The detection identifies potential DDoSAgent malware distribution via three URLs listed on URLhaus. All three are served from a single bare IP and point at architecture-specific binaries (.mpsl for MIPS little-endian, .ppc for PowerPC, .mips for MIPS big-endian), the usual staging pattern for IoT DDoS bots, which indicates an adversary is running payload-distribution infrastructure for bot deployment rather than a web service a user would visit. SOC teams should proactively hunt for this behavior in their Microsoft Sentinel (formerly Azure Sentinel) environment to disrupt early-stage malware deployment and prevent large-scale network attacks.
IOC Summary

Threat: DDoSAgent
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.182/bins/phantom.mpsl | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.ppc | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.mips | online | malware_download | 2026-05-22 |
```kql
// Hunt for DNS answers resolving to the URLhaus-listed IP
// Threat: DDoSAgent
// The IOCs are served from a bare IP, so a direct download generates no DNS query;
// this only finds hosts whose lookup of some domain resolved to that IP.
let malicious_ips = dynamic(["176.65.139.182"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IP and binaries
// Threat: DDoSAgent
let malicious_ips = dynamic(["176.65.139.182"]);
let malicious_paths = dynamic(["/bins/phantom.mpsl", "/bins/phantom.ppc", "/bins/phantom.mips"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
// Any request to this IP is suspicious; a hit on the listed paths is the bot binary itself
| extend MatchedPayload = iff(RequestURL has_any (malicious_paths), "listed binary", "other request to listed host")
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction, MatchedPayload
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from proxies and firewalls) |
| DnsEvents | Ensure this data connector is enabled (DNS analytics) |
The scenarios below are generic sources of false positives for URLhaus-based hunts. For this particular threat the indicators are three bot binaries on a bare public IP, so any request to that IP from outside a controlled lab should be treated as a true positive; apply the exclusions to the requesting source, never to the listed destination.

Scenario: Scheduled System Update Job
Description: A scheduled patching job downloads packages from a mirror or repository host that URLhaus has listed, for example a shared or compromised host that also serves malware.
Filter/Exclusion: Exclude requests from known patch-management clients and servers (apt/yum mirrors, Chocolatey, WSUS) to their configured repositories; a patch job fetching /bins/phantom.* from a raw IP is not a legitimate update and must not be excluded.

Scenario: Admin Task for Log Collection
Description: An admin script collects logs from remote servers and its collector endpoint sits on a host that URLhaus has listed.
Filter/Exclusion: Exclude source hosts running known log-collection tooling (Fluentd, Logstash, Splunk forwarders, ELK Stack) only toward their configured collector endpoints, not by destination alone.

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact during deployment from a host that URLhaus has listed.
Filter/Exclusion: Exclude build agents' requests to known artifact repositories (Artifactory, Nexus, GitHub Actions and release endpoints) by destination host, not by filename.

Scenario: Internal Monitoring Tool Configuration
Description: An internal monitoring tool (e.g., Prometheus, Grafana) fetches configuration or metrics data from a host that URLhaus has listed.
Filter/Exclusion: Exclude the monitoring tool's service hosts and internal (RFC 1918) destination ranges; note that the IOC IP here is public, so an internal-range exclusion does not affect this hunt.

Scenario: Malware Analysis Lab Environment
Description: A malware analysis lab deliberately fetches a URLhaus-listed URL to detonate or analyze the DDoS agent in a sandboxed environment.
Filter/Exclusion: Exclude, or better tag rather than drop, source hosts in the lab network ranges or naming conventions (sandbox, lab, analysis, test); contact with the listed IP is expected from those sources only.
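To see concretely what the two hunts above match, and how the lab exclusion from the last scenario should be applied to the requesting source rather than the listed destination, here is an added Python example. It is not part of the page and not Sentinel or URLhaus code: it refangs the three IOCs, derives the IP, URL and path sets, and runs the same matching logic over constructed rows shaped like CommonSecurityLog and DnsEvents records. The lab range 10.99.0.0/24, the sample events and the verdict names are assumptions for the example. It also goes one step beyond the KQL by flagging the listed dropper path on an unlisted host as a low-confidence hit, since these bots are routinely re-hosted under the same path.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The three DDoSAgent IOCs from the page, defanged as URLhaus lists them.
IOC_URLS = [
    "hxxp://176.65.139.182/bins/phantom.mpsl",
    "hxxp://176.65.139.182/bins/phantom.ppc",
    "hxxp://176.65.139.182/bins/phantom.mips",
]

# Assumption for this example: the malware-analysis lab lives in this range.
LAB_SOURCES = ipaddress.ip_network("10.99.0.0/24")


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.], [:]) back into a parseable one."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


@dataclass(frozen=True)
class IocSet:
    ips: frozenset     # bare-IP hosts
    hosts: frozenset   # DNS-name hosts (none for this threat, but handled)
    urls: frozenset    # normalised "host/path", scheme and port dropped
    paths: frozenset   # paths alone, to catch the same dropper re-hosted elsewhere


def normalise(url: str):
    """Return (host, host/path, path) for a URL; host lower-cased, port dropped."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, host + path, path


def build_ioc_set(defanged_urls) -> IocSet:
    ips, hosts, urls, paths = set(), set(), set(), set()
    for u in defanged_urls:
        host, hostpath, path = normalise(u)
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host)
        urls.add(hostpath)
        paths.add(path)
    return IocSet(frozenset(ips), frozenset(hosts), frozenset(urls), frozenset(paths))


def classify_proxy_event(ev: dict, iocs: IocSet):
    """Mirror the CommonSecurityLog hunt: exact URL > listed host/IP > path-only reuse."""
    host, hostpath, path = normalise(ev.get("RequestURL", ""))
    dest_ip = ev.get("DestinationIP", "")
    dest_host = ev.get("DestinationHostName", "").lower()
    if hostpath in iocs.urls:
        return "listed_binary"
    if host in iocs.ips or dest_ip in iocs.ips or host in iocs.hosts or dest_host in iocs.hosts:
        return "listed_host"
    if path in iocs.paths:
        return "payload_path_other_host"  # low confidence: same dropper path, unlisted host
    return None


def classify_dns_event(ev: dict, iocs: IocSet):
    """Mirror the DnsEvents hunt: any answer in IPAddresses equal to a listed IP."""
    answers = {a.strip() for a in ev.get("IPAddresses", "").split(",") if a.strip()}
    if answers & iocs.ips or ev.get("Name", "").lower().rstrip(".") in iocs.hosts:
        return "resolved_to_listed_ip"
    return None


def hunt(proxy_events, dns_events, iocs: IocSet, lab_sources=LAB_SOURCES):
    """Return (source, verdict, from_lab) tuples; lab hits are tagged, not dropped."""
    findings = []
    for ev in proxy_events:
        verdict = classify_proxy_event(ev, iocs)
        if verdict:
            src = ev["SourceIP"]
            findings.append((src, verdict, ipaddress.ip_address(src) in lab_sources))
    for ev in dns_events:
        verdict = classify_dns_event(ev, iocs)
        if verdict:
            src = ev["ClientIP"]
            findings.append((src, verdict, ipaddress.ip_address(src) in lab_sources))
    return findings


# Constructed sample rows shaped like CommonSecurityLog and DnsEvents (not real telemetry).
PROXY_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "176.65.139.182", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.182/bins/phantom.mips", "DeviceAction": "allowed"},
    {"SourceIP": "10.0.0.7", "DestinationIP": "176.65.139.182", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.182:8080/update.sh", "DeviceAction": "blocked"},
    {"SourceIP": "10.0.0.9", "DestinationIP": "203.0.113.10", "DestinationHostName": "cdn.example",
     "RequestURL": "http://cdn.example/bins/phantom.ppc", "DeviceAction": "allowed"},
    {"SourceIP": "10.99.0.2", "DestinationIP": "176.65.139.182", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.182/bins/phantom.mpsl", "DeviceAction": "allowed"},
    {"SourceIP": "10.0.0.11", "DestinationIP": "198.51.100.4", "DestinationHostName": "mirror.example",
     "RequestURL": "https://mirror.example/debian/dists/stable/Release", "DeviceAction": "allowed"},
]
DNS_EVENTS = [
    {"Computer": "ws01", "ClientIP": "10.0.0.13", "Name": "files.example.net",
     "IPAddresses": "176.65.139.182"},
    {"Computer": "ws02", "ClientIP": "10.0.0.14", "Name": "mirror.example",
     "IPAddresses": "198.51.100.4, 198.51.100.5"},
]

if __name__ == "__main__":
    for src, verdict, lab in hunt(PROXY_EVENTS, DNS_EVENTS, build_ioc_set(IOC_URLS)):
        print(f"{src:12} {verdict:26} {'LAB (tag, do not drop)' if lab else ''}")
```

The ordering of checks matters: an exact URL hit names the bot binary itself, a bare host hit still warrants triage because the same IP is the payload server, and the path-only hit is the generalisation the KQL does not make. The lab source is reported with a flag rather than silently filtered, so an analyst can still confirm the detonation was intentional.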