This hunt looks for hosts that contacted URLs tagged elf in URLhaus. The tag does not name a malware family: it marks URLs that serve Linux ELF executables. Every URL below is a payload-hosting location (URLhaus threat type malware_download), not a command-and-control endpoint, and the layout of one filename compiled for many CPU architectures (x86, x86_64, arm, mips, ppc, sh4, sparc and so on) is the multi-architecture dropper pattern used by Linux IoT botnets: the dropper script tries each variant until one runs. A host that fetched one of these files has most likely already been compromised by whatever issued the download command, so a hit is evidence of a probable infection rather than of data exfiltration or lateral movement. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel), including against the URLs now marked offline, because a download that happened while the server was live is still a compromise.
IOC Summary
Threat tag: elf
Total URLs: 19
Active (online) URLs: 6
| URL (defanged) | Status | Threat type | Date Added |
|---|---|---|---|
| hxxp://165.227.155.54/hiddenbin/Space.x86_64 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.arm5 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.mpsl | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.i686 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.arm | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.ppc | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.m68k | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.sh4 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.x86 | offline | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.i686 | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.arm4 | online | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.mips64 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.arm6 | offline | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.sparc | offline | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.arm7 | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.x86 | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.arm5 | online | malware_download | 2026-05-22 |
| hxxp://176.65.139.182/bins/phantom.arm6 | online | malware_download | 2026-05-22 |
| hxxp://165.227.155.54/hiddenbin/Space.mips | offline | malware_download | 2026-05-22 |
Both indicators in the table are bare IP addresses, not domains, so the DNS query below cannot match on the queried name; it matches on the resolved addresses instead. That only catches hosts that reached the IP through some DNS name, which the typical dropper (wget or curl straight to the raw IP) does not do, so treat the DNS hunt as secondary and the proxy/firewall hunt as primary. Both queries include the offline host 165.227.155.54 on purpose, because the hunt covers historical traffic.

```kusto
// Hunt for DNS resolutions that returned one of the URLhaus-listed IPs
// Threat tag: elf
let malicious_ips = dynamic(["176.65.139.182", "165.227.155.54"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to the URLhaus-listed IPs or payload paths
// Threat tag: elf
let malicious_ips = dynamic(["176.65.139.182", "165.227.155.54"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    // payload family prefixes from the table, any architecture suffix
    or RequestURL matches regex @"/(bins/phantom|hiddenbin/Space)\.[A-Za-z0-9_]+$"
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, RequestMethod, DeviceAction
| order by TimeGenerated desc
```

Check DeviceAction on every hit. A blocked request is not a false positive: something on SourceIP already tried to fetch the payload, so that host needs investigation regardless of whether the download succeeded.
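The same matching logic, run offline over constructed proxy log lines, as an added example that is not part of the URLhaus feed, of Sentinel, or of this page's original queries. It goes one step beyond the IOC list: besides direct IP and path matches it flags the behavioural pattern the table shows, one source host pulling the same payload name for several architectures from one server, which fires even for a server that is not listed yet. The log format, the IP addresses other than the two IOCs, and the `min_arches` threshold are assumptions for illustration.

```python
"""Match proxy events against URLhaus ELF payload IOCs and flag multi-arch
dropper fetches. Added example with constructed data; not real traffic."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Architecture suffixes commonly seen on multi-arch Linux botnet payloads
# (the IOC table uses x86_64, arm5, mpsl, ppc, m68k, sh4, sparc, ...).
ARCH_SUFFIXES = {
    "x86", "x86_64", "i686", "i586", "arm", "arm4", "arm5", "arm6", "arm7",
    "aarch64", "mips", "mipsel", "mpsl", "mips64", "ppc", "m68k", "sh4", "sparc",
}

# Constructed subset of the IOC table, defanged as the feed presents them.
IOC_ROWS = [
    ("hxxp://165.227.155.54/hiddenbin/Space.x86_64", "offline"),
    ("hxxp://165.227.155.54/hiddenbin/Space.mips", "offline"),
    ("hxxp://176.65.139.182/bins/phantom.x86", "online"),
    ("hxxp://176.65.139.182/bins/phantom.arm7", "online"),
]


def refang(url: str) -> str:
    """Turn hxxp:// back into http:// so urlparse handles it normally."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def split_payload(path: str):
    """'/bins/phantom.arm7' -> ('/bins/phantom', 'arm7'); arch is None when the
    last extension is not an architecture tag."""
    base, _, ext = path.rpartition(".")
    return (base, ext) if ext in ARCH_SUFFIXES else (path, None)


def build_indicators(rows, include_offline=True):
    """Collapse IOC rows into server indicators and payload-family prefixes.
    Offline URLs are kept by default: a host that fetched the payload while
    the server was live is still compromised."""
    hosts, prefixes = set(), set()
    for url, status in rows:
        if status != "online" and not include_offline:
            continue
        parsed = urlparse(refang(url))
        hosts.add(parsed.hostname)
        base, arch = split_payload(parsed.path)
        prefixes.add(base + "." if arch else base)
    return hosts, prefixes


# Assumed proxy log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+) action=(?P<action>\S+)$"
)


def parse_event(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def match_iocs(events, hosts, prefixes):
    """Direct IOC match on destination IP, URL host, or payload path prefix.
    A blocked request is still a hit: the source tried to fetch the payload."""
    hits = []
    for ev in events:
        parsed = urlparse(ev["url"])
        reasons = []
        if ev["dst"] in hosts or parsed.hostname in hosts:
            reasons.append("ioc_host")
        if any(parsed.path.startswith(p) for p in prefixes):
            reasons.append("ioc_path")
        if reasons:
            hits.append({"src": ev["src"], "url": ev["url"],
                         "action": ev["action"], "reasons": reasons})
    return hits


def multi_arch_fetches(events, min_arches=3):
    """Behavioural check: one source pulling one payload name compiled for
    several architectures from one server, listed or not."""
    seen = defaultdict(set)  # (src, server, basename) -> architectures
    for ev in events:
        parsed = urlparse(ev["url"])
        base, arch = split_payload(parsed.path)
        if arch:
            seen[(ev["src"], parsed.hostname, base)].add(arch)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_arches}


# Constructed sample events: a listed server, an unlisted dropper, benign traffic.
SAMPLE_LOG = """\
2026-05-22T09:00:01Z src=10.20.0.15 dst=176.65.139.182 url=http://176.65.139.182/bins/phantom.x86 action=allow
2026-05-22T09:00:02Z src=10.20.0.15 dst=176.65.139.182 url=http://176.65.139.182/bins/phantom.arm7 action=block
2026-05-22T09:05:00Z src=10.20.0.31 dst=203.0.113.9 url=http://203.0.113.9/x/kill.mips action=allow
2026-05-22T09:05:01Z src=10.20.0.31 dst=203.0.113.9 url=http://203.0.113.9/x/kill.arm action=allow
2026-05-22T09:05:02Z src=10.20.0.31 dst=203.0.113.9 url=http://203.0.113.9/x/kill.x86 action=allow
2026-05-22T09:10:00Z src=10.20.0.40 dst=151.101.0.223 url=https://pypi.org/simple/requests/ action=allow
"""


def run(log_text=SAMPLE_LOG):
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hosts, prefixes = build_indicators(IOC_ROWS)
    return match_iocs(events, hosts, prefixes), multi_arch_fetches(events)


if __name__ == "__main__":
    ioc_hits, behaviour_hits = run()
    for h in ioc_hits:
        print("IOC hit:", h)
    for (src, server, base), arches in behaviour_hits.items():
        print(f"multi-arch fetch: {src} pulled {base}.{{{','.join(arches)}}} from {server}")
```

On the sample data the two requests from 10.20.0.15 match by server and by path (the second one despite being blocked), and 10.20.0.31 is flagged by the behavioural check alone because 203.0.113.9 is on no list. The multi-arch check deliberately ignores the phantom fetches, which only cover two architectures in the sample; tune `min_arches` to your proxy's volume.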
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-forwarding sources (web proxy, firewall) through the CEF connector; ensure the connector is enabled and that RequestURL and DestinationIP are being parsed for your device vendor |
| DnsEvents | Populated by the DNS Analytics solution from Windows DNS servers; ensure it is enabled, and remember that the IOCs here are raw IPs, so only the IPAddresses column can match |
Scenario: A system administrator is validating a new endpoint detection and response (EDR) tool or proxy control by intentionally requesting a known malicious URL from a test host.
Filter/Exclusion: Exclude the named test host for the agreed test window only, and confirm from DeviceAction that the request was blocked. A test that ended in an allowed download of a live payload is an incident, not a false positive.
Scenario: A scheduled job updates a web proxy or threat-intelligence configuration with a script that contains the listed URLs or IPs as strings, for example a blocklist push.
Filter/Exclusion: Those strings travel in configuration or API traffic to the proxy management endpoint, not in outbound requests to the listed IPs. Exclude by destination (the management endpoint) rather than by URL content, and keep every event whose DestinationIP is one of the listed addresses.
Scenario: A CI/CD pipeline fetches dependencies from a public repository such as npm, Maven Central, or PyPI, and one of those URLs is flagged because of a false positive in URLhaus.
Filter/Exclusion: This does not apply to the IOCs above, which are bare IP addresses serving architecture-named Linux binaries rather than package-registry URLs, so do not add a blanket exclusion for those registries. If a registry URL ever appears in the list, verify it on URLhaus and exclude that specific URL.
Scenario: A security team member, sandbox, or malware-analysis VM deliberately fetches one of the listed URLs with curl or wget to collect a sample.
Filter/Exclusion: Exclude by source, not by user agent: allow-list the analysis subnet or the specific sandbox hosts. Do not exclude curl or wget user agents, because the droppers that fetch these payloads use the same tools and such an exclusion would suppress exactly the true positives the hunt exists to find.
Scenario: A scheduled backup job writes to cloud object storage (for example AWS S3 or Azure Blob Storage), and one of the storage URLs it uses is mistakenly tagged as elf in URLhaus.
Filter/Exclusion: Exclude the specific verified storage endpoint used by the backup job, not the storage provider's domains as a whole, since attackers also host payloads on public object storage.