The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Kimwolf Total IOCs: 30 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]233[.]46[.]13:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]160[.]166:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]87:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]115:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]125:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]148:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]152:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]160[.]185:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]233[.]46[.]59:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]254:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]55:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]77:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]233[.]43[.]79:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]100:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]233[.]43[.]32:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]79:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]4:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]110:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]64:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]182[.]112:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]166[.]249:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]233[.]188:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]233[.]44[.]73:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]233[.]203:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]233[.]61[.]175:25001 | botnet_cc | 2026-05-10 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["172.235.182.64", "172.233.61.175", "172.235.182.100", "172.233.46.59", "172.233.43.79", "172.239.233.162", "172.239.238.87", "172.239.238.125", "172.233.44.73", "172.233.61.189", "172.239.238.148", "172.235.182.79", "172.235.166.249", "172.235.182.112", "172.235.166.230", "172.235.182.110", "172.233.43.32", "172.239.238.115", "172.233.46.13", "172.239.238.152", "172.235.182.55", "172.235.160.185", "172.233.49.140", "172.239.233.188", "172.235.182.4", "172.233.45.171", "172.239.238.254", "172.235.160.166", "172.239.233.203", "172.235.182.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.235.182.64", "172.233.61.175", "172.235.182.100", "172.233.46.59", "172.233.43.79", "172.239.233.162", "172.239.238.87", "172.239.238.125", "172.233.44.73", "172.233.61.189", "172.239.238.148", "172.235.182.79", "172.235.166.249", "172.235.182.112", "172.235.166.230", "172.235.182.110", "172.233.43.32", "172.239.238.115", "172.233.46.13", "172.239.238.152", "172.235.182.55", "172.235.160.185", "172.233.49.140", "172.239.233.188", "172.235.182.4", "172.233.45.171", "172.239.238.254", "172.235.160.166", "172.239.233.203", "172.235.182.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job running Kimwolf-related scripts for log analysis
Filter/Exclusion: process.name != "kimwolf.sh" OR process.name != "kimwolf.log"
Rationale: Scheduled jobs may execute scripts that match the IOC list, but these are part of normal log analysis workflows.
Scenario: System administrator using Kimwolf for threat intelligence lookup
Filter/Exclusion: user.name != "admin" OR user.name != "security_ops"
Rationale: Admins may use Kimwolf for legitimate threat intelligence checks, which should not be flagged as malicious.
Scenario: CI/CD pipeline executing Kimwolf for dependency scanning
Filter/Exclusion: process.parent.name != "jenkins" OR process.parent.name != "gitlab-runner"
Rationale: CI/CD tools may use Kimwolf for package dependency checks, which is a legitimate use case.
Scenario: Regular use of Kimwolf in security tools like Splunk or ELK for IOC enrichment
Filter/Exclusion: process.parent.name != "splunkd" OR process.parent.name != "elasticsearch"
Rationale: Security tools often integrate with Kimwolf to enrich event data, which is a common and legitimate practice.
Scenario: Automated security tool (e.g., CrowdStrike, Palo Alto) querying Kimwolf for IOC updates
Filter/Exclusion: process.name != "crowdstrike-sensor" OR process.name != "panos-sensor"
Rationale: Security platforms may query Kimwolf as part of their IOC update process, which should be excluded from false positives.