Hypothesis: hosts in the environment are resolving or fetching URLhaus-listed URLs that serve malicious .jar files, an early stage of malware delivery that can precede data exfiltration or follow-on code execution. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that early-stage malware deployment, and any lateral movement that follows it, can be identified and contained.
IOC Summary
Threat: jar | Total URLs: 3 | Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://customer-assets.emergentagent.com/job_addon-central-glazed/artifacts/yzvvrb5k_GlazedAddon-1.21.4.jar | online | malware_download | 2026-05-18 |
| hxxps://kryptongoofy.lovable.app/KryptonPlus.0.10.jar | online | malware_download | 2026-05-18 |
| hxxps://argonclient.com/Argon_Client_1.21.11.jar | online | malware_download | 2026-05-18 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: jar
let malicious_domains = dynamic(["kryptongoofy.lovable.app", "customer-assets.emergentagent.com", "argonclient.com"]);
DnsEvents
| where Name has_any (malicious_domains)
// ClientIP is the host that issued the query; Computer is the DNS server that logged it
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: jar
let malicious_domains = dynamic(["kryptongoofy.lovable.app", "customer-assets.emergentagent.com", "argonclient.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (proxy and firewall logs); ensure this data connector is enabled |
| DnsEvents | Populated by the DNS Analytics connector (Windows DNS server logs); ensure this data connector is enabled |
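The two queries above match on host name only. For the first IOC that is too coarse: customer-assets.emergentagent.com is an asset host shared across many jobs, and only the listed path identifies the malicious artifact, so a host-only match will also surface unrelated downloads from the same host. The query below is an added example, not part of the original hunt: it refangs the three IOC URLs (hxxps to https, scheme dropped, lowercased), classifies each proxy or firewall row as an exact-URL or host-only match, folds in DNS resolutions as the weakest evidence, and summarizes per source host. The 30-day lookback is an assumption.

```kql
// Added example, not part of the original hunt. Matches the IOCs on host AND path so that a download of the
// exact listed artifact is separated from other traffic to a shared host, and unions the DNS view.
// The URLs are the page's three IOCs with hxxps refanged; the 30-day lookback is an assumption.
let ioc_hosts = dynamic(["customer-assets.emergentagent.com", "kryptongoofy.lovable.app", "argonclient.com"]);
// host + path of each IOC, lowercase, scheme dropped so http and https variants both match
let ioc_hostpaths = dynamic([
    "customer-assets.emergentagent.com/job_addon-central-glazed/artifacts/yzvvrb5k_glazedaddon-1.21.4.jar",
    "kryptongoofy.lovable.app/kryptonplus.0.10.jar",
    "argonclient.com/argon_client_1.21.11.jar"
]);
let lookback = 30d;
// Proxy / firewall traffic (CEF): classify each row as an exact URL match or a host-only match
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (ioc_hosts) or DestinationHostName has_any (ioc_hosts)
    | extend Url = parse_url(RequestURL)
    | extend HostPath = tolower(strcat(tostring(Url.Host), tostring(Url.Path)))
    // rows with no RequestURL (pure firewall logs) fall through to host_only
    | extend MatchLevel = iff(HostPath in (ioc_hostpaths), "exact_url", "host_only")
    | project TimeGenerated, Source = SourceIP, Indicator = coalesce(RequestURL, DestinationHostName), MatchLevel, Action = DeviceAction;
// A DNS resolution alone shows intent, not a download: keep it as the weakest match level
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (ioc_hosts)
    | project TimeGenerated, Source = ClientIP, Indicator = Name, MatchLevel = "dns_only", Action = "";
union web_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            MatchLevels = make_set(MatchLevel), Indicators = make_set(Indicator) by Source
// Triage order: exact artifact download, then host-only traffic, then DNS-only resolution
| extend Priority = case(set_has_element(MatchLevels, "exact_url"), 1,
                         set_has_element(MatchLevels, "host_only"), 2,
                         3)
| order by Priority asc, LastSeen desc
```

A Priority 1 row means a host fetched one of the listed artifacts and should be treated as a probable infection; Priority 2 rows need the full request (or a second log source) before they can be closed, and Priority 3 rows are candidates for correlation with endpoint process telemetry rather than alerts on their own.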
Scenario: Scheduled Jenkins Job Downloading Artifact
Description: A Jenkins CI/CD pipeline regularly downloads a .jar file from a trusted internal repository as part of a build process.
Filter (rows kept): process.name != "java" OR process.args NOT LIKE '%jenkins%'
Scenario: Admin Performing System Update via Command Line
Description: A system administrator manually runs a script that downloads and executes a .jar file as part of a system update or patching task.
Filter (rows kept): process.user != "admin" OR process.args NOT LIKE '%update%'
Scenario: Logstash Using JAR for Custom Plugin
Description: Logstash is configured to use a custom .jar plugin for processing logs, which is signed and sourced from a known internal repository.
Filter (rows kept): process.name != "java" OR process.args NOT LIKE '%logstash%'
Scenario: User Downloading JAR for Development Tool
Description: A developer downloads a .jar file from a public repository (e.g., GitHub) to use a third-party development tool or library.
Filter (rows kept): process.args NOT LIKE '%github.com%' OR process.user != "developer"
Scenario: Automated Backup Job Using JAR Tool
Description: An automated backup job uses a .jar file to archive data, which is part of a standard backup toolchain.
Filter (rows kept): process.name != "java" OR process.args NOT LIKE '%backup%'

These filters are written against ECS-style process fields (process.name, process.args, process.user), so they apply to endpoint process telemetry, not to the DnsEvents and CommonSecurityLog queries above, which carry no process context. Each is the negation of its benign pattern (a row is kept unless the process is java and its arguments contain the keyword), and each hinges on a substring the attacker controls: a malicious jar launched as java -jar update.jar by an administrator, or with "jenkins", "logstash" or "backup" anywhere on its command line, is silently excluded. Scope each exclusion to the specific build hosts, service accounts and repository hostnames involved, and never suppress a hit on one of the URLhaus URLs above on the strength of a process name or keyword alone. Note also that github.com is not among the hunted domains, so the developer-download scenario does not affect the queries on this page.
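The five scenarios above, expressed as one KQL query over endpoint process telemetry so they can actually be applied in Sentinel alongside the network hunts. This is an added example, not part of the original page: it assumes the Microsoft Defender for Endpoint connector (the DeviceProcessEvents table) is enabled, and the host names, service account and paths it names are placeholders for the environment's own values. The Jenkins, Logstash and backup exclusions are tied to named hosts, accounts and install paths rather than to bare keywords; administrator "update" scripts and developer downloads are deliberately not excluded, because an administrator running a jar from an unknown source is exactly the case to review, so the query tags the jar's visible origin instead.

```kql
// Added example, not part of the original page: the exclusions above rewritten as KQL over endpoint process
// telemetry, scoped to named hosts and accounts instead of bare keywords.
// Assumes the Microsoft Defender for Endpoint connector (DeviceProcessEvents). Host names, account names,
// paths and the repository hostname below are placeholders to be replaced with the environment's own.
let jenkins_agents  = dynamic(["jenkins-agent-01", "jenkins-agent-02"]);  // placeholder build hosts
let backup_accounts = dynamic(["svc_backup"]);                            // placeholder service account
let logstash_dir    = "/usr/share/logstash/";                             // placeholder install path
let trusted_repo    = "artifacts.corp.example";                           // placeholder internal repository
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in~ ("java", "java.exe", "javaw.exe")
| where ProcessCommandLine contains ".jar"
// Pull the jar path out of the command line so exclusions match the artifact, not arbitrary arguments
| extend JarPath = extract(@"(?i)(\S+\.jar)", 1, ProcessCommandLine)
// Jenkins builds: only on the build agents themselves, and only for jars under a Jenkins workspace
| where not(DeviceName in~ (jenkins_agents) and JarPath has "jenkins")
// Logstash plugin: only when the jar lives under the Logstash install directory
| where not(ProcessCommandLine has "logstash" and JarPath startswith logstash_dir)
// Backup toolchain: tied to the service account, not to the word "backup" in any argument
| where not(AccountName in~ (backup_accounts) and JarPath has "backup")
// Admin "update" scripts and developer downloads are NOT excluded; tag the jar's origin where visible
| extend Origin = case(ProcessCommandLine has trusted_repo, "trusted_repo",
                       ProcessCommandLine has "github.com", "github",
                       "unknown")
| summarize Launches = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            CommandLines = make_set(ProcessCommandLine, 5)
          by DeviceName, AccountName, JarPath, Origin, InitiatingProcessFileName
// Rare launches of jars of unknown origin float to the top
| order by Launches asc, LastSeen desc
```

Rows with Origin "unknown" and a single launch from an interactive account are the ones to correlate with the network hunt results: a matching Priority 1 or 2 source there turns a curiosity into an incident. Keep the placeholder lists short and reviewed; every entry is a blind spot.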