DNS Query To Common Malware Hosting and Shortener Services

Rule Info

Name
DNS Query To Common Malware Hosting and Shortener Services
Author
Ahmed Nosir (@egycondor)
Description
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
Reference
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Date
2025-06-02 00:00:00
Modified
None
Id
f8c1e80b-c73a-476a-ae24-6c72528b1521
Tags
attack.command-and-control attack.t1071.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f8c1e80b-c73a-476a-ae24-6c72528b1521

Rule History

Author
Title
Date
Commit
egycondor
Merge PR #5453 from @egycondor - DNS Query To Common Malware Hosting and Shortener Services
2025-06-12
d242edfd5
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022