The ThreatFox: Antidot IOCs rule detects potential adversary activity linked to the Antidot threat group, which is associated with malware distribution and command-and-control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by known malicious actors.
IOC Summary

- Malware Family: Antidot
- Total IOCs: 2
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | duaeshen.org | botnet_cc | 2026-05-21 | 100% |
| domain | apitelemetryinfrastructure.org | botnet_cc | 2026-05-21 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Antidot
let malicious_domains = dynamic(["duaeshen.org", "apitelemetryinfrastructure.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
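To check the matching behaviour of the query offline before it is scheduled, the following added example (not part of the ThreatFox rule or any Sentinel content) parses the IOC table above and replays the `has_any` domain match over a few constructed `DnsEvents`-shaped rows. It assumes `has_any` matches on whole DNS labels, so a subdomain of an IOC hits but a lookalike such as `notduaeshen.org` does not.

```python
# Constructed copy of the page's IOC table (the two Antidot C2 domains).
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | duaeshen.org | botnet_cc | 2026-05-21 | 100% |
| domain | apitelemetryinfrastructure.org | botnet_cc | 2026-05-21 | 100% |
"""

def parse_ioc_table(text: str) -> dict[str, dict]:
    """Return {value: metadata} for data rows of a markdown IOC table."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the separator row and anything malformed.
        if len(cells) < 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        typ, value, threat, first_seen, conf = cells[:5]
        rows[value.lower()] = {"type": typ, "threat_type": threat,
                               "first_seen": first_seen, "confidence": conf}
    return rows

def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """Hit on the IOC itself or any subdomain of it (label boundary),
    never on a longer label that merely contains it (assumed has_any semantics)."""
    q = query_name.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)

def hunt_dns(events: list[dict], iocs: dict[str, dict]) -> list[dict]:
    """Mirror the KQL: filter DNS rows on the IOC set, newest first."""
    hits = [{**ev, "ioc": d, "threat_type": meta["threat_type"]}
            for ev in events for d, meta in iocs.items()
            if domain_matches(ev["Name"], d)]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample rows: two true hits (one via a subdomain), one lookalike, one benign.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-22T08:01:00Z", "Computer": "ws01", "Name": "duaeshen.org", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:02:00Z", "Computer": "ws02", "Name": "cdn.apitelemetryinfrastructure.org", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:03:00Z", "Computer": "ws03", "Name": "notduaeshen.org", "QueryType": "A"},
    {"TimeGenerated": "2026-05-22T08:04:00Z", "Computer": "ws04", "Name": "example.com", "QueryType": "AAAA"},
]

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_EVENTS, parse_ioc_table(IOC_TABLE)):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["ioc"], hit["threat_type"])
```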
Scenario: Scheduled Antivirus Scan Using Antidot Integration
Description: A scheduled antivirus scan is initiated via the Antidot integration tool, which may trigger the detection logic due to the presence of Antidot-related IOCs in the scan process.
Filter/Exclusion: `process.name != "antidot-scan-tool" or process.parent.name != "antivirus-scheduler"`

Scenario: System Update via Antidot Management Console
Description: A system update is initiated through the Antidot management console, which may include legitimate IOCs related to the update process.
Filter/Exclusion: `process.name != "antidot-updater" or process.args != "--update"`

Scenario: Admin Task to Generate Antidot Reports
Description: An administrator runs a script or tool to generate reports using Antidot, which may include IOCs associated with the tool.
Filter/Exclusion: `process.name != "antidot-report-generator" or user.name != "admin"`

Scenario: Legitimate Use of Antidot for Threat Intelligence Sharing
Description: The security team uses Antidot to share threat intelligence with internal teams, which may involve IOCs that match the detection rule.
Filter/Exclusion: `process.name != "threat-intel-tool" or process.args != "--share"`

Scenario: Antidot Integration with SIEM for Log Aggregation
Description: Antidot is integrated with a SIEM system (e.g., Splunk, ELK) to aggregate logs, which may trigger the rule due to the presence of Antidot-related IOCs in the log ingestion process.
Filter/Exclusion: `process.name != "antidot-siem-connector" or process.parent.name != "log-aggregator"`