The hypothesis is that the detected URLs are part of a campaign using ASCII-encoded malicious payloads to evade basic URL filtering and deliver malware to endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control channels or data exfiltration attempts.
IOC Summary
Threat: ascii
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://raw.githubusercontent.com/solid-23/jame/refs/heads/main/iakkoaj.txt | online | malware_download | 2026-05-08 |
| hxxps://raw.githubusercontent.com/solid-23/hg/refs/heads/main/AknSdkr.txt | online | malware_download | 2026-05-08 |
| hxxp://jobhunters.ly/images/Eftertnd.asd | online | malware_download | 2026-05-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ascii
// Caveat: raw.githubusercontent.com also serves a large volume of legitimate content,
// so a DNS hit on that host alone is low-fidelity. Treat it as a pivot point and
// corroborate with the full request URL in the proxy/firewall hunt below.
let malicious_domains = dynamic(["jobhunters.ly", "raw.githubusercontent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ascii
// RequestURL carries the full path, so hits on raw.githubusercontent.com can be
// triaged against the exact IOC URLs in the summary table rather than the bare host.
let malicious_domains = dynamic(["jobhunters.ly", "raw.githubusercontent.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service using a known safe ASCII URL for internal validation.
Filter/Exclusion: Exclude URLs containing the substring test-shortener or internal-validation.

Scenario: A scheduled job runs a script that generates temporary ASCII URLs for API testing, such as https://api.test.example.com/v1/ascii-test-12345.
Filter/Exclusion: Exclude URLs matching the pattern api.test.example.com or containing ascii-test.

Scenario: A developer is using a tool like curl or wget to fetch a public ASCII art file from a known safe source, such as https://ascii-art.org/art/ascii-art-1.txt.
Filter/Exclusion: Exclude URLs from the domain ascii-art.org or containing the word art.

Scenario: A DevOps pipeline uses a tool like Ansible or Jenkins to download a configuration file with ASCII-based formatting from a private repository, such as https://repo.example.com/config/ascii-config-2024-04-01.txt.
Filter/Exclusion: Exclude URLs from the domain repo.example.com or containing ascii-config.

Scenario: A security analyst is using a tool like Wireshark or tcpdump to capture and analyze network traffic, which includes ASCII-based protocol messages or debug logs.
Filter/Exclusion: Exclude URLs containing the word debug or log, or from the domain internal.analysis.example.com.
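The two hunting queries above match on bare hostnames, which is exactly right for jobhunters.ly but noisy for raw.githubusercontent.com, a host shared with a large amount of legitimate traffic. The following Python script is an added example, not part of the original hunt or of URLhaus tooling. It refangs the defanged IOC URLs from the summary table, keeps shared hosts such as raw.githubusercontent.com as full-URL indicators only, treats the remaining hosts as domain-level indicators, applies the domain and substring exclusions from the false-positive scenarios (the broad single-word exclusions such as art, debug and log are deliberately left out because they would suppress far too much), and runs the result over a constructed proxy log. The log format, the SHARED_HOSTING set and the exclusion lists are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# IOC URLs as listed (defanged) in the page's IOC summary table.
DEFANGED_IOCS = [
    "hxxps://raw.githubusercontent.com/solid-23/jame/refs/heads/main/iakkoaj.txt",
    "hxxps://raw.githubusercontent.com/solid-23/hg/refs/heads/main/AknSdkr.txt",
    "hxxp://jobhunters.ly/images/Eftertnd.asd",
]

# Assumption: hosts that carry lots of benign traffic are matched on the full URL
# only, never on the host alone (otherwise the hunt drowns in false positives).
SHARED_HOSTING = {"raw.githubusercontent.com"}

# Exclusions drawn from the false-positive scenarios (assumed subset; broad
# single-word patterns such as "art", "debug", "log" are intentionally omitted).
EXCLUDE_SUBSTRINGS = ("test-shortener", "internal-validation", "ascii-test", "ascii-config")
EXCLUDE_DOMAINS = ("api.test.example.com", "ascii-art.org", "repo.example.com",
                   "internal.analysis.example.com")

# Constructed sample proxy log: "<utc-time> <src-ip> <method> <url> <action>".
SAMPLE_LOG = """\
2026-05-08T10:01:12Z 10.0.0.15 GET https://raw.githubusercontent.com/solid-23/jame/refs/heads/main/iakkoaj.txt allow
2026-05-08T10:02:30Z 10.0.0.15 GET https://raw.githubusercontent.com/python/cpython/main/README.rst allow
2026-05-08T10:03:05Z 10.0.0.22 GET http://jobhunters.ly/css/site.css allow
2026-05-08T10:04:44Z 10.0.0.31 GET https://api.test.example.com/v1/ascii-test-12345 allow
2026-05-08T10:05:01Z 10.0.0.40 GET http://JOBHUNTERS.LY/images/Eftertnd.asd block
"""


def refang(url):
    """Turn defanged notation (hxxp://, [.]) back into a real URL for matching."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def build_indicators(defanged_iocs):
    """Split IOCs into full-URL indicators and domain-level indicators."""
    full_urls, domains = set(), set()
    for ioc in defanged_iocs:
        real = refang(ioc)
        host = (urlparse(real).hostname or "").lower()
        full_urls.add(real.lower())
        if host not in SHARED_HOSTING:
            domains.add(host)
    return full_urls, domains


def is_excluded(url):
    """Apply the known-benign exclusions before any IOC comparison."""
    low = url.lower()
    host = urlparse(low).hostname or ""
    if any(sub in low for sub in EXCLUDE_SUBSTRINGS):
        return True
    return any(host == d or host.endswith("." + d) for d in EXCLUDE_DOMAINS)


def match_url(url, full_urls, domains):
    """Return "ioc_url", "ioc_domain" or None for a single request URL."""
    low = url.lower()
    host = urlparse(low).hostname or ""
    if is_excluded(low):
        return None
    if low in full_urls:
        return "ioc_url"           # exact IOC, high fidelity even on shared hosts
    if host in domains or any(host.endswith("." + d) for d in domains):
        return "ioc_domain"        # any contact with a dedicated malicious host
    return None


def parse_line(line):
    ts, src, method, url, action = line.split()
    return {"time": ts, "src": src, "method": method, "url": url, "action": action}


def hunt(log_text, defanged_iocs=DEFANGED_IOCS):
    """Run the IOC match over a log and return the hits with their match reason."""
    full_urls, domains = build_indicators(defanged_iocs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = match_url(rec["url"], full_urls, domains)
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} {hit['reason']:10s} {hit['url']} ({hit['action']})")
```

On the sample log this flags the exact GitHub-hosted IOC and both contacts with jobhunters.ly (one by full URL, one by domain), while the unrelated file on raw.githubusercontent.com and the internal API test URL are left alone. The same split is worth carrying into the KQL: use the bare-host list only for dedicated malicious domains, and check shared hosts against the full RequestURL.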