Adversaries may use ARM-based malicious URLs to deliver payloads or exfiltrate data, leveraging Azure’s infrastructure for covert command and control. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of cloud resources.
IOC Summary
Threat: arm. Total URLs: 18. Active URLs: 18.
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: arm
// Both indicators are raw IPs, so a DNS query name will never contain them;
// the resolved addresses (IPAddresses) are also checked, otherwise this hunt returns nothing.
let malicious_ips = dynamic(["156.238.242.196", "130.78.217.194"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: arm
// RequestURL carries the IP literal for these URLs; DestinationIP is matched too,
// so connections logged without a URL or host name are still caught.
let malicious_ips = dynamic(["156.238.242.196", "130.78.217.194"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Legitimate system update via Microsoft Update | Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com | Microsoft's update servers are known to host legitimate URLs that may be flagged by URLhaus due to their similarity to malicious domains. |
| Scheduled backup job using Veeam Backup & Replication | Exclude URLs containing veeam.com or backup.veeam.com | Veeam's backup tools may generate URLs during job execution that could be misclassified as malicious by the detection rule. |
| Admin task using PowerShell for log analysis | Exclude URLs containing powershellgallery.com or nuget.org | PowerShell scripts and modules from trusted repositories may be accessed during administrative tasks and could trigger the rule due to URL patterns. |
| Internal tool deployment via Jenkins CI/CD pipeline | Exclude URLs containing jenkins-ci.org or ci.example.com | Jenkins and other CI/CD platforms often use URLs that may resemble malicious domains, especially when deploying internal tools. |
| User accessing internal documentation via Confluence | Exclude URLs containing confluence.example.com or atlassian.com | Confluence and other internal documentation platforms may generate URLs that are flagged due to their structure, even though they are fully legitimate. |