The URLs in this feed carry the URLhaus tag "arm"; the filenames (heilong.arm4 through heilong.arm7) follow the naming convention for ARM-architecture payloads. Adversaries may use these URLs to deliver payloads or exfiltrate data, leveraging compromised Azure resources for command and control. SOC teams should proactively hunt for the domain and URLs below in Azure Sentinel (Microsoft Sentinel) to identify and mitigate potential compromise of cloud infrastructure.
IOC Summary

Threat: arm
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://69sexy.duckdns.org:6969/heilong.arm4 | online | malware_download | 2026-05-18 |
| hxxp://69sexy.duckdns.org:6969/heilong.arm5 | online | malware_download | 2026-05-18 |
| hxxp://69sexy.duckdns.org:6969/heilong.arm6 | online | malware_download | 2026-05-18 |
| hxxp://69sexy.duckdns.org:6969/heilong.arm7 | online | malware_download | 2026-05-18 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: arm
let malicious_domains = dynamic(["69sexy.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic (proxy/firewall CEF logs) to URLhaus malicious domains
// Threat: arm
let malicious_domains = dynamic(["69sexy.duckdns.org"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new endpoint protection tool by accessing a known safe URL from URLhaus for validation purposes.
  - Filter/Exclusion: Exclude URLs that match the urlhaus domain or any known safe testing URLs used in security validation processes.
- Scenario: A scheduled job runs a script to fetch and process threat intelligence feeds, including URLs from URLhaus, as part of an automated security update process.
  - Filter/Exclusion: Exclude URLs that are part of a known threat intelligence feed ingestion process, such as those accessed by threatintel-update.sh or similar scripts.
- Scenario: A user is accessing a legitimate URL from URLhaus that is part of a software update or patch distribution system, such as a Microsoft Windows Update mirror.
  - Filter/Exclusion: Exclude URLs that match known software update domains (e.g., windowsupdate.microsoft.com, update.microsoft.com) or URLs associated with enterprise patch management systems.
- Scenario: A DevOps team is deploying a new application and is using a URL from URLhaus as part of a CI/CD pipeline to download a dependency or artifact.
  - Filter/Exclusion: Exclude URLs that are part of a CI/CD pipeline (e.g., *.github.io, *.gitlab.com, or URLs accessed by Jenkins or GitLab CI jobs).
- Scenario: An IT helpdesk technician is accessing a URL from URLhaus to verify the legitimacy of a reported malicious link during a user support interaction.
  - Filter/Exclusion: Exclude URLs accessed from known helpdesk or support tools (e.g., *.service-now.com, *.zendesk.com) or those associated with internal security verification processes.
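The following script is an added example, not code from the original page or from URLhaus. It ties the two KQL hunts above to the false-positive guidance: it parses defanged hxxp:// rows in the shape of the IOC table, extracts the hostnames, renders the `let malicious_domains = dynamic([...])` statement the queries start with, and replays a few constructed DnsEvents rows through the same matching logic with an allowlist built from the software-update exclusions. The IOC rows and DNS events are constructed sample data; the allowlist entries are example values to be extended per tenant.

```python
"""Build the KQL domain list from URLhaus-style IOC rows and test it offline."""
import re
from urllib.parse import urlsplit

# Constructed IOC rows in the shape of the table above (hxxp:// is defanged http://).
IOC_ROWS = [
    "hxxp://69sexy.duckdns.org:6969/heilong.arm4 | online | malware_download | 2026-05-18",
    "hxxp://69sexy.duckdns.org:6969/heilong.arm5 | online | malware_download | 2026-05-18",
    "hxxp://69sexy.duckdns.org:6969/heilong.arm6 | online | malware_download | 2026-05-18",
    "hxxp://69sexy.duckdns.org:6969/heilong.arm7 | online | malware_download | 2026-05-18",
]

# Hostnames excluded by the false-positive guidance (example values; extend per tenant).
ALLOWLIST_SUFFIXES = ("windowsupdate.microsoft.com", "update.microsoft.com")


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so urlsplit() can parse the indicator."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_domains(rows):
    """Return the unique, lower-cased hostnames from IOC rows (port and path dropped)."""
    domains = set()
    for row in rows:
        url = row.split("|")[0].strip()
        host = urlsplit(refang(url)).hostname
        if host:
            domains.add(host.lower())
    return sorted(domains)


def kql_dynamic_list(domains):
    """Render the `let` statement the DnsEvents/CommonSecurityLog queries start with."""
    quoted = ", ".join(f'"{d}"' for d in domains)
    return f"let malicious_domains = dynamic([{quoted}]);"


def is_allowlisted(host):
    """True when the host is an allowlisted name or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def match_dns_events(events, domains):
    """Replay `DnsEvents | where Name has_any (malicious_domains)` with exclusions.

    KQL has_any is term-based rather than substring-based; here a hit is the IOC
    host itself or any subdomain of it, which is the intent of the hunt. The bare
    dynamic-DNS zone (duckdns.org) is shared by many unrelated hosts and is
    deliberately not a hit on its own.
    """
    hits = []
    for ev in events:
        name = ev["Name"].lower().rstrip(".")
        if is_allowlisted(name):
            continue
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(ev)
    return hits


# Constructed DnsEvents rows: one direct hit, one subdomain hit (trailing dot),
# one allowlisted update lookup, and one lookup of the bare zone that must not match.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-18T10:01:00Z", "Computer": "iot-gw-01", "Name": "69sexy.duckdns.org"},
    {"TimeGenerated": "2026-05-18T10:02:00Z", "Computer": "ws-12", "Name": "download.windowsupdate.microsoft.com"},
    {"TimeGenerated": "2026-05-18T10:03:00Z", "Computer": "ws-13", "Name": "duckdns.org"},
    {"TimeGenerated": "2026-05-18T10:04:00Z", "Computer": "ws-14", "Name": "cdn.69sexy.duckdns.org."},
]


def hunt(rows=IOC_ROWS, events=SAMPLE_DNS_EVENTS):
    """Return the KQL statement and the Computers that resolved an IOC host."""
    domains = extract_domains(rows)
    hits = match_dns_events(events, domains)
    return kql_dynamic_list(domains), [h["Computer"] for h in hits]


if __name__ == "__main__":
    kql, computers = hunt()
    print(kql)
    for c in computers:
        print("hit:", c)
```

Because the indicator host sits under a free dynamic-DNS zone, the matcher keys on the full IOC hostname and its subdomains rather than on duckdns.org; blocking or alerting on the parent zone would sweep in unrelated tenants of that service, while the generated `let` statement drops straight into either KQL query above.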