Adversaries are running phishing campaigns from the Evilginx infrastructure behind these IOCs, impersonating legitimate services to capture credentials and session tokens. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate credential theft and any follow-on lateral movement.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]212[.]128[.]76:9000 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 172[.]245[.]97[.]237:2030 | botnet_cc | 2026-05-11 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
// The ThreatFox indicators are ip:port (9000 and 2030); the port is deliberately
// left out of the filter so that any contact with these hosts is surfaced.
let malicious_ips = dynamic(["172.245.97.237", "185.212.128.76"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected so hits on 9000/2030 can be triaged ahead of other ports.
let malicious_ips = dynamic(["172.245.97.237", "185.212.128.76"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
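Before pasting the IOC list into the queries above, it is worth checking that the defanged ThreatFox rows refang cleanly and that matches are triaged by both halves of the ip:port indicator. The following Python is an added example, not part of this page or of ThreatFox; it rebuilds the `let malicious_ips` line from the two rows and runs a port-aware match over a handful of constructed DeviceNetworkEvents-style records (the device names, timestamps and the 10.20.0.15 internal host are made up for the example).

```python
import re

# Constructed copy of the two ThreatFox rows above, kept defanged as published.
DEFANGED_IOCS = [
    "185[.]212[.]128[.]76:9000",
    "172[.]245[.]97[.]237:2030",
]

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(value):
    """Turn a defanged indicator (185[.]212[.]128[.]76:9000) back into a usable form."""
    return value.replace("[.]", ".")


def parse_ip_port(ioc):
    """Split an ip:port indicator into (ip, port), rejecting malformed rows early."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an ip:port indicator: {ioc!r}")
    m = IPV4_RE.match(host)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"invalid IPv4 address in indicator: {ioc!r}")
    return host, int(port)


def build_ioc_set(iocs):
    return {parse_ip_port(i) for i in iocs}


def kql_ip_list(ioc_set):
    """Render the IP half of the set as the KQL `let` line used by the hunting queries."""
    ips = sorted({ip for ip, _ in ioc_set})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


# Constructed sample records in the shape of DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-12T08:01:10Z", "DeviceName": "wks-017", "RemoteIP": "185.212.128.76",
     "RemotePort": 9000, "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2026-05-12T08:03:44Z", "DeviceName": "wks-017", "RemoteIP": "185.212.128.76",
     "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2026-05-12T08:05:02Z", "DeviceName": "srv-web-02", "RemoteIP": "10.20.0.15",
     "RemotePort": 9000, "InitiatingProcessFileName": "node"},
    {"Timestamp": "2026-05-12T08:07:31Z", "DeviceName": "wks-023", "RemoteIP": "172.245.97.237",
     "RemotePort": 2030, "InitiatingProcessFileName": "outlook.exe"},
]


def classify_events(events, ioc_set):
    """Return (exact hits, ip-only hits).

    Exact hits match both the IP and the port of an indicator and go to the top of the
    triage queue; ip-only hits touch a listed host on a different port and still merit a
    look, since the KQL above matches on IP alone.
    """
    ioc_ips = {ip for ip, _ in ioc_set}
    exact, ip_only = [], []
    for ev in events:
        key = (ev["RemoteIP"], int(ev["RemotePort"]))
        if key in ioc_set:
            exact.append(ev)
        elif ev["RemoteIP"] in ioc_ips:
            ip_only.append(ev)
    return exact, ip_only


if __name__ == "__main__":
    iocs = build_ioc_set(DEFANGED_IOCS)
    print(kql_ip_list(iocs))
    exact, ip_only = classify_events(SAMPLE_EVENTS, iocs)
    for ev in exact:
        print("EXACT  ", ev["Timestamp"], ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
              ev["InitiatingProcessFileName"])
    for ev in ip_only:
        print("IP-ONLY", ev["Timestamp"], ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
              ev["InitiatingProcessFileName"])
```

The generated `let` line is byte-for-byte the one used in both hunting queries, so the script doubles as a regression check when the ThreatFox feed is refreshed; the internal 10.20.0.15:9000 record is there to show that a port alone never produces a hit.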
Scenario: Legitimate Scheduled Job for Log Rotation
Description: A scheduled job using logrotate is generating temporary files with names similar to known Evilginx domains.
Filter/Exclusion: Exclude files created by logrotate or check for presence of /etc/logrotate.d/ in the file path.

Scenario: Admin Task for Certificate Renewal Using Certbot
Description: An admin is using certbot to renew SSL certificates, which may temporarily host intermediate certificates with names resembling Evilginx domains.
Filter/Exclusion: Exclude files containing the string certbot or located in /etc/letsencrypt/.

Scenario: Internal Monitoring Tool Using Prometheus and Grafana
Description: A monitoring tool like Prometheus or Grafana might have dashboards hosted on internal servers with domain names that match Evilginx IOCs.
Filter/Exclusion: Exclude domains that are internal or match the internal DNS domain (e.g., *.internal.company.com).

Scenario: Development Environment with Docker Containers
Description: A developer is running a Docker container that uses a custom domain for local testing, which may match known Evilginx domains.
Filter/Exclusion: Exclude containers running in development environments (e.g., those with docker-compose or docker run in the command line).

Scenario: Systemd Service for Internal API Gateway
Description: A systemd service is configured to run an internal API gateway using a domain name that coincidentally matches an Evilginx IOC.
Filter/Exclusion: Exclude services managed by systemd and check for presence of /etc/systemd/system/ in the file path.