Adversaries may use malicious URLs tagged "arm" by URLhaus (URLs serving ARM-architecture payloads, as the .arm*/.armv*l filenames below show) to deliver payloads or exfiltrate data, leveraging compromised or legitimate Azure resources. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activity early.
IOC Summary
Threat: arm
Total URLs: 8
Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://103.77.246.173:8888/nerv.arm6 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.arm7 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.arm5 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.arm4 | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.armv6l | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.armv4l | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.armv7l | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.armv5l | online | malware_download | 2026-05-08 |
```kusto
// Hunt for DNS activity involving the URLhaus malicious hosts
// Threat: arm
// The IOCs are bare IP addresses, so they appear in the resolved-address
// field (IPAddresses) rather than in the queried name; match both.
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
DnsEvents
| where IPAddresses has_any (malicious_domains) or Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: arm
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortener service by entering a legitimate URL into a test script.
  Filter/Exclusion: Exclude URLs containing the domain test.shorturlservice.com or any URL that includes the string test-url.
- Scenario: A scheduled job runs a daily script to fetch updates from a public repository, including a URL from URLhaus that is mistakenly flagged as malicious.
  Filter/Exclusion: Exclude URLs that match the pattern https://urlhaus.org/ or any URL that starts with https://urlhaus.org/.
- Scenario: A developer is using a CI/CD pipeline to deploy code and includes a legitimate URL to a documentation site for reference.
  Filter/Exclusion: Exclude URLs containing the domain docs.examplecorp.com or any URL that includes the string ci-cd-deploy.
- Scenario: An IT team is performing a system cleanup and uses a tool like PowerShell to delete old logs, which includes a URL to a log storage service.
  Filter/Exclusion: Exclude URLs that contain the domain logs.examplecorp.net or any URL that includes the string log-removal.
- Scenario: A security analyst is using a tool like Wireshark to analyze network traffic and manually enters a URL for testing purposes.
  Filter/Exclusion: Exclude URLs that contain the string test-traffic or any URL that includes the domain test.networkanalysis.local.
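The two hunting queries above and the false-positive exclusions listed here can be combined into a single triage query; the following KQL is an added example, not part of the original page. It assumes the exclusion strings from the scenarios are the tuning values you want, unions the DNS and proxy hits into one schema, and pulls out the ARM payload filename so that hits can be grouped per indicator.

```kusto
// Added example: combined DNS + proxy hunt for the URLhaus "arm" IOCs,
// with the false-positive exclusions from the scenarios applied.
let malicious_hosts = dynamic(["103.77.246.173", "176.65.139.11"]);
// Benign URL fragments taken from the false-positive scenarios (assumed tuning values)
let benign_url_patterns = dynamic([
    "test.shorturlservice.com", "test-url",
    "https://urlhaus.org/",
    "docs.examplecorp.com", "ci-cd-deploy",
    "logs.examplecorp.net", "log-removal",
    "test-traffic", "test.networkanalysis.local"]);
// DNS side: the IOCs are IP literals, so a hit normally means a domain
// resolved to one of them (IPAddresses), not that the IP itself was queried.
let dns_hits = DnsEvents
    | where IPAddresses has_any (malicious_hosts) or Name has_any (malicious_hosts)
    | project TimeGenerated, Source = Computer, Indicator = Name,
              Detail = IPAddresses, Action = "", SourceTable = "DnsEvents";
// Proxy/firewall side: match the URL or destination host, then drop known-benign URLs.
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)
    | where not(RequestURL has_any (benign_url_patterns))
    | project TimeGenerated, Source = SourceIP, Indicator = RequestURL,
              Detail = DestinationHostName, Action = DeviceAction, SourceTable = "CommonSecurityLog";
union dns_hits, proxy_hits
// Extract the ARM payload filename (e.g. nerv.arm7, bot.armv7l) from the URL when present
| extend Payload = extract(@"/([^/?]+\.arm[v0-9l]*)", 1, Indicator)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Payloads = make_set(Payload), Sources = make_set(Source), Actions = make_set(Action)
            by Indicator, SourceTable
| order by LastSeen desc
```

A non-empty Actions set containing an allow verdict alongside the payload names is the row to escalate first, since it indicates the download was not blocked at the proxy.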