The ThreatFox: Satacom IOCs rule detects potential adversary activity linked to the Satacom threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage.
IOC Summary
- Malware Family: Satacom
- Total IOCs: 4
- IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | whatdatcindy.com | botnet_cc | 2026-06-14 | 100% |
| url | hxxps://whatdatcindy.com/nfront.php | botnet_cc | 2026-06-14 | 100% |
| domain | g4me.flashpopdownloadbutton.monster | payload_delivery | 2026-06-14 | 100% |
| domain | verification-js-cdn.boats | payload_delivery | 2026-06-14 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Satacom
let malicious_domains = dynamic(["whatdatcindy.com", "g4me.flashpopdownloadbutton.monster", "verification-js-cdn.boats"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Satacom
// The URL is the refanged form of the defanged (hxxps) value in the IOC table above
let malicious_urls = dynamic(["https://whatdatcindy.com/nfront.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job Using satacom as a Backup Tool
Description: A legitimate scheduled backup job uses a tool named satacom for data archiving.
Filter/Exclusion: Exclude processes where the command line includes --backup or --archive flags, or where the process name matches satacom_backup.
Scenario: Admin Task to Monitor Network Traffic with satacom Tool
Description: A system administrator uses the satacom tool to monitor internal network traffic for troubleshooting.
Filter/Exclusion: Exclude processes initiated by the root user or those with a command line containing --monitor or --sniff.
Scenario: Log Collection Job Using satacom for Log Aggregation
Description: A log aggregation tool named satacom is used to collect logs from multiple servers into a centralized logging system.
Filter/Exclusion: Exclude processes where the command line includes --log-collect or --centralized, or where the source IP is within the internal network range.
Scenario: Software Update Job Using satacom for Patch Management
Description: A patch management tool named satacom is used to deploy updates across the enterprise.
Filter/Exclusion: Exclude processes where the command line includes --patch or --update, or where the process is initiated by a known patch management service account.
Scenario: Database Maintenance Task Using satacom for Data Sync
Description: A database maintenance script uses satacom to synchronize data between primary and secondary databases.
Filter/Exclusion: Exclude processes where the command line includes --sync or --replicate, or where the process is initiated by a database admin account.