Adversaries may use URLs tagged "arm" on URLhaus to deliver payloads built for ARM-based devices (the file names in the table below, ending in .arm5, .arm7, .aarch64 and similar, point at such builds) or to exfiltrate data, leveraging compromised or trusted hosting to evade detection. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify potential command-and-control channels or initial-compromise vectors.
IOC Summary
Threat: arm
Total URLs: 5
Active URLs: 5

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.188/2s3dkw7s/wyszztw.arm5 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/iwhcwck.arm7 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/uagkrww.aarch64 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/atbtjft.arm | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/iztsowy.arm6 | online | malware_download | 2026-05-21 |
```kusto
// Hunt for DNS activity involving the URLhaus indicators for threat: arm
// Note: the only indicator on this page is a bare IP address. A download
// straight from the IP generates no DNS query, so matching on Name alone
// finds nothing; matching IPAddresses still catches hosts that resolved
// some other name to that address.
let malicious_hosts = dynamic(["176.65.139.188"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy traffic to the URLhaus indicators for threat: arm
// DestinationIP is included because the indicator is an IP, not a domain.
let malicious_hosts = dynamic(["176.65.139.188"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
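The queries above key on one host value. As an added example (not code from the original page or from URLhaus), the script below normalises the defanged indicators from the IOC table into hunting atoms (bare IPs, DNS names, URL paths, payload file names), emits the KQL `let` lists the Sentinel queries consume, and runs the same matching logic over constructed DNS and proxy records to show where an IP-only indicator set is visible and where it is not. The function names, the sample records and the field names on them are assumptions modelled on the DnsEvents and CommonSecurityLog columns used above.

```python
"""
Added example, not part of the original page: turn the IOC table into hunting
atoms, render KQL `let` lists, and demonstrate on constructed records why a
DNS-name-only hunt misses a bare-IP indicator while an IP/URL hunt catches it.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Indicators copied from the IOC table on this page (defanged hxxp:// form).
IOC_URLS = [
    "hxxp://176.65.139.188/2s3dkw7s/wyszztw.arm5",
    "hxxp://176.65.139.188/2s3dkw7s/iwhcwck.arm7",
    "hxxp://176.65.139.188/2s3dkw7s/uagkrww.aarch64",
    "hxxp://176.65.139.188/2s3dkw7s/atbtjft.arm",
    "hxxp://176.65.139.188/2s3dkw7s/iztsowy.arm6",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable one."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def extract_atoms(urls):
    """Split each IOC into the pieces the queries match on:
    bare IPs, DNS names, URL paths and payload file names."""
    atoms = {"ips": set(), "domains": set(), "paths": set(), "filenames": set()}
    for u in urls:
        parts = urlsplit(refang(u))
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            atoms["ips"].add(host)
        except ValueError:
            atoms["domains"].add(host)
        atoms["paths"].add(parts.path)
        atoms["filenames"].add(parts.path.rsplit("/", 1)[-1])
    return {k: sorted(v) for k, v in atoms.items()}


def kql_dynamic(name, values):
    """Render a KQL `let` statement holding a dynamic array of strings."""
    return f"let {name} = dynamic({json.dumps(values)});"


# Constructed sample records (not real telemetry), shaped like DnsEvents rows.
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "update.example.com", "IPAddresses": "203.0.113.10"},
    {"Computer": "ws02", "Name": "cdn.example.com", "IPAddresses": "203.0.113.20"},
    # A name that resolved to the IOC IP: invisible to a Name-only match.
    {"Computer": "ws03", "Name": "dl.example.net", "IPAddresses": "203.0.113.30,176.65.139.188"},
]

# Constructed sample records shaped like CommonSecurityLog proxy rows.
SAMPLE_WEB = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://176.65.139.188/2s3dkw7s/wyszztw.arm5",
     "DestinationIP": "176.65.139.188", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.6", "RequestURL": "http://176.65.139.188/",
     "DestinationIP": "176.65.139.188", "DeviceAction": "block"},
    {"SourceIP": "10.0.0.7", "RequestURL": "http://cdn.example.com/fw/router.arm7",
     "DestinationIP": "203.0.113.20", "DeviceAction": "allow"},
]


def hunt_dns(events, atoms):
    """Match on the queried name or on any resolved address. A direct-IP
    download never produces a DNS query, so Name alone misses IP indicators."""
    hits = []
    for e in events:
        resolved = [a.strip() for a in e.get("IPAddresses", "").split(",") if a.strip()]
        if e["Name"] in atoms["domains"] or any(a in atoms["ips"] for a in resolved):
            hits.append(e)
    return hits


def hunt_web(events, atoms):
    """Match on the request host or destination IP, and flag whether the exact
    payload path was requested (a stronger signal than the host alone)."""
    hits = []
    for e in events:
        parts = urlsplit(e["RequestURL"])
        host = parts.hostname or ""
        if host in atoms["ips"] or host in atoms["domains"] or e.get("DestinationIP") in atoms["ips"]:
            hits.append({**e, "exact_url": parts.path in atoms["paths"]})
    return hits


if __name__ == "__main__":
    atoms = extract_atoms(IOC_URLS)
    print(kql_dynamic("malicious_hosts", atoms["ips"] + atoms["domains"]))
    print(kql_dynamic("malicious_paths", atoms["paths"]))
    for hit in hunt_dns(SAMPLE_DNS, atoms):
        print("DNS hit:", hit)
    for hit in hunt_web(SAMPLE_WEB, atoms):
        print("Web hit:", hit)
```

Run it as a script to print the `let` statements ready to paste into the queries above; the `exact_url` flag on web hits separates a full payload fetch from mere contact with the host, which is useful when triaging blocked versus allowed requests.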
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known benign URL from the URLhaus list for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus.org domain or any URLs associated with known testing environments.
Scenario: A scheduled job runs a script to download and verify updates from a trusted internal repository, which happens to include a URL tagged as “arm” in its metadata.
Filter/Exclusion: Exclude URLs that originate from internal IP ranges or are part of known update mechanisms (e.g., internal-repo.example.com).
Scenario: A security analyst uses the PowerShell cmdlet Get-ChildItem to recursively scan a directory and inadvertently includes a file whose metadata contains a URL flagged as "arm".
Filter/Exclusion: Exclude files that are not executable or are part of standard system tools (e.g., *.ps1, *.txt, or files with known benign file types).
Scenario: A DevOps team is deploying a new application using a CI/CD pipeline, and the deployment script includes a URL from a trusted artifact repository that is mistakenly tagged as “arm”.
Filter/Exclusion: Exclude URLs that match known CI/CD artifact hosts (e.g., artifactory.example.com, npmjs.com, or maven.org).
Scenario: A user is accessing a legitimate phishing training portal that uses a URL from the URLhaus dataset for educational purposes.
Filter/Exclusion: Exclude URLs that are part of a known phishing training platform (e.g., phishing-training.example.com, or URLs containing "training" in the path).