The ThreatFox: SmartApeSG IOCs rule detects potential adversary activity linked to the SmartApeSG threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
- Malware Family: SmartApeSG
- Total IOCs: 4
- IOC Types: domain, url, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sharpfield.top/rate/api-template.js | payload_delivery | 2026-05-08 | 100% |
| url | hxxps://sharpfield.top/rate/principal-client.php | payload_delivery | 2026-05-08 | 100% |
| domain | sharpfield.top | payload_delivery | 2026-05-08 | 100% |
| sha256_hash | 7d1526c3d109fc9da176120ecb5209c4fde8b68a208584d2253cf116fd167eb6 | payload | 2026-05-08 | 90% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - SmartApeSG
let malicious_domains = dynamic(["sharpfield.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SmartApeSG
// URLs are refanged (hxxps -> https) relative to the IOC table above.
let malicious_urls = dynamic(["https://sharpfield.top/rate/api-template.js", "https://sharpfield.top/rate/principal-client.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - SmartApeSG
// The list currently holds a single SHA-256; the SHA1 and MD5 comparisons
// only become effective if hashes of those types are added to it.
let malicious_hashes = dynamic(["7d1526c3d109fc9da176120ecb5209c4fde8b68a208584d2253cf116fd167eb6"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
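The three hunts above run inside Sentinel and cannot be exercised offline. The following is an added example, not code from the ThreatFox rule page: it takes the four SmartApeSG IOCs from the table, refangs them, and applies the same three matches (DNS name, clicked URL, file hash) to constructed sample events. The event dicts, the `SAMPLE_EVENTS` names and the helper functions are this example's own; it also goes slightly beyond the queries by matching subdomains of a domain IOC, accepting a query string after a URL IOC, and comparing each hash only with the column of its own algorithm, which is decided from the digest length.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the ThreatFox rule page: the four SmartApeSG IOCs
# from the table above, refanged and matched against constructed sample events
# the way the three Sentinel queries match them.

# IOCs copied from the rule's table (defanged with hxxps://).
SMARTAPESG_IOCS = [
    {"type": "url", "value": "hxxps://sharpfield.top/rate/api-template.js"},
    {"type": "url", "value": "hxxps://sharpfield.top/rate/principal-client.php"},
    {"type": "domain", "value": "sharpfield.top"},
    {"type": "sha256_hash",
     "value": "7d1526c3d109fc9da176120ecb5209c4fde8b68a208584d2253cf116fd167eb6"},
]

# Hex-digest length tells us which hash column a value may be compared with.
HASH_ALGO_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) before comparison."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")


def build_watchlists(iocs):
    """Split IOCs into the domain, URL and per-algorithm hash sets the hunts use."""
    domains, urls, hashes = set(), set(), {}
    for ioc in iocs:
        value = refang(ioc["value"]).lower()
        if ioc["type"] == "domain":
            domains.add(value)
        elif ioc["type"] == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname)  # a URL IOC implies its host
        elif ioc["type"].endswith("_hash"):
            algo = HASH_ALGO_BY_LENGTH.get(len(value))
            if algo:  # only compare against the column of the same algorithm
                hashes.setdefault(algo, set()).add(value)
    return domains, urls, hashes


def domain_matches(name, domains):
    """DnsEvents-style match: exact domain or any subdomain, never a mere substring."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url, urls):
    """UrlClickEvents-style match: the IOC URL, optionally followed by a query string."""
    url = url.lower()
    return any(url == u or url.startswith(u + "?") for u in urls)


def hash_matches(event, hashes):
    """DeviceFileEvents-style match, comparing each hash only with its own column."""
    return any(event.get(algo, "").lower() in values for algo, values in hashes.items())


# Constructed sample events, one dict per row, tagged with the table they mimic.
SAMPLE_EVENTS = [
    {"table": "DnsEvents", "Computer": "WS01", "Name": "sharpfield.top"},
    {"table": "DnsEvents", "Computer": "WS02", "Name": "cdn.sharpfield.top"},
    {"table": "DnsEvents", "Computer": "WS03", "Name": "notsharpfield.top"},
    {"table": "UrlClickEvents", "AccountUpn": "alice@example.com",
     "Url": "https://sharpfield.top/rate/api-template.js?v=3"},
    {"table": "UrlClickEvents", "AccountUpn": "bob@example.com",
     "Url": "https://example.com/rate/api-template.js"},
    {"table": "DeviceFileEvents", "DeviceName": "WS01", "FileName": "update.bin",
     # the IOC hash in upper case, as some sensors report it
     "SHA256": "7d1526c3d109fc9da176120ecb5209c4fde8b68a208584d2253cf116fd167eb6".upper(),
     "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"table": "DeviceFileEvents", "DeviceName": "WS04", "FileName": "setup.exe",
     "SHA256": "0" * 64},
]


def hunt(events, iocs):
    """Return (table, subject, indicator) for every event that matches an IOC."""
    domains, urls, hashes = build_watchlists(iocs)
    hits = []
    for e in events:
        if e["table"] == "DnsEvents" and domain_matches(e["Name"], domains):
            hits.append(("DnsEvents", e["Computer"], e["Name"]))
        elif e["table"] == "UrlClickEvents" and url_matches(e["Url"], urls):
            hits.append(("UrlClickEvents", e["AccountUpn"], e["Url"]))
        elif e["table"] == "DeviceFileEvents" and hash_matches(e, hashes):
            hits.append(("DeviceFileEvents", e["DeviceName"], e["FileName"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, SMARTAPESG_IOCS):
        print(*hit)
```

Of the seven constructed events, four match: the two DNS lookups for the domain and its subdomain, the click on the api-template.js URL with a trailing query string, and the file whose SHA-256 equals the IOC regardless of letter case. The look-alike domain, the same path on another host, and the unrelated hash do not.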
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

The exclusions below are written in generic process-field notation (process.name, process.parent.name, process.user, process.command_line) rather than against the columns of a specific Sentinel table; map them to the table being queried (for example InitiatingProcessFileName in DeviceFileEvents) before adding them to a hunt. Each exclusion drops an event only when every part of the benign pattern holds (`a != X or b != Y` is the negation of `a == X and b == Y`), so an event matching only part of the pattern still alerts.

Scenario: Scheduled System Maintenance Task
- Description: A legitimate scheduled task runs a script that matches one of the SmartApeSG IOCs (e.g., a PowerShell script used for system cleanup).
- Filter/Exclusion: `process.name != "CleanupScript.ps1" or process.parent.name != "TaskScheduler"`

Scenario: Admin Performing Log Analysis with LogParser
- Description: An admin uses Microsoft LogParser to analyze event logs, which may include queries that resemble malicious IOCs.
- Filter/Exclusion: `process.name != "LogParser.exe" or process.user != "Domain\Administrator"`

Scenario: Automated Backup Job Using Veeam
- Description: A Veeam backup job temporarily uses a script or tool that matches a SmartApeSG IOC (e.g., a temporary file or command used during backup).
- Filter/Exclusion: `process.name != "VeeamBackup.exe" or process.command_line not contains "backup"`

Scenario: Network Monitoring Tool Using Wireshark
- Description: Wireshark is used to capture and analyze network traffic, which may include IP addresses or domains that match SmartApeSG IOCs.
- Filter/Exclusion: `process.name != "wireshark.exe" or process.user != "NetworkAdmin"`

Scenario: Patch Management Tool Using Microsoft Update
- Description: A patch management tool like Microsoft Update temporarily executes scripts or uses components that match SmartApeSG IOCs during system updates.
- Filter/Exclusion: `process.name != "wusa.exe" or process.command_line not contains "quiet"` (the benign case is a quiet, unattended wusa.exe run; the other four scenarios follow the same shape, excluding the process only together with its expected context)
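The exclusion expressions are easy to get backwards, so here is an added example (not code from the rule page) that stores each scenario as the conjunction of conditions describing its benign case, applies it to constructed process events, and renders the negated form in the page's own `process.*` notation. The `ProcessEvent` fields, the `eq`/`contains` operator names and the sample events are this example's own assumptions; the scenario titles and values are the ones listed above.

```python
from dataclasses import dataclass

# Added example, not from the rule page: the five false-positive exclusions
# above expressed as predicates and applied to constructed process events.
# Field and operator names (name, parent_name, eq, contains) are this example's own.


@dataclass
class ProcessEvent:
    name: str
    parent_name: str = ""
    user: str = ""
    command_line: str = ""


# Each scenario lists the conditions that together describe the benign case.
# Conditions are (field, operator, value) with operator "eq" or "contains".
SCENARIOS = {
    "Scheduled System Maintenance Task": [
        ("name", "eq", "CleanupScript.ps1"), ("parent_name", "eq", "TaskScheduler")],
    "Admin Performing Log Analysis with LogParser": [
        ("name", "eq", "LogParser.exe"), ("user", "eq", r"Domain\Administrator")],
    "Automated Backup Job Using Veeam": [
        ("name", "eq", "VeeamBackup.exe"), ("command_line", "contains", "backup")],
    "Network Monitoring Tool Using Wireshark": [
        ("name", "eq", "wireshark.exe"), ("user", "eq", "NetworkAdmin")],
    "Patch Management Tool Using Microsoft Update": [
        ("name", "eq", "wusa.exe"), ("command_line", "contains", "quiet")],
}

# How this example's field names map onto the page's process.* notation.
FIELD_NAMES = {"name": "process.name", "parent_name": "process.parent.name",
               "user": "process.user", "command_line": "process.command_line"}
NEGATED_OPS = {"eq": "!=", "contains": "not contains"}


def condition_holds(event, cond):
    """Evaluate one (field, operator, value) condition case-insensitively."""
    field_name, op, value = cond
    actual = getattr(event, field_name)
    if op == "eq":
        return actual.lower() == value.lower()
    if op == "contains":
        return value.lower() in actual.lower()
    raise ValueError(f"unknown operator {op!r}")


def is_benign(event, conditions):
    """The benign case is the conjunction of all of its conditions."""
    return all(condition_holds(event, c) for c in conditions)


def to_filter_expression(conditions):
    """Render the negation of the benign case in the page's notation:
    not (a == X and b == Y) is a != X or b != Y (De Morgan)."""
    return " or ".join(f'{FIELD_NAMES[f]} {NEGATED_OPS[op]} "{v}"'
                       for f, op, v in conditions)


def suppressing_scenario(event, scenarios=SCENARIOS):
    """Return the title of the scenario that excludes this event, or None."""
    for title, conds in scenarios.items():
        if is_benign(event, conds):
            return title
    return None


def apply_exclusions(events, scenarios=SCENARIOS):
    """Split events into those that still alert and those an exclusion removed."""
    kept, suppressed = [], []
    for event in events:
        reason = suppressing_scenario(event, scenarios)
        (suppressed if reason else kept).append((event, reason))
    return kept, suppressed


# Constructed sample events: each benign case beside a near miss that must still alert.
SAMPLE_EVENTS = [
    ProcessEvent("CleanupScript.ps1", parent_name="TaskScheduler"),
    ProcessEvent("CleanupScript.ps1", parent_name="cmd.exe"),
    ProcessEvent("LogParser.exe", user=r"Domain\Administrator"),
    ProcessEvent("LogParser.exe", user=r"Domain\svc_web"),
    ProcessEvent("wusa.exe", command_line="wusa.exe KB000000.msu /quiet /norestart"),
    ProcessEvent("wusa.exe", command_line="wusa.exe KB000000.msu /norestart"),
]

if __name__ == "__main__":
    kept, suppressed = apply_exclusions(SAMPLE_EVENTS)
    for event, reason in suppressed:
        print("suppressed:", event.name, "by", reason)
    for event, _ in kept:
        print("still alerts:", event.name)
    for conds in SCENARIOS.values():
        print(to_filter_expression(conds))
```

Three of the six constructed events are suppressed (each one matching its full benign pattern) and three still alert: the cleanup script launched from cmd.exe rather than the task scheduler, LogParser run by a service account, and an interactive wusa.exe run without /quiet. `to_filter_expression` reproduces the page's five expressions verbatim from the conjunctive form, which is the safer form to maintain because adding a condition narrows the exclusion instead of widening it.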