The detection identifies potential adversary activity involving malicious URLs associated with the amos threat group, which could be used to deliver malware or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks before they cause significant damage.
IOC Summary

Threat: amos
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://lfwxgs.com/debug/loader.sh | offline | malware_download | 2026-05-22 |
| hxxps://ceappi.com/ | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: amos
let malicious_domains = dynamic(["lfwxgs.com", "ceappi.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: amos
let malicious_domains = dynamic(["lfwxgs.com", "ceappi.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URL shortening service used for internal documentation
Description: A system administrator uses a URL shortener (e.g., Bitly or TinyURL) to create internal links for documentation or internal tools.
Filter/Exclusion: Exclude URLs that originate from known internal URL shortening services or domains used by the organization.

Scenario: Scheduled job for automated software updates
Description: A scheduled job (e.g., using Ansible or Puppet) downloads updates from a trusted repository, which may include URLs that match the malicious pattern.
Filter/Exclusion: Exclude URLs that match the domain or path of known internal update servers or trusted third-party repositories.

Scenario: Admin task for endpoint protection tool configuration
Description: An admin manually configures a security tool (e.g., CrowdStrike or Microsoft Defender) and inputs a test URL for validation, which is mistakenly flagged.
Filter/Exclusion: Exclude URLs that are part of known admin tasks or test environments, such as those used during tool configuration or testing.

Scenario: Legitimate phishing simulation campaign
Description: The security team runs a phishing simulation using a legitimate tool (e.g., PhishSim or KnowBe4) that includes URLs mimicking malicious patterns.
Filter/Exclusion: Exclude URLs that are part of internal phishing simulations or training campaigns, identified by specific subdomains or tags.

Scenario: Cloud service integration with external API endpoints
Description: A cloud service (e.g., AWS Lambda or Azure Functions) integrates with an external API that uses URLs matching the malicious pattern for legitimate data exchange.
Filter/Exclusion: Exclude URLs that are part of known cloud service integrations or external API endpoints used by the organization.
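As an added example (not part of this detection page or the URLhaus feed), the Python below shows the workflow behind the two hunt queries and the exclusion advice above: it refangs the hxxps IOC rows, extracts the domains, emits the `let malicious_domains = dynamic([...])` line together with an allowlist exclusion clause of the kind the false-positive scenarios recommend, and replays the DnsEvents logic over a few records. The allowlist entries and the DNS records are constructed for the example; the offline match is an exact-or-subdomain comparison, which is stricter than KQL `has_any`.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the two IOC rows from the table on this page, still defanged (hxxps).
IOC_ROWS = [
    ("hxxps://lfwxgs.com/debug/loader.sh", "offline", "malware_download", "2026-05-22"),
    ("hxxps://ceappi.com/", "offline", "malware_download", "2026-05-22"),
]

# Hypothetical organisation allowlist standing in for the exclusions the false-positive
# scenarios describe (internal update mirror, phishing-simulation host). Constructed values.
ALLOWLIST = {"updates.corp.example", "phishsim.corp.example"}

# Constructed DnsEvents-style records; not real telemetry.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-22T08:01:00Z", "Computer": "WS01", "Name": "lfwxgs.com"},
    {"TimeGenerated": "2026-05-22T08:02:00Z", "Computer": "WS02", "Name": "cdn.ceappi.com."},
    {"TimeGenerated": "2026-05-22T08:03:00Z", "Computer": "WS03", "Name": "notlfwxgs.com"},
    {"TimeGenerated": "2026-05-22T08:04:00Z", "Computer": "WS04", "Name": "updates.corp.example"},
]

DEFANG_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable http(s):// URL."""
    return DEFANG_RE.sub(r"http\1://", url)


def domain_of(url: str) -> str:
    """Lower-cased host of a (possibly defanged) IOC URL; the path is dropped on purpose."""
    host = urlparse(refang(url)).hostname
    if not host:
        raise ValueError(f"no host in IOC URL: {url!r}")
    return host.lower()


def ioc_domains(rows, allowlist=frozenset()):
    """Unique IOC domains in table order, minus anything the organisation allowlists."""
    domains = []
    for url, *_ in rows:
        d = domain_of(url)
        if d in allowlist or d in domains:
            continue
        domains.append(d)
    return domains


def kql_list(name: str, values) -> str:
    """Render `let name = dynamic([...]);`, refusing values that could break the query string."""
    for v in values:
        if '"' in v or "\\" in v:
            raise ValueError(f"unsafe value for KQL list: {v!r}")
    items = ", ".join('"%s"' % v for v in values)
    return f"let {name} = dynamic([{items}]);"


def kql_dns_hunt(domains, allowlist=()) -> str:
    """Build the DnsEvents hunt from the page, adding an allowlist exclusion when one is given."""
    lines = [kql_list("malicious_domains", domains)]
    if allowlist:
        lines.append(kql_list("allowlist", sorted(allowlist)))
    lines += ["DnsEvents", "| where Name has_any (malicious_domains)"]
    if allowlist:
        lines.append("| where not(Name has_any (allowlist))")
    lines += [
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ]
    return "\n".join(lines)


def matches(hostname: str, domains) -> bool:
    """Exact or subdomain match; tolerates a trailing dot as seen in DNS names."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(records, domains, allowlist=()):
    """Offline replay of the DnsEvents hunt over dict records, with the allowlist applied."""
    return [
        r for r in records
        if matches(r["Name"], domains) and not matches(r["Name"], allowlist)
    ]


if __name__ == "__main__":
    doms = ioc_domains(IOC_ROWS, ALLOWLIST)
    print(kql_dns_hunt(doms, ALLOWLIST))
    for hit in hunt(SAMPLE_DNS, doms, ALLOWLIST):
        print("HIT", hit["TimeGenerated"], hit["Computer"], hit["Name"])
```

The generated exclusion clause uses `has_any` like the page's queries, so it inherits the same term-based semantics in Sentinel: a name such as `lfwxgs.com.cdn.example` would still be matched by `Name has_any (malicious_domains)`, whereas the offline `matches()` helper treats only the domain itself and its subdomains as hits. Review any such differences before promoting the query to an analytics rule.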