The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving an unknown loader, which may be used to execute malicious payloads or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 4
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | crimesupport.cfd | botnet_cc | 2026-05-18 | 100% |
| domain | breathdoctor.xyz | botnet_cc | 2026-05-18 | 100% |
| domain | activityof.com | payload_delivery | 2026-05-18 | 100% |
| url | hxxps://activityof.com/datei | payload_delivery | 2026-05-18 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["crimesupport.cfd", "breathdoctor.xyz", "activityof.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Loader
// The IOC is published defanged (hxxps); the query uses the real scheme so it matches telemetry.
let malicious_urls = dynamic(["https://activityof.com/datei"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (populated by the Windows DNS Server / DNS Analytics connector) |
| UrlClickEvents | Ensure this data connector is enabled (populated by the Microsoft Defender XDR connector, Defender for Office 365 Safe Links click data) |
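As an added example (not part of the ThreatFox feed or this rule), the same two hunts in Python, refanging the published IOCs and matching subdomains and scheme/trailing-slash variants that a plain substring or `has_any` test can miss or over-match. The telemetry records, hostnames such as `ws01`, and account names are constructed and only mirror the DnsEvents / UrlClickEvents columns used above.

```python
import re
from urllib.parse import urlsplit

# IOC list copied from the ThreatFox table above (published defanged).
IOCS = [
    ("domain", "crimesupport.cfd"),
    ("domain", "breathdoctor.xyz"),
    ("domain", "activityof.com"),
    ("url", "hxxps://activityof.com/datei"),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.]) so IOCs compare against real telemetry."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")

def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """True when the queried name is the IOC domain or a subdomain of it.
    A substring test would also flag look-alikes such as 'notactivityof.com'."""
    q = query_name.lower().rstrip(".")          # DNS names may carry a trailing dot
    d = ioc_domain.lower()
    return q == d or q.endswith("." + d)

def url_matches(url: str, ioc_url: str) -> bool:
    """Compare host and path only, so http/https and trailing-slash variants both hit."""
    a, b = urlsplit(url.lower()), urlsplit(ioc_url.lower())
    return a.hostname == b.hostname and a.path.rstrip("/") == b.path.rstrip("/")

def hunt(dns_records, url_records):
    """Return (dns_hits, url_hits); each hit is a (record, matched_ioc) pair."""
    domains = [refang(v) for t, v in IOCS if t == "domain"]
    urls = [refang(v) for t, v in IOCS if t == "url"]
    dns_hits = [(r, d) for r in dns_records for d in domains if domain_matches(r["Name"], d)]
    url_hits = [(r, u) for r in url_records for u in urls if url_matches(r["Url"], u)]
    return dns_hits, url_hits

# Constructed sample telemetry (not real logs), shaped like the Sentinel columns above.
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "cdn.activityof.com", "QueryType": "A"},
    {"Computer": "ws02", "Name": "notactivityof.com", "QueryType": "A"},
    {"Computer": "ws03", "Name": "BreathDoctor.xyz.", "QueryType": "A"},
]
SAMPLE_URLS = [
    {"AccountUpn": "a@example.com", "Url": "HTTP://activityof.com/datei/"},
    {"AccountUpn": "b@example.com", "Url": "https://activityof.com/other"},
]

if __name__ == "__main__":
    dns_hits, url_hits = hunt(SAMPLE_DNS, SAMPLE_URLS)
    for hit in dns_hits + url_hits:
        print(hit)
```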
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or C:\Windows\Temp\*.tmp).
Filter/Exclusion: Exclude processes associated with Task Scheduler or use a filter like process.parent_process_name == "schtasks.exe".
Scenario: PowerShell Script Execution for Patching
Description: A PowerShell script used for patching or configuration management (e.g., PowerShell.exe -Command "Get-HotFix") triggers the IOC due to command-line arguments.
Filter/Exclusion: Exclude processes with process.name == "PowerShell.exe" and check for known patching or configuration management tools in the command line.
Scenario: Antivirus Quarantine Scan
Description: An antivirus tool (e.g., Kaspersky, Bitdefender) performs a scan and temporarily moves files to quarantine, which may match the IOC pattern.
Filter/Exclusion: Exclude processes with process.name == "KavService.exe" or process.name == "Bitdefender.exe" and check for known AV tool signatures.
Scenario: System File Integrity Check (SFIC)
Description: A system integrity check tool (e.g., Sysinternals Process Explorer, Windows Defender ATP) uses a script or executable that matches the IOC.
Filter/Exclusion: Exclude processes with process.name == "Process Explorer.exe" or process.name == "MsMpEng.exe" and check for known system integrity tools.
Scenario: Admin Task for Log Collection
Description: A system administrator runs a log collection script (e.g., LogParser, PowerShell logging tools) that uses a file or command matching the IOC.