Evilginx is an adversary-in-the-middle phishing framework: it reverse-proxies a legitimate login page so that the victim's credentials and the resulting session cookie pass through infrastructure the attacker controls, which lets the attacker replay the session and defeats most forms of MFA. The IOCs below are the ip:port endpoints ThreatFox has attributed to Evilginx infrastructure. SOC teams should hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that have contacted this infrastructure and to contain credential theft before the stolen sessions are used for follow-on access or lateral movement. Because the IOC type is ip:port, a hit on both the IP and the port is higher confidence than a hit on the IP alone, which may be unrelated traffic to a shared host.
IOC Summary
Malware Family: Evilginx
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 81[.]17[.]101[.]139:3333 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 195[.]250[.]25[.]214:4000 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 185[.]212[.]129[.]114:9000 | botnet_cc | 2026-05-08 | 75% |
```kusto
// Hunt for network connections to known malicious IPs in CEF/syslog data
// Source: ThreatFox - Evilginx. These are the refanged forms of the ip:port IOCs
// in the table above. The match below is on the IP alone, so a hit on a port other
// than 3333/4000/9000 is lower confidence (possibly unrelated traffic to a shared host).
let malicious_ips = dynamic(["195.250.25.214", "185.212.129.114", "81.17.101.139"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceName, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events (same IOC list).
// Note that this table uses Timestamp rather than TimeGenerated, and that the
// initiating process tells you whether the connection came from a browser, a
// script, or an unexpected binary.
let malicious_ips = dynamic(["195.250.25.214", "185.212.129.114", "81.17.101.139"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA / Syslog connector; ensure it is enabled and that firewalls or proxies forward connection logs with source and destination IP and port |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint network telemetry); ensure it is enabled |
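The two queries above match on the IP only. Since the feed gives ip:port pairs, the following added example (not code from the original page, ThreatFox or Microsoft) carries the port through as well: it normalises both tables to one schema, joins against the three IOC rows from the summary table held in a datatable, and labels each hit as an "ip:port" or "ip_only" match so that the pair matches sort to the top. It assumes a 30-day lookback and the standard column names of CommonSecurityLog (DeviceName, SourcePort, DestinationPort) and DeviceNetworkEvents (LocalIP, RemotePort); the `iocs` datatable, the `RemoteIp`/`RemotePort`/`MatchType` names and the `ago(30d)` window are this example's own choices.

```kusto
// Added example: hunt the ThreatFox ip:port pairs as pairs across CEF/syslog and
// Defender for Endpoint telemetry, keeping IP-only hits but labelling them.
// The IOC rows below are the refanged values from the summary table on this page.
let iocs = datatable(Ip:string, Port:int, ThreatType:string, FirstSeen:datetime, Confidence:int) [
    "81.17.101.139",   3333, "botnet_cc", datetime(2026-05-08), 75,
    "195.250.25.214",  4000, "botnet_cc", datetime(2026-05-08), 75,
    "185.212.129.114", 9000, "botnet_cc", datetime(2026-05-08), 75
];
// Scalar set of IOC IPs for the cheap pre-filter on each source table
let ioc_ips = toscalar(iocs | summarize make_set(Ip));
// CEF/syslog: the IOC may be either the destination (outbound) or the source (inbound),
// so pick the remote side accordingly before normalising.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(30d)                      // assumed lookback window
    | where DestinationIP in (ioc_ips) or SourceIP in (ioc_ips)
    | extend Outbound = DestinationIP in (ioc_ips)
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = DeviceName,
              LocalIp = iff(Outbound, SourceIP, DestinationIP),
              RemoteIp = iff(Outbound, DestinationIP, SourceIP),
              RemotePort = iff(Outbound, toint(DestinationPort), toint(SourcePort)),
              Process = "",
              Action = DeviceAction;
// Defender for Endpoint: RemoteIP/RemotePort are already the far end of the connection
let mde = DeviceNetworkEvents
    | where Timestamp > ago(30d)                          // assumed lookback window
    | where RemoteIP in (ioc_ips)
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              LocalIp = LocalIP,
              RemoteIp = RemoteIP,
              RemotePort = toint(RemotePort),
              Process = InitiatingProcessFileName,
              Action = ActionType;
union cef, mde
| join kind=inner iocs on $left.RemoteIp == $right.Ip
// Pair match = IP and port both match the feed; IP-only hits are kept but flagged
| extend MatchType = iff(RemotePort == Port, "ip:port", "ip_only")
| project TimeGenerated, Source, Host, LocalIp, RemoteIp, RemotePort, MatchType,
          ThreatType, Confidence, FirstSeen, Process, Action
| order by MatchType asc, TimeGenerated desc
```

"ip:port" sorts before "ip_only", so the highest-confidence hits appear first. For an ongoing feed, replace the inline datatable with a Sentinel watchlist projected to the same columns (`_GetWatchlist('<watchlist name>') | project Ip, Port, ...`), which keeps the query unchanged when new indicators are added.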
The tuning scenarios below are written for a file- and process-based Evilginx rule (one that flags archive files such as .tar.gz release bundles and the processes that create them), not for the ip:port network hunts above, which need no such exclusions. The filter expressions are generic pseudo-filters on that rule's field names, not KQL. In every case prefer an exclusion scoped to a known process, account or path over one keyed on a file extension alone, because the same extensions and tools are used when an attacker stages Evilginx on a host.
Scenario: Legitimate Scheduled Job for Log Rotation
Description: A scheduled logrotate job (commonly managing rsyslog output) rotates and compresses logs, producing .gz or .tar.gz archives of the kind the rule associates with Evilginx.
Filter/Exclusion: Do not exclude every archive by extension (file_name NOT LIKE '%.tar.gz' would also hide a real Evilginx tarball); scope the exclusion to the rotation job instead: NOT (process_name = 'logrotate' AND file_name LIKE '%.gz')
Scenario: Admin Task for Backup Compression
Description: An administrator uses gzip, bzip2 or tar to compress backup files, producing .gz or .bz2 archives that trigger the rule.
Filter/Exclusion: process_name NOT IN ('gzip', 'bzip2', 'tar') is too broad, because unpacking Evilginx also runs tar. Exclude the backup job's service account or destination path instead, for example NOT (user_name = 'backup' AND file_path LIKE '/var/backups/%') (field names illustrative; use the rule's own).
Scenario: Internal Tool for Artifact Collection
Description: A host agent or log shipper such as OSSEC, Logstash or Filebeat archives system artifacts, and the resulting file names or extensions can resemble the Evilginx indicators.
Filter/Exclusion: Exclude files written by those agents using the process_name field, matching daemon names as they actually appear in telemetry (OSSEC runs as ossec-agentd and ossec-syscheckd, not as a process called "ossec"): process_name NOT IN ('ossec-agentd', 'ossec-syscheckd', 'logstash', 'filebeat')
Scenario: Legitimate Use of Docker for Containerization
Description: A Docker container running a legitimate application creates files or directories whose names match the Evilginx indicators.
Filter/Exclusion: Do not exclude all container activity (container_id IS NOT NULL): Evilginx ships with a Dockerfile and is routinely run in a container, so that exclusion would hide exactly the deployment the rule exists to catch. Exclude only approved images or container names, for example image_name NOT IN ('<approved image list>') (field name illustrative).
Scenario: System Update or Patching Process