The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 21 IOC Types: url, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://bulletpop.cyou/ | payload_delivery | 2026-05-18 | 90% |
| ip:port | 167[.]88[.]167[.]9:8356 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 167[.]88[.]167[.]9:8000 | botnet_cc | 2026-05-18 | 75% |
| url | hxxps://topnews.eu.cc/ | payload_delivery | 2026-05-18 | 90% |
| ip:port | 165[.]154[.]236[.]119:8888 | botnet_cc | 2026-05-18 | 100% |
| domain | voltrix.pw | botnet_cc | 2026-05-18 | 100% |
| domain | bytearmor.net | botnet_cc | 2026-05-18 | 100% |
| url | hxxps://linxiabeautyworks.com/ | payload_delivery | 2026-05-18 | 90% |
| url | hxxps://www.womenincancer.com/ | payload_delivery | 2026-05-18 | 90% |
| url | hxxps://worldrank.net/ | payload_delivery | 2026-05-18 | 90% |
| url | hxxps://www.euroequipment.co.th/ | payload_delivery | 2026-05-18 | 90% |
| url | hxxps://www.beltboutique.co.uk/ | payload_delivery | 2026-05-18 | 90% |
| url | hxxps://www.angelphonerepair.com/ | payload_delivery | 2026-05-18 | 90% |
| domain | interium.wtf | botnet_cc | 2026-05-18 | 100% |
| domain | dl.interium.wtf | payload_delivery | 2026-05-18 | 100% |
| domain | crackedsoftware.doxbin.cy | payload_delivery | 2026-05-18 | 100% |
| domain | marinaradom.cfd | payload_delivery | 2026-05-18 | 100% |
| domain | spartanec.lat | payload_delivery | 2026-05-18 | 100% |
| domain | bulletpop.cyou | payload_delivery | 2026-05-18 | 100% |
| domain | ssns-cdn-ns.beer | payload_delivery | 2026-05-18 | 100% |
| domain | mistraljs.beer | payload_delivery | 2026-05-18 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["165.154.236.119", "167.88.167.9"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["165.154.236.119", "167.88.167.9"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["voltrix.pw", "bytearmor.net", "interium.wtf", "dl.interium.wtf", "crackedsoftware.doxbin.cy", "marinaradom.cfd", "spartanec.lat", "bulletpop.cyou", "ssns-cdn-ns.beer", "mistraljs.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://bulletpop.cyou/", "https://topnews.eu.cc/", "https://linxiabeautyworks.com/", "https://www.womenincancer.com/", "https://worldrank.net/", "https://www.euroequipment.co.th/", "https://www.beltboutique.co.uk/", "https://www.angelphonerepair.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Regular system maintenance task using schtasks.exe to run a legitimate cleanup script
Filter/Exclusion: Exclude process executions where schtasks.exe is used to run scripts located in the system’s scheduled tasks directory (e.g., C:\Windows\Tasks\) or known maintenance scripts.
Scenario: Deployment of a new application using msiexec.exe with a legitimate installer package
Filter/Exclusion: Exclude process executions where msiexec.exe is used to install packages from a trusted internal repository or known enterprise software distribution path (e.g., \\fileserver\software\).
Scenario: Security tool update using powershell.exe to download and install a legitimate update
Filter/Exclusion: Exclude PowerShell scripts executed from a known internal security tool update location (e.g., C:\Program Files\Endpoint Protection\) or signed by a trusted certificate.
Scenario: Log collection using logparser.exe to gather system event logs for analysis
Filter/Exclusion: Exclude process executions where logparser.exe is used with a known internal log query and output destination (e.g., C:\Logs\ or \\logserver\logs\).
Scenario: Backup job execution using vssadmin.exe or wbadmin.exe to perform a scheduled backup
Filter/Exclusion: Exclude process executions where vssadmin.exe or wbadmin.exe is used with known backup paths or during scheduled backup windows (e.g., C:\Backup\ or \\backupserver\).