario: Admin Performing System Update via Windows Update
Description: A system update process downloads a file that matches an IOC from ThreatFox, but is actually a legitimate Windows update.
Filter/Exclusion: process.name != "wuauclt.exe" OR file.hash != "known Windows update hash"
Scenario: Log Collection and Monitoring Tool (e.g., Splunk, ELK)
Description: A log collection tool uploads logs to a remote server, and the upload path matches an IOC flagged as unknown malware.
Filter/Exclusion: process.name != "splunkd.exe" OR process.name != "logstash" OR destination.ip IN ("known log server IPs")
Scenario: Backup Job Using Veeam or Acronis
Description: A backup job transfers data to a remote backup server, and the transfer path is flagged as an IOC.
Filter/Exclusion: process.name != "veeam.exe" OR process.name != "acronis" OR destination.ip IN ("backup server IPs")
Scenario: Internal Code Signing or Certificate Management Task
Description: A task related to code signing or certificate management uses a tool that matches an IOC, but is part of internal security operations.
Filter/Exclusion: process.name != "signtool.exe" OR process.name != "certutil.exe" OR user.name IN ("internal security team")