Adversaries may be using URLs listed as malicious by URLhaus to download malware into compromised environments. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 31
Active URLs: 8
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["tradedsglobal.com", "xxxzxxxzxxx.cc", "62.60.226.159", "andjemztech.com", "valfanto.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web (proxy/firewall) traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["tradedsglobal.com", "xxxzxxxzxxx.cc", "62.60.226.159", "andjemztech.com", "valfanto.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
Filter/Exclusion: Exclude URLs that match known penetration testing tools or domains (e.g., metasploit.org, exploit-db.com, vulnweb.com).
Scenario: A scheduled job is fetching updates from a legitimate third-party repository that hosts malware analysis tools (e.g., VirusTotal, AlienVault OTX).
Filter/Exclusion: Exclude URLs containing known benign domains used by threat intelligence platforms (e.g., virustotal.com, otx.alienvault.com).
Scenario: An internal tool or script is used to download malware samples for analysis in a sandboxed environment (e.g., Cuckoo Sandbox, Joe Sandbox).
Filter/Exclusion: Exclude URLs that match internal sandboxing infrastructure or analysis platforms (e.g., cuckoo.sh, joesandbox.com).
Scenario: A user is accessing a phishing simulation URL hosted by a security awareness training platform (e.g., KnowBe4, PhishMe).
Filter/Exclusion: Exclude URLs that match known phishing simulation domains (e.g., knowbe4.com, phishme.com, phishsimulator.net).
Scenario: A legitimate software update is being downloaded from a trusted source, but the URL is flagged due to a similarity with a known malicious domain.
Filter/Exclusion: Exclude URLs that match known software update servers (e.g., updates.microsoft.com, download.docker.com, nginx.org).
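As an added example (not part of the original hunt), the query below combines the DNS and web hunts, matches on the parsed host rather than the raw URL, and applies the exclusions from the scenarios above as a `benign_hosts` allowlist; that allowlist is an assumption built from the scenario text and should be tuned to your environment.

```kusto
// Added example: combined URLhaus hunt with false-positive exclusions applied.
// malicious_domains is the list used in the page's queries; benign_hosts is
// an assumed allowlist assembled from the scenarios above (tune per tenant).
let malicious_domains = dynamic(["tradedsglobal.com", "xxxzxxxzxxx.cc", "62.60.226.159", "andjemztech.com", "valfanto.com"]);
let benign_hosts = dynamic([
    "metasploit.org", "exploit-db.com", "vulnweb.com",            // pentest tooling
    "virustotal.com", "otx.alienvault.com",                        // TI platforms
    "cuckoo.sh", "joesandbox.com",                                 // sandbox infrastructure
    "knowbe4.com", "phishme.com", "phishsimulator.net",            // phishing simulation
    "updates.microsoft.com", "download.docker.com", "nginx.org"    // software update servers
]);
// Proxy/firewall hits: derive the host so matching is on the domain, not on the whole URL.
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    | extend Host = tolower(iff(isnotempty(DestinationHostName), DestinationHostName, tostring(parse_url(RequestURL).Host)))
    | where Host has_any (malicious_domains)
    | where not(Host has_any (benign_hosts))
    | project TimeGenerated, Source = "CommonSecurityLog", Computer = SourceIP, Indicator = Host, Detail = RequestURL, Action = DeviceAction;
// DNS hits: same indicator list and the same exclusions.
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | where not(Name has_any (benign_hosts))
    | project TimeGenerated, Source = "DnsEvents", Computer, Indicator = tolower(Name), Detail = tostring(IPAddresses), Action = "";
// One row per host/indicator pair so an analyst sees first/last contact and which sources corroborate it.
union web_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(), Sources = make_set(Source), Actions = make_set(Action) by Computer, Indicator
| order by LastSeen desc
```

A host that appears in both `Sources` within a short window is a stronger signal than a lone DNS lookup, which may be a resolver prefetch or a security scanner.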