The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into compromised environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread within the network.
IOC Summary
Threat: malware_download
Total URLs: 25
Active URLs: 11
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["sam-sa.net", "115.58.134.218", "namlongland.net", "candipoker.net", "42.178.153.201"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["sam-sa.net", "115.58.134.218", "namlongland.net", "candipoker.net", "42.178.153.201"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Scheduled system update via Microsoft Windows Update | Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com | Legitimate system updates often use these domains and may trigger the rule due to their inclusion in URLhaus lists. |
| Internal backup job using a known secure URL | Exclude URLs containing backup.<company-domain>.com or internal-backup-svc.<company-domain>.com | Backup processes may use internal URLs that are flagged as malicious in some threat intelligence feeds. |
| Admin task using PowerShell for log collection | Exclude URLs containing log-collector.<company-domain>.com or powershell.<company-domain>.com | Admins may use internal tools for log collection that are mistakenly flagged as malicious URLs. |
| User accessing a legitimate third-party service for software licensing | Exclude URLs containing license.<vendor-name>.com or software-license.<vendor-name>.com | Legitimate software vendors may have URLs that are misclassified as malicious in URLhaus. |
| Internal CI/CD pipeline using a secure artifact repository | Exclude URLs containing artifactory.<company-domain>.com or nexus.<company-domain>.com | Artifact repositories used in CI/CD pipelines are often flagged due to their similarity to malicious domains. |
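The following is an added helper (not part of the original hunt content) that ties the KQL hunt above to the false-positive exclusions: it refangs URLhaus-style `hxxp` URLs into hostnames (stripping ports such as `115.58.134.218:34301`), renders the CommonSecurityLog query with an allowlist applied, and gives an offline check for triaging an exported row. The IOC URLs are a constructed subset of the page's hosts; the allowlist is the Windows Update pair from the table, with `<company-domain>` entries left for you to fill in.

```python
import json
from urllib.parse import urlsplit

# Constructed input: a few defanged URLs in the form URLhaus publishes them.
IOC_URLS = [
    "hxxp://115.58.134.218:34301/i",
    "hxxps://sam-sa.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10",
    "hxxps://namlongland.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v12",
    "hxxps://candipoker.net/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10",
]
# Allowlist from the false-positive table; add the <company-domain> entries for your tenant.
ALLOWLIST = ["windowsupdate.microsoft.com", "update.microsoft.com"]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the URL parses normally."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Lowercase hostname with any port removed (115.58.134.218:34301 -> 115.58.134.218)."""
    return (urlsplit(refang(url)).hostname or "").lower()


def ioc_hosts(urls) -> list:
    """Deduplicated, sorted host list suitable for the KQL dynamic() array."""
    return sorted({h for h in (host_of(u) for u in urls) if h})


def build_kql(hosts, allowlist) -> str:
    """Render the CommonSecurityLog hunt with the allowlist applied as a second filter."""
    return "\n".join([
        f"let malicious_domains = dynamic({json.dumps(hosts)});",
        f"let allowlist = dynamic({json.dumps(allowlist)});",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)",
        "| where not(RequestURL has_any (allowlist)) and not(DestinationHostName has_any (allowlist))",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ])


def is_hit(record: dict, hosts, allowlist) -> bool:
    """Offline approximation of the query's filters (substring match stands in for has_any)."""
    fields = [str(record.get("RequestURL", "")).lower(),
              str(record.get("DestinationHostName", "")).lower()]
    if any(a in f for a in allowlist for f in fields):
        return False  # allowlisted destination: suppressed as a known false positive
    return any(h in f for h in hosts for f in fields)
```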