The ThreatFox: Antidot IOCs rule detects potential adversary activity linked to the Antidot malware family, whose published indicators are botnet command-and-control URLs. SOC teams should proactively hunt for contact with these URLs in Azure Sentinel so that hosts reaching the C2 infrastructure are identified and contained before significant damage occurs.
IOC Summary
Malware Family: Antidot
Total IOCs: 68
IOC Types: url
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Antidot
let malicious_urls = dynamic(["https://ahokulairistouv.site:14001", "https://apitelemetryinfrastructure.org:16759", "https://baseridetvinasia.org:16415", "https://berlinlogo.shop:19095", "https://brakojundi.org:19049", "https://brightmoonjourney.site:16843", "https://cafecitta.com:5036", "https://cdninfrastructure.org:13726", "https://cheapgames.world:4702", "https://datenarraqiloni.shop:3058", "https://duaeshen.org:13404", "https://faraserna.store:15486", "https://getjoot.org:13331", "https://goldencloudmeadow.site:1627", "https://goldenleafdreams.site:10475", "https://gongklaus.com:18683", "https://hiddenforestpath.site:8392", "https://himiltonperg.top:12925", "https://horllleylenassa.store:19786", "https://hyperivorationally.site:9929", "https://illugvinati.co:18637", "https://inoamito.com:19968", "https://ironbigman.com:16143", "https://ishakebanii.online:14620", "https://joctalaquelland.store:5686", "https://jonulimileallil.shop:10070", "https://klaunsingjork.top:4822", "https://klimonturo.org:11044", "https://kurvioslash.org:11734", "https://lionbuffet.info:12876"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
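The same hunt outside Sentinel, as an added example that is not part of the original rule: the ThreatFox URLs are published defanged (hxxps), and the C2 entries are host:port pairs, so the check below refangs them and matches on the (host, port) pair rather than on a substring. The log format and all log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Subset of the ThreatFox Antidot botnet_cc URLs from this page, as published (defanged).
ANTIDOT_IOCS = [
    "hxxps://ahokulairistouv.site:14001",
    "hxxps://cafecitta.com:5036",
    "hxxps://cheapgames.world:4702",
    "hxxps://lionbuffet.info:12876",
]

def refang(url):
    """Undo ThreatFox-style defanging (hxxp/hxxps, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def host_port(url):
    """Return (hostname, port) for a URL; the port defaults to 443/80 by scheme."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port

def build_ioc_set(iocs):
    return {hp for hp in map(host_port, iocs) if hp}

def hunt(log_lines, ioc_set):
    """Flag log lines whose requested URL resolves to a known C2 (host, port).
    A path suffix still matches; a look-alike host or the same host on a
    different port does not, which a plain substring match would get wrong."""
    hits = []
    for line in log_lines:
        fields = line.split()
        hp = host_port(fields[2]) if len(fields) >= 3 else None
        if hp in ioc_set:
            hits.append((fields[1], fields[2]))
    return hits

# Constructed sample proxy log, "<timestamp> <user> <url>" (not real telemetry).
SAMPLE_LOG = [
    "2026-05-22T10:01:02Z alice@example.com https://cafecitta.com:5036/api/v1/poll",
    "2026-05-22T10:01:05Z bob@example.com https://cafecitta.com/",
    "2026-05-22T10:02:10Z carol@example.com https://notcheapgames.world:4702/",
    "2026-05-22T10:03:00Z dave@example.com https://LIONBUFFET.INFO:12876",
]

if __name__ == "__main__":
    for user, url in hunt(SAMPLE_LOG, build_ioc_set(ANTIDOT_IOCS)):
        print(f"C2 contact: {user} -> {url}")
```

Only the first and last sample lines are reported: the second is the C2 host on the default port and the third is a look-alike domain.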
Scenario: Scheduled Antivirus Scan Using Antidot Integration
Description: A scheduled antivirus scan is initiated via the Antidot integration to scan endpoints for malware.
Filter/Exclusion: process.name != "antivirus_scanner.exe" AND process.name != "antidot_antivirus.exe"
Scenario: System Update via Antidot Patch Management Tool
Description: A system update is deployed using the Antidot Patch Management tool, which may trigger IOCs related to package execution.
Filter/Exclusion: process.name != "antidot_patchmgr.exe" AND process.name != "patch_update.exe"
Scenario: Admin Task to Deploy Antidot Configuration via PowerShell
Description: An administrator uses PowerShell to deploy new Antidot configuration settings across the network.
Filter/Exclusion: process.name != "powershell.exe" OR (process.args NOT LIKE "*antidot_config*" AND process.args NOT LIKE "*deploy*")
Scenario: Log Collection from Antidot Security Agent
Description: The enterprise security team collects logs from the Antidot security agent for analysis and reporting.
Filter/Exclusion: process.name != "antidot_log_collector.exe" AND process.name != "log_retriever.exe"
Scenario: Antidot Integration with SIEM for Real-Time Monitoring
Description: The Antidot security agent is configured to send real-time logs to the SIEM system for monitoring and alerting.
Filter/Exclusion: process.name != "antidot_siem_agent.exe" AND process.name != "siem_integration.exe"