Adversaries may be using known malicious URLs to download malware into the network, bypassing traditional detection mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread.
IOC Summary

Threat: malware_download
Total URLs: 37
Active URLs: 15
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["botnet.fizra.biz.id", "27.37.122.3", "64.7.199.151", "123.190.21.95", "61.52.157.121", "36.71.28.44"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["botnet.fizra.biz.id", "27.37.122.3", "64.7.199.151", "123.190.21.95", "61.52.157.121", "36.71.28.44"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
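The two hunts above hard-code their host list by hand. As an added example (not from the original page), the Python below derives that list from IOC rows in the table's column order: it refangs hxxp URLs, strips ports (a host:port string never matches a DNS Name), keeps only hosts with at least one online URL unless asked otherwise, and emits the CommonSecurityLog hunt with IP literals additionally matched on DestinationIP. The sample rows use RFC 5737 / .example values and are constructed, not real indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows in the IOC table's column order (url, status, threat, date_added); RFC 5737 / .example values, not real indicators.
SAMPLE_ROWS = [
    ("hxxp://192.0.2.10:8081/bin.sh", "online", "malware_download", "2026-05-18"),
    ("hxxp://malware-cdn.example/run.sh", "online", "malware_download", "2026-05-18"),
    ("hxxp://malware-cdn.example/armv7l", "offline", "malware_download", "2026-05-18"),
    ("hxxps://stale[.]example/x86_64", "offline", "malware_download", "2026-05-18"),
]

def refang(url):
    """Undo common defanging (hxxp/hxxps scheme, [.] dots) so urlsplit can parse it."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def extract_host(url):
    """Bare lowercase host with the port stripped: 'host:port' never matches a DNS Name."""
    return urlsplit(refang(url)).hostname  # None if the URL is unparseable

def hunt_hosts(rows, include_offline=False):
    """Deduplicated, sorted hosts; a host counts as online if any of its URLs is."""
    online_by_host = {}
    for url, status, threat, _date_added in rows:
        host = extract_host(url) if threat == "malware_download" else None
        if host:
            online_by_host[host] = online_by_host.get(host, False) or status == "online"
    return sorted(h for h, online in online_by_host.items() if online or include_offline)

def is_ip(host):
    """IPv4/IPv6 literals should also be matched on DestinationIP, not only as hostnames."""
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def kql_dynamic(values):
    """Render a KQL dynamic([...]) literal for has_any / in."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def build_web_hunt(rows, include_offline=False):
    """CommonSecurityLog hunt: every host via has_any, IP literals additionally via DestinationIP."""
    hosts = hunt_hosts(rows, include_offline)
    ips = [h for h in hosts if is_ip(h)]
    return "\n".join([
        f"let malicious_domains = {kql_dynamic(hosts)};",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)",
        f"    or DestinationIP in ({kql_dynamic(ips)})",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction",
        "| order by TimeGenerated desc",
    ])
```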
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
  Filter/Exclusion: Exclude URLs that match known security testing domains (e.g., testmaliciousurl.com, vulnerablehost.com) or include a tag like security_test in the URL or request headers.
- Scenario: A scheduled job is executing a script that downloads a legitimate update from a trusted repository (e.g., npm install, pip install, or apt update).
  Filter/Exclusion: Exclude URLs that match known package managers or trusted update servers (e.g., https://registry.npmjs.org, https://archive.apache.org, https://packages.microsoft.com).
- Scenario: An internal tool or service is using a malicious-looking URL for internal communication (e.g., a mock API endpoint or a staging environment URL).
  Filter/Exclusion: Exclude URLs that are internal to the organization (e.g., internal-api.example.com, staging.example.com) or include a domain that matches the company’s internal DNS.
- Scenario: A user is downloading a legitimate file from a phishing email that was successfully spoofed to look like a trusted source (e.g., a fake Microsoft update link).
  Filter/Exclusion: Exclude URLs that are associated with phishing campaigns or include suspicious subdomains (e.g., update.microsoft.com with a subdomain like secure-login that is not known to be legitimate).
- Scenario: A legitimate software update or patch is being downloaded from a third-party repository (e.g., https://download.docker.com or https://downloads.apache.org).
  Filter/Exclusion: Exclude URLs that are known to be official download sources for software (e.g., docker.com, apache.org, nginx.org) or include a hash or checksum in the URL path.