The ThreatFox: CountLoader IOCs rule detects potential adversary activity associated with the CountLoader malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
Malware Family: CountLoader
Total IOCs: 8
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | diospfj.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | maloneyr.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | balvlqts.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | milnleny.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | markzsa.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | brownhc.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | pantofr.cyou | botnet_cc | 2026-05-21 | 100% |
| domain | shenyac.cyou | botnet_cc | 2026-05-21 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - CountLoader
let malicious_domains = dynamic(["diospfj.cyou", "maloneyr.cyou", "balvlqts.cyou", "milnleny.cyou", "markzsa.cyou", "brownhc.cyou", "pantofr.cyou", "shenyac.cyou"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
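The same hunt, expressed outside Sentinel so the matching rules can be checked against sample records. This is an added example, not the ThreatFox feed's or the rule's own code; the DnsEvent rows are constructed for illustration. It matches on domain-label boundaries (the IOC itself or a subdomain of it), which is stricter than the term-based `has_any` in the KQL above: `has_any` will also fire when the IOC appears as interior labels of a longer name, while a lookalike such as `notdiospfj.cyou` is rejected by both.

```python
"""Match DNS query records against the CountLoader domain IOCs listed above.

Added example (not part of the ThreatFox feed or the Sentinel rule); the
sample DnsEvents rows below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Domain IOCs from the table above (ThreatFox, CountLoader, botnet_cc)
COUNTLOADER_DOMAINS = {
    "diospfj.cyou", "maloneyr.cyou", "balvlqts.cyou", "milnleny.cyou",
    "markzsa.cyou", "brownhc.cyou", "pantofr.cyou", "shenyac.cyou",
}


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the DnsEvents columns the KQL query projects."""
    time_generated: str   # ISO-8601 timestamp, sortable as a string
    computer: str
    name: str             # queried name as logged by the resolver
    ip_addresses: str
    query_type: str


def normalize_name(name: str) -> str:
    """Lowercase and strip the trailing root dot that some resolvers log."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs=COUNTLOADER_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Suffix matching on label boundaries avoids two mistakes a plain substring
    check makes: 'notdiospfj.cyou' (a different registrable domain) must not
    match, and 'diospfj.cyou.example.com' (IOC embedded as interior labels)
    must not match either.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events):
    """Mirror the KQL hunt: keep matching events, newest first, with the IOC hit."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev.name)
        if ioc is not None:
            hits.append((ev, ioc))
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


# Constructed sample DnsEvents rows (not real telemetry)
SAMPLE_EVENTS = [
    DnsEvent("2026-05-21T10:00:01Z", "ws-014", "diospfj.cyou", "203.0.113.10", "A"),
    DnsEvent("2026-05-21T10:00:05Z", "ws-014", "cdn.markzsa.cyou.", "203.0.113.11", "A"),
    DnsEvent("2026-05-21T10:00:09Z", "srv-db1", "notdiospfj.cyou", "203.0.113.12", "A"),
    DnsEvent("2026-05-21T10:00:12Z", "ws-022", "diospfj.cyou.example.com", "198.51.100.5", "A"),
    DnsEvent("2026-05-21T10:00:15Z", "ws-022", "SHENYAC.CYOU", "203.0.113.13", "AAAA"),
    DnsEvent("2026-05-21T10:00:20Z", "ws-030", "login.microsoftonline.com", "20.190.0.1", "A"),
]

if __name__ == "__main__":
    for ev, ioc in hunt(SAMPLE_EVENTS):
        print(f"{ev.time_generated} {ev.computer} {ev.name} -> IOC {ioc}")
```

Running the script reports three hits (the exact IOC, a subdomain of an IOC with a trailing root dot, and an upper-cased IOC) and ignores the lookalike and the name with the IOC embedded as interior labels. If the Sentinel rule should also ignore those embedded-label cases, tightening `has_any` to an equality or `endswith` check on `Name` is the corresponding change.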
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches one of the CountLoader IOCs (e.g., a PowerShell script named backup.ps1).
Filter/Exclusion: Check for process.name containing “backup” or “systembackup” and process.parent.name being a known backup service (e.g., VSS or wbadmin).
Scenario: Admin Task - PowerShell Script Execution
Description: An administrator runs a PowerShell script (e.g., update_config.ps1) that contains a file path matching a CountLoader IOC.
Filter/Exclusion: Filter by user.name being a known admin account (e.g., Administrator) and check for process.command_line containing “update” or “config”.
Scenario: Log Management Tool Configuration
Description: A log management tool (e.g., Splunk or ELK) is configured to use a script or file that matches a CountLoader IOC (e.g., logrotate.sh).
Filter/Exclusion: Check for process.name containing “splunk” or “logrotate” and ensure the file path is within the tool’s configured directory (e.g., /opt/splunk/etc/).
Scenario: Software Update Job
Description: A software update job (e.g., using Windows Update or Chocolatey) downloads a file that matches a CountLoader IOC.
Filter/Exclusion: Filter by process.name containing “wuauclt” or “choco” and check for process.parent.name being a known update service (e.g., svchost or taskeng).
Scenario: Custom Monitoring Script
Description: A custom monitoring script (e.g., monitor_network.sh) is used