The detection identifies potential Phantom Stealer malware activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before significant data loss occurs.
IOC Summary
Malware Family: Phantom Stealer
Total IOCs: 5
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://t.me/ax03bot | botnet_cc | 2026-05-06 | 100% |
| domain | honestly.ink | botnet_cc | 2026-05-06 | 100% |
| domain | acvgste.club | botnet_cc | 2026-05-06 | 100% |
| domain | 0x666.info | botnet_cc | 2026-05-06 | 100% |
| domain | pla7ina.cfd | botnet_cc | 2026-05-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Phantom Stealer
let malicious_domains = dynamic(["honestly.ink", "acvgste.club", "0x666.info", "pla7ina.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Phantom Stealer
let malicious_urls = dynamic(["https://t.me/ax03bot"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
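The two queries above embed the IOC list by hand. The script below is an added example, not part of the original detection page: it takes the IOC table as published (the URL is defanged as `hxxps://`), refangs the values so they match live telemetry, renders the `dynamic([...])` literal the queries use, and checks a few constructed `DnsEvents`-style records against the domain list. The match helper treats a name as a hit only when it equals an IOC domain or is a subdomain of it, which is close to what KQL `has_any` does with term boundaries and, unlike a plain substring test, does not flag `0x666.infosite.com` for `0x666.info`. The sample records and hostnames are constructed for the example.

```python
"""Added example: normalize the Phantom Stealer IOC table, emit the KQL list
literal the hunting queries use, and run a term-boundary domain match over
constructed DNS records."""
import re
from typing import Iterable

# IOCs copied from the page's table (the URL is defanged there as hxxps://).
IOCS = [
    ("url", "hxxps://t.me/ax03bot"),
    ("domain", "honestly.ink"),
    ("domain", "acvgste.club"),
    ("domain", "0x666.info"),
    ("domain", "pla7ina.cfd"),
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values match telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def kql_dynamic(values: Iterable[str]) -> str:
    """Render a KQL dynamic([...]) literal with quoted string elements."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"dynamic([{quoted}])"


def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """True when the queried name is the IOC domain or a subdomain of it.
    A plain substring test would also hit '0x666.infosite.com'; this does not."""
    q = query_name.lower().rstrip(".")
    d = ioc_domain.lower()
    return q == d or q.endswith("." + d)


def hunt_dns(records, ioc_domains):
    """Return (record, matched_ioc) pairs for records whose Name hits an IOC."""
    hits = []
    for rec in records:
        for d in ioc_domains:
            if domain_matches(rec["Name"], d):
                hits.append((rec, d))
                break
    return hits


DOMAIN_IOCS = [refang(v) for t, v in IOCS if t == "domain"]
URL_IOCS = [refang(v) for t, v in IOCS if t == "url"]

# Constructed sample DnsEvents-style records (not real telemetry).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-05-06T10:01:00Z", "Computer": "WS01", "Name": "honestly.ink"},
    {"TimeGenerated": "2026-05-06T10:02:00Z", "Computer": "WS02", "Name": "cdn.pla7ina.cfd"},
    {"TimeGenerated": "2026-05-06T10:03:00Z", "Computer": "WS03", "Name": "0x666.infosite.com"},
    {"TimeGenerated": "2026-05-06T10:04:00Z", "Computer": "WS04", "Name": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    print("let malicious_domains = " + kql_dynamic(DOMAIN_IOCS) + ";")
    print("let malicious_urls = " + kql_dynamic(URL_IOCS) + ";")
    for rec, ioc in hunt_dns(SAMPLE_DNS, DOMAIN_IOCS):
        print(f"{rec['TimeGenerated']} {rec['Computer']} {rec['Name']} -> {ioc}")
```

Run it to regenerate the `let` lines whenever the feed updates; only the two records on `honestly.ink` and `cdn.pla7ina.cfd` are reported, while the look-alike `0x666.infosite.com` is not.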
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Job Using wbadmin
Description: A scheduled task using wbadmin to perform system backups may trigger the rule if the command line includes suspicious arguments or paths.
Filter/Exclusion: Exclude processes initiated by wbadmin with the -backup flag or from the C:\Windows\System32\wbadmin.exe path.
Scenario: Admin Task Using taskkill to Terminate a Legitimate Process
Description: An administrator may use taskkill to terminate a process like svchost.exe or explorer.exe during maintenance.
Filter/Exclusion: Exclude taskkill commands executed by users in the Administrators group with the /F and /PID flags targeting known system services.
Scenario: Scheduled Job Using schtasks to Run a Legitimate Script
Description: A scheduled job using schtasks to run a PowerShell or batch script for system maintenance may be flagged if the script path or command line matches known IOCs.
Filter/Exclusion: Exclude schtasks commands that execute scripts from the C:\Windows\System32\ directory or known trusted script locations.
Scenario: Logon Script Execution with cmd.exe
Description: A logon script using cmd.exe to run a batch file for user environment setup may trigger the rule if the script contains suspicious command lines.
Filter/Exclusion: Exclude cmd.exe processes launched from user profile directories (e.g., C:\Users\<User>\) or from known trusted logon script locations.
Scenario: System Update or Patching Process Using msiexec
Description: Microsoft Installer (msiexec) is often used during system updates and may be flagged if