The hypothesis is that the detected URLs are being used by adversaries to download malicious payloads via ua-wget, leveraging compromised or untrusted systems to execute malicious code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control channels or data exfiltration attempts.
IOC Summary
Threat: ua-wget Total URLs: 61 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://103.72.9.252:51383/Mozi.m | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/GZOS | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/35t | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/Ob9f | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/PaBc | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/M9s | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/0Uc4 | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/oJh | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/K2vC | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/cmxi | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/a2f | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/xHRf | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/vzPx | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/LfyP | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/Z47T | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/gjF | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/jW3 | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/mH3m | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/uIBe | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/V2w | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/w0g | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/5Fl | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/MTpP | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/GdOc | offline | malware_download | 2026-05-11 |
hxxp://45.148.120.78/U0qB | offline | malware_download | 2026-05-11 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ua-wget
let malicious_domains = dynamic(["103.72.9.252", "45.148.120.78"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["103.72.9.252", "45.148.120.78"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: System Update Job Using wget
Description: A scheduled system update job uses wget to download a legitimate package from a known internal or public repository.
Filter/Exclusion: Exclude URLs matching internal update servers (e.g., internal-repo.example.com, updates.example.com) or known safe repositories (e.g., archive.debian.org, security.debian.org).
Scenario: Admin Task to Download a Known Safe File
Description: An administrator manually downloads a trusted file (e.g., a configuration script or patch) using wget from a trusted source.
Filter/Exclusion: Exclude URLs containing known safe domains (e.g., trusted-admin-tools.example.com, scripts.example.com) or specific file hashes.
Scenario: Log Collection Using wget
Description: A log aggregation tool or script uses wget to fetch logs from a remote server.
Filter/Exclusion: Exclude URLs matching log collection endpoints (e.g., logs.example.com, logserver.example.com) or specific log file paths.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses wget to download build artifacts or dependencies from a secure artifact repository.
Filter/Exclusion: Exclude URLs matching CI/CD artifact repositories (e.g., artifacts.example.com, nexus.example.com) or specific project artifact paths.
Scenario: User-Initiated File Download for Support
Description: A user downloads a support tool or diagnostic script from a company-approved support portal using wget.
Filter/Exclusion: Exclude URLs containing known support domains (e.g., support.example.com, diag.example.com) or specific support tool names.