Adversaries may use URLs tagged "arm" in URLhaus (payload droppers built for ARM devices, such as the `bot.armv7l` and `arm7` binaries listed below) to deliver payloads or exfiltrate data, leveraging compromised Azure resources for command and control. SOC teams should proactively hunt for these URLs and the hosts serving them in Azure Sentinel to identify and mitigate potential compromise of cloud infrastructure.
IOC Summary
Threat: arm. Total URLs: 10. Active URLs: 8.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://94.156.152.234/bot.armv7l | online | malware_download | 2026-05-12 |
| hxxp://94.156.152.234/bot.armv6l | online | malware_download | 2026-05-12 |
| hxxp://94.156.152.234/bot.armv5l | online | malware_download | 2026-05-12 |
| hxxp://94.156.152.234/bot.armv4l | online | malware_download | 2026-05-12 |
| hxxp://45.148.120.78/JyVY | offline | malware_download | 2026-05-12 |
| hxxp://45.148.120.78/CpO | offline | malware_download | 2026-05-12 |
| hxxp://103.153.68.104/arm4 | online | malware_download | 2026-05-12 |
| hxxp://103.153.68.104/arm5 | online | malware_download | 2026-05-12 |
| hxxp://103.153.68.104/arm7 | online | malware_download | 2026-05-12 |
| hxxp://176.65.139.9/FBI.arm | online | malware_download | 2026-05-12 |
```kusto
// Hunt for DNS activity involving the URLhaus IOC hosts listed above
// Threat: arm
// The IOCs on this page are bare IP addresses, not hostnames, so the query
// name alone would never match; also check the resolved addresses.
// 45.148.120.78 is included even though its URLs are currently offline,
// since historical logs may still show earlier contact.
let malicious_ips = dynamic(["176.65.139.9", "94.156.152.234", "103.153.68.104", "45.148.120.78"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus IOC hosts
// Threat: arm
let malicious_ips = dynamic(["176.65.139.9", "94.156.152.234", "103.153.68.104", "45.148.120.78"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener service by generating and accessing short URLs for internal documentation.
Filter/Exclusion: Exclude URLs containing the domain internal.doc.example.com or any URL with the query parameter ?test=true.
Scenario: A scheduled job runs a nightly script to fetch and process updates from a third-party API, which includes URLs that are temporarily flagged as suspicious by URLhaus.
Filter/Exclusion: Exclude URLs that match the pattern https://api.example-thirdparty.com/v1/updates/* or any URL with the path /v1/updates.
Scenario: An IT security team is performing a red team exercise and uses a legitimate tool like Metasploit to simulate a phishing attack, including the use of a malicious-looking URL for testing.
Filter/Exclusion: Exclude URLs that contain the substring redteam.test or are associated with the IP range 192.168.1.0/24.
Scenario: A DevOps engineer is deploying a new application using a CI/CD pipeline, and the deployment script includes a URL to a public artifact repository that is temporarily flagged by URLhaus.
Filter/Exclusion: Exclude URLs that match the domain artifactory.examplecorp.com or any URL with the path /releases/*.
Scenario: A user is accessing a legitimate URL from a trusted enterprise portal that is mistakenly tagged as “arm” in URLhaus due to a false positive in the database.
Filter/Exclusion: Exclude URLs that contain the domain portal.examplecorp.com or are part of the internal enterprise network (10.0.0.0/8).
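The following is an added example, not part of the original page or the URLhaus project: a small Python triage routine that refangs proxy URLs, matches them against the IOC hosts from the table above, and applies the five false-positive exclusions exactly as the scenarios state them. The sample URLs at the bottom are constructed; the exclusion domains and ranges are the example values the scenarios use.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# IOC hosts taken from the URL table on this page
IOC_HOSTS = {"94.156.152.234", "45.148.120.78", "103.153.68.104", "176.65.139.9"}

# Exclusion rules transcribed from the false-positive scenarios above
EXCLUDED_DOMAINS = {"internal.doc.example.com", "api.example-thirdparty.com",
                    "artifactory.examplecorp.com", "portal.examplecorp.com"}
EXCLUDED_PATH_PREFIXES = ("/v1/updates", "/releases/")
EXCLUDED_SUBSTRINGS = ("redteam.test",)
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable one."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def is_excluded(url: str) -> bool:
    """Apply the page's exclusion rules to an already-refanged URL."""
    p = urlparse(url)
    host = p.hostname or ""
    if host in EXCLUDED_DOMAINS or any(s in url for s in EXCLUDED_SUBSTRINGS):
        return True
    if p.path.startswith(EXCLUDED_PATH_PREFIXES):
        return True
    if parse_qs(p.query).get("test") == ["true"]:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname, not an IP literal: range rules do not apply
    return any(ip in net for net in EXCLUDED_NETWORKS)


def classify(url: str) -> str:
    """Return 'hit' (IOC host, not excluded), 'excluded' or 'clean'."""
    url = refang(url)
    if is_excluded(url):
        return "excluded"
    return "hit" if (urlparse(url).hostname or "") in IOC_HOSTS else "clean"


def triage(urls):
    """Classify a batch of URLs, e.g. the RequestURL column of a proxy export."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs, not real log data
    for u, verdict in triage(["hxxp://103.153.68.104/arm7", "https://portal.examplecorp.com/login",
                              "http://10.20.30.40/x", "https://example.org/"]).items():
        print(verdict, u)
```

Note that the `?test=true` rule, taken verbatim from the first scenario, suppresses even a URL on an IOC host, which is a good reason to scope such exclusions to specific source hosts before deploying them as Sentinel suppression rules.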