The ThreatFox: GCleaner IOCs rule detects network activity to URLs that ThreatFox has attributed to the GCleaner loader and tagged as botnet command-and-control (threat type botnet_cc). GCleaner establishes persistence on the host and stages further payloads and data theft, so a hit on one of these URLs indicates an early-stage compromise. SOC teams should hunt for these IOCs proactively in Microsoft Sentinel (formerly Azure Sentinel) and contain the affected host before follow-on payloads are delivered or data is exfiltrated.
IOC Summary
Malware Family: GCleaner
Total IOCs: 5
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://91[.]92[.]241[.]242/service | botnet_cc | 2026-05-19 | 100% |
| url | hxxp://91[.]92[.]241[.]242/update | botnet_cc | 2026-05-19 | 100% |
| url | hxxp://91[.]92[.]241[.]242/info | botnet_cc | 2026-05-19 | 100% |
| url | hxxp://91[.]92[.]241[.]242/dll | botnet_cc | 2026-05-19 | 100% |
| url | hxxp://91[.]92[.]241[.]242/success | botnet_cc | 2026-05-19 | 100% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - GCleaner (botnet_cc, first seen 2026-05-19)
// The IOCs are refanged from the table above: hxxp -> http, [.] -> .
let malicious_urls = dynamic(["http://91.92.241.242/service", "http://91.92.241.242/update", "http://91.92.241.242/info", "http://91.92.241.242/dll", "http://91.92.241.242/success"]);
UrlClickEvents
// has_any matches on whole terms, so an appended query string still matches
| where Url has_any (malicious_urls)
// NetworkMessageId lets the analyst pivot to the originating message in EmailEvents
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Populated by Safe Links in Microsoft Defender for Office 365 and ingested into Sentinel through the Microsoft 365 Defender connector; ensure that connector is enabled. This table records user clicks on links in mail and Teams only. Beacons from a loader that is already running never appear here, so also hunt DeviceNetworkEvents (RemoteUrl, RemoteIP = 91.92.241.242) and proxy or firewall logs for the same indicators. |
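The IOC table above is published defanged (hxxp, [.]) and the hunting query needs the refanged form, so the two must be kept in sync; and a URL-only match misses requests to other paths on the same C2 host. The following Python is an added example, not part of the ThreatFox rule or the Sentinel query: it refangs the five IOCs, emits the `dynamic([...])` literal the query uses, and runs a host-and-path match over constructed proxy log lines. The `url=` key=value log format and the `SAMPLE_LOGS` content are assumptions made for the example, not real telemetry.

```python
"""Refang the ThreatFox GCleaner URL IOCs and match them against log lines.

Added example, not part of the ThreatFox rule. The IOC list is copied from
the table above; the log lines are constructed samples, not real telemetry.
"""
import re
from urllib.parse import urlsplit

# IOCs exactly as ThreatFox publishes them (defanged).
DEFANGED_IOCS = [
    "hxxp://91[.]92[.]241[.]242/service",
    "hxxp://91[.]92[.]241[.]242/update",
    "hxxp://91[.]92[.]241[.]242/info",
    "hxxp://91[.]92[.]241[.]242/dll",
    "hxxp://91[.]92[.]241[.]242/success",
]

# Constructed proxy log lines in a made-up key=value format (assumption:
# the real log carries the full requested URL in one field).
SAMPLE_LOGS = [
    "2026-05-19T10:01:02Z host=WS-01 user=alice url=http://91.92.241.242/service status=200",
    "2026-05-19T10:01:09Z host=WS-01 user=alice url=HTTP://91.92.241.242:80/update/?id=7 status=200",
    "2026-05-19T10:02:30Z host=WS-01 user=alice url=http://91.92.241.242/stats status=404",
    "2026-05-19T10:03:00Z host=WS-02 user=bob url=https://example.com/service status=200",
    "2026-05-19T10:04:00Z host=WS-03 user=carol url=http://91.92.241.242.evil.example/service status=200",
]

URL_FIELD = re.compile(r"\burl=(\S+)")


def refang(ioc):
    """Reverse the usual defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(bad, good)
    return s


def normalize(url):
    """Reduce a URL to (host, path): scheme and default port ignored, host
    lower-cased, query dropped, trailing slash stripped, so trivial variants
    of the same C2 endpoint compare equal. A look-alike host such as
    91.92.241.242.evil.example stays distinct because hostname is compared whole."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path.rstrip("/") or "/"
    return host, path


def build_kql(iocs=DEFANGED_IOCS):
    """Emit the dynamic() literal used by the Sentinel hunting query above."""
    quoted = ", ".join('"%s"' % refang(i) for i in iocs)
    return "let malicious_urls = dynamic([%s]);" % quoted


def hunt(log_lines, iocs=DEFANGED_IOCS):
    """Return hits as dicts. match == "url" is an exact IOC match; match == "host"
    is any other request to a C2 host, which a URL-only query would miss."""
    targets = {normalize(refang(i)) for i in iocs}
    c2_hosts = {host for host, _ in targets}
    hits = []
    for line in log_lines:
        m = URL_FIELD.search(line)
        if not m:
            continue
        raw = m.group(1)
        host, path = normalize(raw)
        if (host, path) in targets:
            hits.append({"match": "url", "url": raw, "line": line})
        elif host in c2_hosts:
            hits.append({"match": "host", "url": raw, "line": line})
    return hits


if __name__ == "__main__":
    print(build_kql())
    for hit in hunt(SAMPLE_LOGS):
        print(hit["match"], hit["url"])
```

Running it against the constructed logs yields two exact URL hits (one only after normalizing the upper-case scheme, explicit port 80, trailing slash and query string), one host-only hit on /stats, and no hit for the look-alike host. In Sentinel the equivalent of the host-only match is a second hunt over DeviceNetworkEvents filtered on RemoteIP == "91.92.241.242".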
False Positives and Exclusions
The hunting query above matches the Url column of UrlClickEvents, which carries no process information, so the process-based exclusions below cannot be applied to it directly. They are relevant only if the same IOCs are hunted in endpoint telemetry (DeviceNetworkEvents, DeviceProcessEvents), where the equivalent columns are InitiatingProcessFileName, InitiatingProcessParentFileName and InitiatingProcessCommandLine rather than process.name, process.parent.name and process.command_line. In every scenario, confirm that the excluded process genuinely explains a request to 91.92.241.242 before adding the exclusion: a legitimate maintenance or cleanup tool has no reason to contact a botnet C2 address, and loaders routinely masquerade as cleanup utilities, so an exclusion keyed on a cleaner's process name can hide the very activity the rule exists to catch.
Scenario: Legitimate System Maintenance Task
Description: A system administrator runs a scheduled task that cleans temporary files with a tool such as cleanmgr.exe or diskcleanup.exe.
Filter/Exclusion: Exclude the file-cleanup events whose process.name (InitiatingProcessFileName) is cleanmgr.exe or diskcleanup.exe; do not exclude network events from these processes to the IOC address.
Scenario: Scheduled Job for Log Rotation
Description: A scheduled job rotates and compresses log files with logrotate or a custom script.
Filter/Exclusion: Exclude events whose process.name matches logrotate or gzip, or whose command line (process.command_line / InitiatingProcessCommandLine) contains logrotate.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security product such as Malwarebytes, Kaspersky or Bitdefender performs a full system scan; its scanner or updater processes can appear as the initiating process for file and network events during the scan.
Filter/Exclusion: Exclude events whose process.name or process.parent.name contains malwarebytes, kaspersky or bitdefender, after verifying that the matching request is the product's own reputation or update traffic and not a user or loader beacon to the C2 host.
Scenario: Software Update or Patch Deployment
Description: A patch management tool such as Windows Update, WSUS or Ansible deploys updates, creating temporary files and running scripts that can resemble IOC patterns.
Filter/Exclusion: Exclude events whose process.name or command line contains wuauclt.exe, wsus or ansible.
Scenario: User-Initiated File Cleanup
Description: A user manually deletes temporary files or caches with a tool such as CCleaner or a script.
Filter/Exclusion: Exclude events whose process.name is ccleaner.exe, ideally scoped to the installed path and signed binary rather than the name alone. Excluding every command line containing del, rm or erase is too broad to be safe; if such an exclusion is needed, restrict it to the specific cleanup script and its invoking account.