The hypothesis is that the adversary is using the IP 176.65.139.99 (tracked on this page under the threat label 176-65-139-99) to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary

Threat: 176-65-139-99
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.99/release/mynode.ppc_32 | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.99/release/mynode.armv4_32 | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.99/release/mynode.arm5_32 | online | malware_download | 2026-05-19 |
```kql
// Hunt for DNS resolution involving the URLhaus-listed host
// Threat: 176-65-139-99
// The indicator is a bare IP, so it is far more likely to appear in the
// resolved-address column than in the queried name; check both.
let malicious_domains = dynamic(["176.65.139.99"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to the URLhaus-listed host
// Threat: 176-65-139-99
// Match the indicator in the URL, the destination host name and the
// destination IP, since proxy devices do not populate all three consistently.
let malicious_domains = dynamic(["176.65.139.99"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a URL tagged as 176-65-139-99.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., *.update.microsoft.com, *.download.windows10.com) or use a custom field like url.contains("update") in the detection logic.
Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from a URL on the internal network (176-65-139-99) to synchronize settings across multiple servers.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., src_ip.in_range(176.65.0.0/16)) or use a custom field like src_ip.contains("internal").
Scenario: A Log Management Tool (e.g., Splunk or ELK Stack) is configured to send logs to a central server at IP 176-65-139-99 for centralized monitoring and analysis.
Filter/Exclusion: Exclude outbound traffic to known internal log servers or use a custom field like dest_ip.contains("logserver") or dest_port == 514.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is configured to pull dependencies from a private repository hosted on a server with IP 176-65-139-99.
Filter/Exclusion: Exclude traffic associated with CI/CD tools by checking the user-agent or request path (e.g., /api/v4/projects/...) or use a
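The hunt queries above match the indicator, and the scenarios above describe exclusions to apply afterwards. As an added example that is not part of the original page, the Python below replays both over constructed records shaped like CommonSecurityLog rows, so the exclusion logic can be tested offline before it is written into KQL. Only the indicator 176.65.139.99 and the three /release/mynode.* paths come from the page; the RFC 1918 ranges standing in for "internal", port 514 as the log-server port, the update-server suffixes and the CI/CD user-agent markers are assumptions chosen for illustration.

```python
"""Offline replay of the 176-65-139-99 hunt logic over constructed proxy records.

Added example, not code from the original page. It mirrors the
CommonSecurityLog match (indicator in RequestURL, DestinationHostName or
DestinationIP), adds the malware_download paths from the IOC table, then
applies the exclusions described in the false-positive scenarios.
"""
import ipaddress
from urllib.parse import urlparse

IOC_HOST = "176.65.139.99"  # indicator from the IOC summary
IOC_PATHS = {               # malware_download paths from the IOC table
    "/release/mynode.ppc_32",
    "/release/mynode.armv4_32",
    "/release/mynode.arm5_32",
}

# Exclusion values are assumptions: RFC 1918 ranges stand in for "internal",
# 514 for the syslog log-server port, the suffixes/markers for the scenarios.
UPDATE_SERVER_SUFFIXES = (".update.microsoft.com", ".download.windows10.com")
INTERNAL_RANGES = [ipaddress.ip_network(r)
                   for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_SERVER_PORTS = {514}
CICD_AGENT_MARKERS = ("jenkins", "gitlab-runner")


def is_internal(ip: str) -> bool:
    """True if ip parses and falls in one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def matches_ioc(rec: dict) -> bool:
    """Equivalent of the query's 'where' clause, extended with DestinationIP."""
    return (IOC_HOST in rec.get("RequestURL", "")
            or rec.get("DestinationHostName") == IOC_HOST
            or rec.get("DestinationIP") == IOC_HOST)


def is_known_payload(rec: dict) -> bool:
    """True when the request path is one of the listed malware_download URLs."""
    parsed = urlparse(rec.get("RequestURL", ""))
    return parsed.hostname == IOC_HOST and parsed.path in IOC_PATHS


def exclusion_reason(rec: dict):
    """Name the false-positive scenario a record falls under, or None."""
    host = (urlparse(rec.get("RequestURL", "")).hostname
            or rec.get("DestinationHostName") or "").lower()
    if host.endswith(UPDATE_SERVER_SUFFIXES):
        return "known update server"
    if is_internal(rec.get("SourceIP", "")) and is_internal(rec.get("DestinationIP", "")):
        return "internal-to-internal traffic"
    if rec.get("DestinationPort") in LOG_SERVER_PORTS:
        return "log forwarding port"
    agent = rec.get("RequestClientApplication", "").lower()
    if any(marker in agent for marker in CICD_AGENT_MARKERS):
        return "CI/CD user agent"
    return None


def triage(records):
    """Return matched records annotated with payload match and exclusion.

    A record whose path is a listed payload is never suppressed: a download
    of mynode.* from the indicator host is the hit the hunt exists to find,
    whatever port or user agent carried it.
    """
    results = []
    for rec in records:
        if not matches_ioc(rec):
            continue
        payload = is_known_payload(rec)
        results.append({
            "TimeGenerated": rec.get("TimeGenerated"),
            "SourceIP": rec.get("SourceIP"),
            "RequestURL": rec.get("RequestURL"),
            "known_payload": payload,
            "excluded": None if payload else exclusion_reason(rec),
        })
    return results


def actionable(results):
    """Hits that survive the exclusions, newest first like the query."""
    return sorted((r for r in results if r["excluded"] is None),
                  key=lambda r: r["TimeGenerated"], reverse=True)


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-19T08:01:00Z", "SourceIP": "10.1.2.3",
     "RequestURL": "http://176.65.139.99/release/mynode.arm5_32",
     "DestinationIP": "176.65.139.99", "DestinationPort": 80,
     "RequestClientApplication": "curl/8.5.0"},
    {"TimeGenerated": "2026-05-19T08:02:00Z", "SourceIP": "10.1.2.4",
     "RequestURL": "http://176.65.139.99/config.json",
     "DestinationIP": "176.65.139.99", "DestinationPort": 80,
     "RequestClientApplication": "Mozilla/5.0"},
    {"TimeGenerated": "2026-05-19T08:03:00Z", "SourceIP": "10.1.2.5",
     "RequestURL": "http://cdn.update.microsoft.com/patch.cab",
     "DestinationIP": "203.0.113.10", "DestinationPort": 443,
     "RequestClientApplication": "Windows-Update-Agent"},
    {"TimeGenerated": "2026-05-19T08:04:00Z", "SourceIP": "10.1.2.6",
     "RequestURL": "", "DestinationIP": "176.65.139.99", "DestinationPort": 514,
     "RequestClientApplication": ""},
    {"TimeGenerated": "2026-05-19T08:05:00Z", "SourceIP": "10.1.2.7",
     "RequestURL": "http://176.65.139.99/api/v4/projects/7/packages",
     "DestinationIP": "176.65.139.99", "DestinationPort": 80,
     "RequestClientApplication": "gitlab-runner 16.9.0"},
    {"TimeGenerated": "2026-05-19T08:06:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://10.0.0.9/mirror?upstream=176.65.139.99",
     "DestinationIP": "10.0.0.9", "DestinationPort": 80,
     "RequestClientApplication": "python-requests/2.31"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
```

Two design points carry over to the KQL version. First, exclusions are applied after the match and recorded as a reason rather than dropping rows, so an analyst can see what was suppressed; in KQL that is a `case()` or `extend` column rather than a second `where`. Second, a request whose path is one of the listed mynode.* payloads is never suppressed, because that is exactly the event the hunt is for. The internal-range check maps onto KQL's `ipv4_is_private()` or `ipv4_is_in_range()`, and the suffix check onto `endswith`.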