This hunt hypothesis targets adversaries who use malicious URLs listed on URLhaus to deliver malicious JAR files, which can execute arbitrary code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command-and-control channels and lateral movement.
IOC Summary
Threat: jar. Total URLs: 4. Active URLs: 3.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://donutsmpcheat.com/downloads/float-client.jar | offline | malware_download | 2026-05-10 |
| hxxps://donutsmpcheat.com/downloads/kryptonite-cracked.jar | online | malware_download | 2026-05-10 |
| hxxps://donutsmpcheat.com/downloads/xenon-cracked.jar | online | malware_download | 2026-05-10 |
| hxxps://donutsmpcheat.com/downloads/solar-client.jar | online | malware_download | 2026-05-10 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: jar
let malicious_domains = dynamic(["donutsmpcheat.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: jar
let malicious_domains = dynamic(["donutsmpcheat.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a legitimate Java Archive (JAR) file from a known repository (e.g., Maven Central) as part of a dependency update.
  - Filter/Exclusion: Exclude URLs that match known safe repositories like https://repo1.maven.org/maven2/ or https://maven.apache.org/content/repositories/.
- Scenario: A scheduled job runs a script that fetches a JAR file from an internal artifact repository for deployment purposes.
  - Filter/Exclusion: Exclude URLs that originate from internal repositories (e.g., https://artifactory.internal.company.com/ or https://nexus.internal.company.com/).
- Scenario: A developer is using a tool like mvn (Maven) or gradle to download dependencies, which may include JAR files from trusted sources.
  - Filter/Exclusion: Exclude URLs that match known dependency managers' artifact patterns (e.g., https://mvnrepository.com/artifact/ or https://repo.gradle.org/artifact/).
- Scenario: A security tool like ClamAV or Sophos is performing a scan and temporarily downloads a JAR file as part of its signature update process.
  - Filter/Exclusion: Exclude URLs that match known security tool update servers (e.g., https://database.clamav.net/ or https://download.sophos.com/).
- Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins or GitLab CI to fetch JAR files from a private registry for automated testing.
  - Filter/Exclusion: Exclude URLs that match internal CI/CD artifact URLs (e.g., https://ci-artifacts.company.com/ or https://gitlab-ci-artifacts.company.com/).
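The following query is an added example, not part of the original hunt content. It goes beyond the domain-only queries above: it surfaces every JAR download seen in CommonSecurityLog, tags hits on the URLhaus domain as confirmed IOC matches, and applies the exclusions from the false-positive scenarios as an allowlist of hosts; the internal hostnames in that allowlist are the placeholders used in the scenarios and must be replaced with your own.

```kql
// Added example: broad JAR-download hunt with URLhaus IOC tagging and
// the false-positive allowlist applied. Assumes CommonSecurityLog is
// populated by a proxy or firewall connector that fills RequestURL.
let lookback = 7d;
let malicious_domains = dynamic(["donutsmpcheat.com"]);
// Hosts behind the allowlisted URL prefixes from the false-positive scenarios.
// The *.company.com entries are placeholders, replace them with real internal hosts.
let allowlisted_hosts = dynamic([
    "repo1.maven.org", "maven.apache.org",            // Maven repositories
    "mvnrepository.com", "repo.gradle.org",           // dependency managers
    "database.clamav.net", "download.sophos.com",     // AV signature updates
    "artifactory.internal.company.com", "nexus.internal.company.com",
    "ci-artifacts.company.com", "gitlab-ci-artifacts.company.com"
]);
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(RequestURL)
// Test the extension on the URL path so a query string cannot hide ".jar".
| extend UrlPath = tostring(parse_url(RequestURL).Path)
| where UrlPath endswith ".jar"
// Prefer the host parsed from the URL; fall back to the device-reported destination.
| extend ParsedHost = tostring(parse_url(RequestURL).Host)
| extend Host = tolower(iff(isempty(ParsedHost), DestinationHostName, ParsedHost))
// Suppress the known-good sources described in the false-positive scenarios.
| where Host !in~ (allowlisted_hosts)
// Confirmed IOC hits sort first; everything else is an unknown JAR source to triage.
| extend Verdict = iff(Host has_any (malicious_domains), "URLhaus IOC match", "unknown JAR source (review)")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Requests = count(),
            Urls = make_set(RequestURL, 10),
            Sources = make_set(SourceIP, 10)
            by Host, Verdict, DeviceAction
| order by Verdict asc, Requests desc
```

A DeviceAction of "allow" on a row tagged "URLhaus IOC match" is the case to escalate first, since the JAR reached the endpoint; blocked rows still identify which hosts attempted the fetch.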