The ThreatFox: Antidot IOCs rule detects potential adversary activity linked to the Antidot malware family (tracked by ThreatFox with malware-distribution and botnet command-and-control infrastructure). SOC teams should proactively hunt for this behavior in Azure Sentinel so that hosts reaching these IOCs are identified and contained before significant damage is done.
IOC Summary
Malware Family: Antidot
Total IOCs: 68
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ahokulairistouv.site:14001 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://apitelemetryinfrastructure.org:16759 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://baseridetvinasia.org:16415 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://berlinlogo.shop:19095 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://brakojundi.org:19049 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://brightmoonjourney.site:16843 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://cafecitta.com:5036 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://cdninfrastructure.org:13726 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://cheapgames.world:4702 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://datenarraqiloni.shop:3058 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://duaeshen.org:13404 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://faraserna.store:15486 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://getjoot.org:13331 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://goldencloudmeadow.site:1627 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://goldenleafdreams.site:10475 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://gongklaus.com:18683 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://hiddenforestpath.site:8392 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://himiltonperg.top:12925 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://horllleylenassa.store:19786 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://hyperivorationally.site:9929 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://illugvinati.co:18637 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://inoamito.com:19968 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://ironbigman.com:16143 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://ishakebanii.online:14620 | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://joctalaquelland.store:5686 | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Antidot
// The list below is the IOC table refanged (hxxps -> https); ThreatFox publishes the defanged form.
let malicious_urls = dynamic(["https://ahokulairistouv.site:14001", "https://apitelemetryinfrastructure.org:16759", "https://baseridetvinasia.org:16415", "https://berlinlogo.shop:19095", "https://brakojundi.org:19049", "https://brightmoonjourney.site:16843", "https://cafecitta.com:5036", "https://cdninfrastructure.org:13726", "https://cheapgames.world:4702", "https://datenarraqiloni.shop:3058", "https://duaeshen.org:13404", "https://faraserna.store:15486", "https://getjoot.org:13331", "https://goldencloudmeadow.site:1627", "https://goldenleafdreams.site:10475", "https://gongklaus.com:18683", "https://hiddenforestpath.site:8392", "https://himiltonperg.top:12925", "https://horllleylenassa.store:19786", "https://hyperivorationally.site:9929", "https://illugvinati.co:18637", "https://inoamito.com:19968", "https://ironbigman.com:16143", "https://ishakebanii.online:14620", "https://joctalaquelland.store:5686", "https://jonulimileallil.shop:10070", "https://klaunsingjork.top:4822", "https://klimonturo.org:11044", "https://kurvioslash.org:11734", "https://lionbuffet.info:12876"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
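The KQL above takes the IOC list already refanged by hand and only matches when the logged URL carries the same host and port as the feed entry. The following Python is an added example, not part of this rule or of ThreatFox, showing how a SOC script would consume the table in its published defanged form (`hxxps`), normalise each IOC to host and port, and then grade log hits as an exact host-and-port match or a host-only match (same domain, different or default port), which the query above would not surface. The IOC subset and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed subset of the ThreatFox Antidot IOC table above, kept in the
# defanged "hxxps" form in which the feed publishes it.
THREATFOX_IOCS = [
    "hxxps://ahokulairistouv.site:14001",
    "hxxps://cafecitta.com:5036",
    "hxxps://cheapgames.world:4702",
    "hxxps://cdninfrastructure.org:13726",
]

# Constructed sample log lines: timestamp, account, URL, action. Not real data.
SAMPLE_LOG = [
    "2026-05-22T09:12:03Z alice@example.test https://ahokulairistouv.site:14001/gate.php ClickAllowed",
    "2026-05-22T09:13:41Z bob@example.test https://CafeCitta.com:5036 ClickBlocked",
    "2026-05-22T09:15:10Z carol@example.test https://cheapgames.world/ ClickAllowed",
    "2026-05-22T09:16:55Z dave@example.test https://docs.example.test/guide ClickAllowed",
    "2026-05-22T09:18:20Z erin@example.test https://cdninfrastructure.org:13726/update?id=7 ClickAllowed",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def host_port(url: str) -> Tuple[str, int]:
    """Normalise a URL to (lower-case host, explicit port), filling scheme defaults."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return host, port


def build_index(iocs: List[str]) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Index IOCs both by (host, port) and by host alone."""
    exact: Set[Tuple[str, int]] = set()
    hosts: Set[str] = set()
    for ioc in iocs:
        hp = host_port(refang(ioc))
        exact.add(hp)
        hosts.add(hp[0])
    return exact, hosts


def classify(url: str, exact: Set[Tuple[str, int]], hosts: Set[str]) -> Optional[str]:
    """'exact' when host and port match an IOC, 'host-only' when only the host does."""
    hp = host_port(url)
    if hp in exact:
        return "exact"
    if hp[0] in hosts:
        return "host-only"
    return None


def scan_log(lines: List[str], iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (account, url, match_kind) for every line that touches IOC infrastructure."""
    exact, hosts = build_index(iocs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than abort the whole scan
        _ts, account, url, _action = fields[:4]
        kind = classify(url, exact, hosts)
        if kind:
            hits.append((account, url, kind))
    return hits


if __name__ == "__main__":
    for account, url, kind in scan_log(SAMPLE_LOG, THREATFOX_IOCS):
        print(f"{kind:9} {account} {url}")
```

Host-only hits are deliberately reported separately: the feed pins each IOC to a port, so a click on the same domain over 443 is weaker evidence and worth a triage look rather than an automatic incident.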
Tuning and exclusions
Note that these exclusions key on process name and command line, fields the UrlClickEvents query above does not return; apply them where process telemetry is queried rather than to the URL-click hunt itself.
- Scenario: Legitimate scheduled job for updating Antidot configuration
  Filter/Exclusion: Exclude events where the process name is antidot-updater and the command line includes --scheduled or --update-config
- Scenario: Admin task to generate reports using Antidot’s built-in reporting tool
  Filter/Exclusion: Exclude events where the process name is antidot-reporter and the command line includes --generate-report or --output-path
- Scenario: Routine system maintenance using Antidot’s diagnostic tools
  Filter/Exclusion: Exclude events where the process name is antidot-diag and the command line includes --maintenance-mode or --check-health
- Scenario: Legitimate use of Antidot for network traffic analysis by the security team
  Filter/Exclusion: Exclude events where the user is a member of the security-team group and the process name is antidot-analyzer with the --network-monitor flag
- Scenario: Antidot integration with SIEM tools for log forwarding
  Filter/Exclusion: Exclude events where the process name is antidot-siem and the command line includes --forward-logs or --siem-server