The hypothesis is that the detected URLs are malicious payloads dropped by the Phorpiex malware, indicating potential command and control communication or data exfiltration. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate Phorpiex-based attacks before they cause significant damage.
IOC Summary
Threat: dropped-by-Phorpiex
Total URLs: 12
Active URLs: 12
Hunting Queries
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: dropped-by-Phorpiex
// The indicator is a bare IP address, so match it in the resolved
// addresses as well as in the queried name
let malicious_domains = dynamic(["130.12.180.190"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: dropped-by-Phorpiex
// Check the destination IP as well, since proxies and firewalls do not
// always populate RequestURL or DestinationHostName for direct-to-IP requests
let malicious_domains = dynamic(["130.12.180.190"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Data Sources
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
- Scenario: A system administrator is manually testing a Phorpiex sandboxed environment to analyze malware behavior.
  - Filter/Exclusion: Exclude URLs that match known sandboxing environments or internal testing domains (e.g., sandbox.example.com, phorpiex-test.internal).
- Scenario: A scheduled job runs a script that downloads Phorpiex-related payloads for automated threat intelligence enrichment.
  - Filter/Exclusion: Exclude URLs that match internal threat intelligence feeds or known benign Phorpiex analysis tools (e.g., phorpiex-intel.example.com).
- Scenario: A security tool like OSSEC or CrowdStrike is configured to download Phorpiex indicators from a trusted source for real-time monitoring.
  - Filter/Exclusion: Exclude URLs that originate from trusted internal or external threat intelligence platforms (e.g., threatintel.example.com, urlhaus.org).
- Scenario: An admin uses PowerShell or Python scripts to automate the collection of Phorpiex-related URLs for forensic analysis.
  - Filter/Exclusion: Exclude URLs that match internal script execution hosts or known benign automation endpoints (e.g., scripts.internal, analysis-tools.example.com).
- Scenario: A SIEM system is configured to ingest Phorpiex-related URLs from a log source for correlation with other indicators.
  - Filter/Exclusion: Exclude URLs that are part of internal log aggregation systems or known benign log sources (e.g., logs.example.com, siem-ingest.example.com).
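The following is an added example, not part of the original hunt page: it refangs a URLhaus-style IOC list, derives the host list that seeds the `let malicious_domains` statement in the queries above, and applies the same match logic plus a source-host exclusion (modelled on the sandbox/threat-intel scenarios above) to constructed CommonSecurityLog-style records. The sample IOCs, log records and the `ALLOWLIST_HOSTS` set are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample IOCs in the same defanged form URLhaus publishes them in.
IOCS = [
    "hxxp://130.12.180.190/11/a",
    "hxxp://130.12.180.190/1/a",
    "hxxp://130.12.180.190/6/a",
]

# Hypothetical exclusion list: source hosts that legitimately fetch Phorpiex
# samples (sandboxes, threat-intel collectors), taken from the scenarios above.
ALLOWLIST_HOSTS = {"sandbox.example.com", "threatintel.example.com"}

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")

def ioc_hosts(iocs):
    """Distinct hosts (IPs or domains) across the IOC list, sorted for stable output."""
    return sorted({urlsplit(refang(u)).hostname for u in iocs})

def kql_let(name, values):
    """Render a KQL let statement holding a dynamic array of string literals."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def is_hit(record, hosts, allow=ALLOWLIST_HOSTS):
    """Mirror the CommonSecurityLog where-clause: any IOC host inside RequestURL,
    DestinationHostName or DestinationIP, unless the requesting host is allowlisted."""
    if record.get("SourceHostName", "") in allow:
        return False
    fields = (record.get("RequestURL", ""), record.get("DestinationHostName", ""),
              record.get("DestinationIP", ""))
    return any(h in f for h in hosts for f in fields)

def hunt(records, iocs=IOCS):
    """Return the records that match the IOC hosts after exclusions."""
    hosts = ioc_hosts(iocs)
    return [r for r in records if is_hit(r, hosts)]

# Constructed CommonSecurityLog-style records: one true hit, one sandbox fetch, one benign.
SAMPLE_LOGS = [
    {"SourceIP": "10.0.0.5", "SourceHostName": "ws-042",
     "RequestURL": "http://130.12.180.190/11/a", "DestinationIP": "130.12.180.190", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.9", "SourceHostName": "sandbox.example.com",
     "RequestURL": "http://130.12.180.190/6/a", "DestinationIP": "130.12.180.190", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.7", "SourceHostName": "ws-101",
     "RequestURL": "https://update.example.com/x", "DestinationIP": "203.0.113.5", "DeviceAction": "allow"},
]
```

Running `hunt(SAMPLE_LOGS)` returns only the `ws-042` record; the sandbox fetch is dropped by the exclusion and the benign request never matches.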