The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving indicators that ThreatFox attributes to no known malware family ("Unknown malware") and that may be associated with advanced persistent threats. SOC teams should proactively hunt for matches on these indicators in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 22
IOC Types: url, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ponikas.cyou | payload_delivery | 2026-05-12 | 100% |
| domain | bcncdncl-ns.beer | payload_delivery | 2026-05-12 | 100% |
| url | hxxps://light-copying5ingle.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | light-copying5ingle.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://baroquecam-up.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | baroquecam-up.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://vexon1al.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | vexon1al.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://tale-neurosurgery.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | tale-neurosurgery.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://greyhounds1uidor.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | greyhounds1uidor.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://bel1tower.digital/script.sh | payload_delivery | 2026-05-11 | 100% |
| domain | bel1tower.digital | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://dixel-pixxxl232.digital/ext[.]0db0461f0031.js | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://dixel-pixxxl232.digital/ext-b[.]998e3b1c1a4e.js | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://dixel-pixxxl232.digital/t[.]188cfd3975db.js | payload_delivery | 2026-05-11 | 100% |
| url | hxxps://dixel-pixxxl232.digital/t.js | payload_delivery | 2026-05-11 | 100% |
| domain | dixel-pixxxl232.digital | payload_delivery | 2026-05-11 | 100% |
| domain | viscdnclaud.beer | payload_delivery | 2026-05-11 | 100% |
| domain | nfsclaudecdn.beer | payload_delivery | 2026-05-11 | 100% |
| ip:port | 103[.]247[.]11[.]53:7443 | botnet_cc | 2026-05-11 | 75% |
Each of the following hunting queries is self-contained and is meant to be run on its own (each declares its own `let` list).

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// Note: the IOC is reported as ip:port (103.247.11.53:7443); the IP is matched on
// any port here so that connections to the same host on other ports also surface.
let malicious_ips = dynamic(["103.247.11.53"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["103.247.11.53"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["ponikas.cyou", "bcncdncl-ns.beer", "light-copying5ingle.digital", "baroquecam-up.digital", "vexon1al.digital", "tale-neurosurgery.digital", "greyhounds1uidor.digital", "bel1tower.digital", "dixel-pixxxl232.digital", "viscdnclaud.beer", "nfsclaudecdn.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://light-copying5ingle.digital/script.sh", "https://baroquecam-up.digital/script.sh", "https://vexon1al.digital/script.sh", "https://tale-neurosurgery.digital/script.sh", "https://greyhounds1uidor.digital/script.sh", "https://bel1tower.digital/script.sh", "https://dixel-pixxxl232.digital/ext.0db0461f0031.js", "https://dixel-pixxxl232.digital/ext-b.998e3b1c1a4e.js", "https://dixel-pixxxl232.digital/t.188cfd3975db.js", "https://dixel-pixxxl232.digital/t.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
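Building the `let` lists above by hand from a ThreatFox export is error-prone because the feed is defanged (hxxps://, [.]) while KQL needs live values, and the ip:port entry carries a port the IP queries drop. The following Python is an added example, not code from the original rule page or from ThreatFox: it refangs a constructed sample of rows in the shape of the IOC table, validates the IPv4 ip:port entry, emits KQL `dynamic([...])` lists, and builds a DeviceNetworkEvents query that also pins the reported port. The function names (refang, bucket_iocs, kql_dynamic, build_network_hunt) and the sample rows are assumptions.

```python
import ipaddress
import re

# Constructed sample rows in the (type, value) shape of the IOC table above,
# defanged the way ThreatFox exports them (hxxps://, [.]); not a live feed pull.
SAMPLE_IOCS = [
    ("domain", "ponikas.cyou"),
    ("url", "hxxps://light-copying5ingle.digital/script.sh"),
    ("url", "hxxps://dixel-pixxxl232.digital/ext[.]0db0461f0031.js"),
    ("ip:port", "103[.]247[.]11[.]53:7443"),
]

def refang(value: str) -> str:
    """Restore a defanged indicator to the live form the KQL lists need."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def bucket_iocs(rows):
    """Group refanged IOCs by type; ip:port (IPv4) is split so the bare IP can be
    matched on any port while the reported port is kept for a tighter query."""
    buckets = {"ip": [], "ip_port": [], "domain": [], "url": []}
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            buckets["ip"].append(ip)
            buckets["ip_port"].append((ip, int(port)))
        elif ioc_type in ("domain", "url"):
            buckets[ioc_type].append(value)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return buckets

def kql_dynamic(name, values):
    """Render a KQL `let` list; embedded quotes are escaped so it pastes cleanly."""
    items = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{items}]);"

def build_network_hunt(buckets):
    """DeviceNetworkEvents hunt that matches each ip:port IOC on its exact port."""
    if not buckets["ip_port"]:
        raise ValueError("no ip:port IOCs to hunt for")
    pairs = " or ".join(f'(RemoteIP == "{ip}" and RemotePort == {port})'
                        for ip, port in buckets["ip_port"])
    return ("DeviceNetworkEvents\n"
            f"| where {pairs}\n"
            "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName\n"
            "| order by Timestamp desc")
```

Call `bucket_iocs(SAMPLE_IOCS)` and pass the result to `kql_dynamic` and `build_network_hunt` to get paste-ready query text; the port-pinned query is the tighter complement to the any-port IP hunt above.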
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a file or network resource flagged by the rule (e.g., C:\Windows\System32\wbem\wmic.exe).
Filter/Exclusion: Exclude processes associated with Task Scheduler or filter by ProcessName like schtasks.exe or taskhost.exe.
Scenario: Log Management Tool Data Export
Description: A log management tool (e.g., Splunk, ELK Stack) exports logs to a network location, triggering an IOC match due to the destination IP or file name.
Filter/Exclusion: Exclude traffic from known log management tools by checking the ProcessName or User field for splunkd.exe, logstash.exe, or kibana.exe.
Scenario: Software Update Job
Description: A system update job (e.g., Windows Update, Chocolatey) downloads a package from a known repository, which coincidentally matches an IOC in the rule.
Filter/Exclusion: Exclude processes related to update tools like wusa.exe, choco.exe, or filter by DestinationIP matching known update servers.
Scenario: Administrative PowerShell Script
Description: An admin runs a PowerShell script (e.g., powershell.exe -Command "Get-EventLog") that interacts with a system component flagged by the rule.
Filter/Exclusion: Exclude PowerShell processes with ProcessName like powershell.exe and check for CommandLine containing Get-EventLog, Get-WinEvent, or similar administrative commands.
Scenario: Database Backup Job
Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) writes to