The hypothesis is that the listed URLs are used by adversaries to distribute malware disguised as APK files, giving them unauthorized access to and persistence on the Android devices that install them. SOC teams should proactively hunt for DNS resolution of, and web requests to, these URLs in Azure Sentinel to find devices that fetched the payload, and then pivot on those hosts for follow-on command and control or data exfiltration traffic.
IOC Summary

Threat: apk
Total URLs: 13
Active URLs: 13
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://rubbermax.xyz/download | online | malware_download | 2026-05-10 |
| hxxps://photo-02-05.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://we-max-photo.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://avaria102dtponlaine.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://vk-video-dtp.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://wephoto.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://video-files-24.cfd/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://videosdtpr.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://kameraruonlaine.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://downloadmaxfile.digital/download | online | malware_download | 2026-05-10 |
| hxxps://102policeonlainedtp.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://2026policedtp.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
| hxxps://photojopik.vercel.app/?download=1 | online | malware_download | 2026-05-10 |
Hunting Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: apk
let malicious_domains = dynamic(["wephoto.vercel.app", "kameraruonlaine.vercel.app", "videosdtpr.vercel.app", "2026policedtp.vercel.app", "we-max-photo.vercel.app", "vk-video-dtp.vercel.app", "photo-02-05.vercel.app", "rubbermax.xyz", "102policeonlainedtp.vercel.app", "photojopik.vercel.app", "video-files-24.cfd", "avaria102dtponlaine.vercel.app", "downloadmaxfile.digital"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: apk
let malicious_domains = dynamic(["wephoto.vercel.app", "kameraruonlaine.vercel.app", "videosdtpr.vercel.app", "2026policedtp.vercel.app", "we-max-photo.vercel.app", "vk-video-dtp.vercel.app", "photo-02-05.vercel.app", "rubbermax.xyz", "102policeonlainedtp.vercel.app", "photojopik.vercel.app", "video-files-24.cfd", "avaria102dtponlaine.vercel.app", "downloadmaxfile.digital"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate Android App Distribution via Internal Repository
Description: A system administrator uploads a legitimate Android app (.apk) to an internal package repository for employee use.
Filter/Exclusion: Exclude URLs that match internal package management systems (e.g., internal-repo.example.com or artifactory.example.com).
Scenario: Scheduled Job for APK Signing and Distribution
Description: A CI/CD pipeline runs a scheduled job to sign and distribute APKs to testers or staging environments.
Filter/Exclusion: Exclude URLs containing job names like ci-sign-apk or staging-distribute-apk and filter by source IP from the CI/CD server.
Scenario: Admin Task to Push APK to Mobile Devices
Description: An admin uses a mobile device management (MDM) tool such as Microsoft Intune to push a legitimate APK to employee devices (Jamf manages Apple devices and does not distribute APKs, so it is not a source of this traffic).
Filter/Exclusion: Exclude URLs that match known MDM endpoints (e.g., intune.example.com or mdm.example.com) or filter by user roles (e.g., admin).
Scenario: User-Submitted APK for Internal Review
Description: An employee submits an APK file for internal review or testing, which is then uploaded to a shared drive or file server.
Filter/Exclusion: Exclude URLs that match internal file servers (e.g., fileserver.example.com or sharepoint.example.com) and filter by user groups (e.g., internal-review).
Scenario: Automated APK Update Distribution via Web Server
Description: A company uses a web server to host APK updates for internal apps, which are automatically downloaded by mobile devices.
Filter/Exclusion: Exclude URLs that match internal update servers (e.g., update.example.com). Note that none of the 13 IOC hosts overlaps with internal infrastructure, so these exclusions only matter if an allowlisted name is ever added to the IOC list; apply them as an allowlist check before the IOC match rather than by loosening the match itself.
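The following Python script is an added example, not part of the original page or of URLhaus tooling. It reproduces the two hunting queries above over exported DnsEvents and CommonSecurityLog records so an analyst can re-run the hunt (and test the exclusion scenarios) offline. It goes slightly beyond the KQL `has_any` by matching on DNS labels, so a hit is either the IOC host itself or a subdomain of it; a plain substring test would also flag names like notrubbermax.xyz, and matching vercel.app on its own would flag every site on that shared platform. The IOC URLs are the ones in the summary table; the log records and the internal allowlist hostnames are constructed for illustration.

```python
"""Offline triage of exported DNS / proxy records against the URLhaus 'apk' IOC set.

Added example (not from the original page). Record format and allowlist are
constructed assumptions; IOC_URLS are the 13 URLs from the summary table.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# IOC URLs from the summary table above, kept defanged (hxxps://) as on the page.
IOC_URLS = [
    "hxxps://rubbermax.xyz/download",
    "hxxps://photo-02-05.vercel.app/?download=1",
    "hxxps://we-max-photo.vercel.app/?download=1",
    "hxxps://avaria102dtponlaine.vercel.app/?download=1",
    "hxxps://vk-video-dtp.vercel.app/?download=1",
    "hxxps://wephoto.vercel.app/?download=1",
    "hxxps://video-files-24.cfd/?download=1",
    "hxxps://videosdtpr.vercel.app/?download=1",
    "hxxps://kameraruonlaine.vercel.app/?download=1",
    "hxxps://downloadmaxfile.digital/download",
    "hxxps://102policeonlainedtp.vercel.app/?download=1",
    "hxxps://2026policedtp.vercel.app/?download=1",
    "hxxps://photojopik.vercel.app/?download=1",
]

# Hypothetical internal hosts taken from the false-positive scenarios; tune per environment.
INTERNAL_ALLOWLIST = {
    "internal-repo.example.com",
    "artifactory.example.com",
    "intune.example.com",
    "fileserver.example.com",
    "update.example.com",
}


def refang(url: str) -> str:
    """Turn the defanged hxxp(s):// form back into a parseable URL."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def ioc_hosts(urls) -> set[str]:
    """Hostnames to hunt for, equivalent to the KQL 'let malicious_domains' list."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


def normalize_host(host: str) -> str:
    return host.strip().lower().rstrip(".")


def host_matches(host: str, ioc: str) -> bool:
    """Exact or subdomain match on DNS labels (never a substring match)."""
    host = normalize_host(host)
    return host == ioc or host.endswith("." + ioc)


def is_allowlisted(host: str, allowlist) -> bool:
    return any(host_matches(host, a) for a in allowlist)


@dataclass(frozen=True)
class Hit:
    time: str
    source: str        # Computer (DnsEvents) or SourceIP (CommonSecurityLog)
    host: str
    matched_ioc: str
    url: str | None    # RequestURL when the record came from a proxy/firewall


def hunt(records, iocs=None, allowlist=INTERNAL_ALLOWLIST) -> list[Hit]:
    """Apply both hunts to exported records.

    Each record is a dict with 'time', 'source' and either 'name' (DnsEvents.Name)
    or 'url' (CommonSecurityLog.RequestURL). Allowlisted hosts are dropped before
    matching. Hits come back newest first, like 'order by TimeGenerated desc'.
    """
    iocs = iocs if iocs is not None else ioc_hosts(IOC_URLS)
    hits: list[Hit] = []
    for rec in records:
        url = rec.get("url")
        host = urlparse(url).hostname if url else rec.get("name")
        if not host:
            continue
        host = normalize_host(host)
        if is_allowlisted(host, allowlist):
            continue
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append(Hit(rec["time"], rec["source"], host, ioc, url))
                break
    return sorted(hits, key=lambda h: h.time, reverse=True)


# Constructed sample records standing in for DnsEvents / CommonSecurityLog exports.
SAMPLE_RECORDS = [
    {"time": "2026-05-11T08:02:14Z", "source": "ws-017", "name": "wephoto.vercel.app"},
    {"time": "2026-05-11T08:02:15Z", "source": "10.0.5.21", "url": "https://rubbermax.xyz/download"},
    {"time": "2026-05-11T08:10:00Z", "source": "10.0.5.30", "url": "https://update.example.com/apps/field.apk"},
    {"time": "2026-05-11T08:11:42Z", "source": "ws-022", "name": "vercel.app"},
    {"time": "2026-05-11T08:12:03Z", "source": "ws-022", "name": "cdn.photojopik.vercel.app"},
    {"time": "2026-05-11T08:15:55Z", "source": "10.0.5.44", "url": "https://notrubbermax.xyz/download"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_RECORDS):
        print(f"{h.time} {h.source:<10} {h.host:<28} ioc={h.matched_ioc} url={h.url}")
```

Running it over the constructed records yields three hits (the subdomain of photojopik.vercel.app, the rubbermax.xyz download, and the wephoto.vercel.app lookup); the bare vercel.app lookup, the internal update server and the look-alike notrubbermax.xyz are correctly left out. Because most of these IOCs are free-tier vercel.app subdomains that attackers can rotate cheaply, treat a zero-hit result as a statement about this snapshot only and refresh the list from URLhaus before each hunt.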