The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malware distribution and credential theft. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated and persistent threat actor.
IOC Summary
Malware Family: Kimwolf Total IOCs: 8 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 206[.]189[.]2[.]243:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 68[.]183[.]5[.]166:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 159[.]65[.]201[.]249:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 146[.]190[.]235[.]186:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 64[.]225[.]73[.]59:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 174[.]138[.]14[.]102:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 167[.]99[.]209[.]164:25001 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 68[.]183[.]14[.]202:25001 | botnet_cc | 2026-05-20 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["159.65.201.249", "68.183.5.166", "174.138.14.102", "146.190.235.186", "206.189.2.243", "64.225.73.59", "68.183.14.202", "167.99.209.164"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["159.65.201.249", "68.183.5.166", "174.138.14.102", "146.190.235.186", "206.189.2.243", "64.225.73.59", "68.183.14.202", "167.99.209.164"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system maintenance tasks
Filter/Exclusion: Exclude processes with crontab in the command line or check for @reboot/@daily schedule keywords in the command.
Scenario: System administrators using systemd to manage services, including systemctl start or systemctl stop commands
Filter/Exclusion: Exclude processes where the command includes systemctl and the service name is a known legitimate service (e.g., sshd, nginx, postgresql).
Scenario: Regular use of rsync for backup purposes across internal servers
Filter/Exclusion: Exclude processes where the command includes rsync and the destination is an internal IP address or a known backup server.
Scenario: Use of tar or gzip for archiving logs or configuration files
Filter/Exclusion: Exclude processes where the command includes tar or gzip and the file path is within a known log or config directory (e.g., /var/log/, /etc/).
Scenario: Execution of ansible playbooks for configuration management or patching
Filter/Exclusion: Exclude processes where the command includes ansible-playbook and the playbook path is within a known Ansible inventory directory.