The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving unknown loaders, which are often used to execute malicious payloads and evade traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that leverage unknown loaders to compromise endpoints and exfiltrate data.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | coalwork.info | botnet_cc | 2026-05-21 | 100% |
| domain | startmonkey.cfd | botnet_cc | 2026-05-21 | 50% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["coalwork.info", "startmonkey.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
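The same hunt logic, as an added example that is not part of the original rule page: it applies the two ThreatFox domains above to a handful of constructed DnsEvents-style rows, matching exact names and subdomains (with case and trailing-dot normalisation) while refusing substring look-alikes, attaches the IOC confidence to each hit, and orders newest first like the KQL query. The sample rows and host names are constructed, not real telemetry.

```python
from datetime import datetime

# IOC table from the page (ThreatFox, Unknown Loader), with confidence scores.
IOCS = {
    "coalwork.info": {"threat_type": "botnet_cc", "confidence": 100},
    "startmonkey.cfd": {"threat_type": "botnet_cc", "confidence": 50},
}

# Constructed sample DnsEvents rows (not real telemetry); the fields mirror the
# columns projected by the KQL query on this page.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-22T08:00:00", "Computer": "ws01",
     "Name": "coalwork.info", "IPAddresses": "203.0.113.5", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:05:00", "Computer": "ws02",
     "Name": "cdn.startmonkey.cfd.", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:01:00", "Computer": "ws03",
     "Name": "notcoalwork.info", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:02:00", "Computer": "ws04",
     "Name": "example.com", "IPAddresses": "93.184.216.34", "QueryType": "AAAA"},
]

def normalise(name):
    """Lower-case and strip the trailing dot resolvers append to FQDNs."""
    return name.strip().lower().rstrip(".")

def match_ioc(name):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    The label-boundary check keeps 'notcoalwork.info' from matching 'coalwork.info'."""
    n = normalise(name)
    for ioc in IOCS:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

def hunt(events):
    """Keep rows whose queried Name hits an IOC, tag confidence, newest first."""
    hits = []
    for ev in events:
        ioc = match_ioc(ev["Name"])
        if ioc is None:
            continue
        hit = dict(ev)
        hit["MatchedIOC"] = ioc
        hit["Confidence"] = IOCS[ioc]["confidence"]
        hits.append(hit)
    return sorted(hits, key=lambda h: datetime.fromisoformat(h["TimeGenerated"]),
                  reverse=True)
```

Hits carry the IOC confidence so the 50% indicator can be triaged separately from the 100% one instead of both landing at the same priority.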
**Scenario: Scheduled System Maintenance Task**
Description: A legitimate scheduled task runs a script that downloads a file from a known internal repository, which coincidentally matches an IOC from the ThreatFox list.
Filter/Exclusion: Exclude files downloaded from internal IP ranges (e.g., src_ip in (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)).
**Scenario: Windows Update or Patching Process**
Description: A Windows Update or patching job temporarily downloads a file that matches an IOC associated with the Unknown Loader.
Filter/Exclusion: Exclude files downloaded from Microsoft update servers (e.g., dst_ip in (52.166.17.12, 52.166.17.13, 52.166.17.14)).
**Scenario: Internal Software Deployment via SCCM**
Description: A Software Center or SCCM deployment package includes a file that matches an IOC from the ThreatFox list but is part of a legitimate internal tool.
Filter/Exclusion: Exclude files with a known internal hash or signed by a trusted internal certificate (e.g., file_hash in (SHA256:abc123...)).
**Scenario: Admin Script for Log Collection**
Description: An admin script runs a PowerShell script that connects to a SIEM system and uploads logs, and the connection matches an IOC from the ThreatFox list.
Filter/Exclusion: Exclude connections to known SIEM servers (e.g., dst_ip in (10.10.10.10, 10.10.10.11)).
**Scenario: Third