The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging Vidar’s capabilities.
IOC Summary
Malware Family: Vidar
Total IOCs: 42
IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 204[.]168[.]163[.]225:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 178[.]104[.]208[.]168:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 62[.]238[.]44[.]180:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 178[.]104[.]211[.]206:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 46[.]62[.]255[.]252:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 46[.]225[.]156[.]170:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 95[.]216[.]152[.]191:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 178[.]105[.]210[.]87:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 65[.]21[.]96[.]133:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 46[.]224[.]136[.]4:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 128[.]140[.]123[.]80:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 5[.]161[.]119[.]247:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 46[.]225[.]162[.]206:443 | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://95[.]216[.]152[.]191/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://178[.]105[.]210[.]87/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://204[.]168[.]163[.]225/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://178[.]104[.]208[.]168/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://62[.]238[.]44[.]180/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://178[.]104[.]211[.]206/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://46[.]62[.]255[.]252/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://46[.]225[.]156[.]170/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://65[.]21[.]96[.]133/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://46[.]224[.]136[.]4/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://128[.]140[.]123[.]80/ | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://5[.]161[.]119[.]247/ | botnet_cc | 2026-06-15 | 100% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["178.104.208.168", "128.140.123.80", "178.105.210.87", "178.104.211.206", "46.224.136.4", "46.62.255.252", "62.238.44.180", "65.21.96.133", "46.225.162.206", "204.168.163.225", "5.161.119.247", "95.216.152.191", "46.225.156.170"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["178.104.208.168", "128.140.123.80", "178.105.210.87", "178.104.211.206", "46.224.136.4", "46.62.255.252", "62.238.44.180", "65.21.96.133", "46.225.162.206", "204.168.163.225", "5.161.119.247", "95.216.152.191", "46.225.156.170"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["snd.goturbo88.top", "ikg.goturbo88.top", "ggt.goturbo88.top", "snd.glamisrents.com", "ikg.glamisrents.com", "ggt.glamisrents.com", "pod.turbo88jp.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://95.216.152.191/", "https://178.105.210.87/", "https://204.168.163.225/", "https://178.104.208.168/", "https://62.238.44.180/", "https://178.104.211.206/", "https://46.62.255.252/", "https://46.225.156.170/", "https://65.21.96.133/", "https://46.224.136.4/", "https://128.140.123.80/", "https://5.161.119.247/", "https://46.225.162.206/", "https://snd.goturbo88.top/", "https://ikg.goturbo88.top/", "https://ggt.goturbo88.top/", "https://snd.glamisrents.com/", "https://ikg.glamisrents.com/", "https://ggt.glamisrents.com/", "https://steamcommunity.com/profiles/76561198689449626", "https://telegram.me/turb00m", "https://avpungxx.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate Scheduled Job for Log Collection
Description: A scheduled job runs logrotate or rsyslog to manage log files, which may trigger the rule due to file paths or processes resembling known Vidar IOCs.
Filter/Exclusion: Exclude processes related to logrotate, rsyslog, or syslog-ng using the process.name field:

```
process.name != "logrotate" AND process.name != "rsyslog" AND process.name != "syslog-ng"
```
Scenario: Admin Task for System Monitoring
Description: An administrator uses Process Explorer or Procmon (from Sysinternals) to monitor system processes, which may include paths or behaviors similar to Vidar IOCs.
Filter/Exclusion: Exclude processes associated with Process Explorer or Procmon using the process.name field (Process Explorer's executable is procexp.exe, not "process.explorer.exe"):

```
process.name != "procmon.exe" AND process.name != "procexp.exe"
```
Scenario: Legitimate Use of PowerShell for Script Execution
Description: A system administrator runs a PowerShell script using powershell.exe to automate tasks, which may include command-line arguments or file paths that match Vidar IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by known admin users or within specific directories using the user.name and process.directory fields:

```
user.name == "Administrator" OR process.directory == "C:\\Windows\\System32\\"
```

Scope this exclusion narrowly: as written it suppresses every PowerShell execution by the Administrator account or from System32, including one that contacts a listed C2 address, so tie it to the specific script, host or scheduled task rather than the account or folder alone.
Scenario: Antivirus or EDR Tool Scanning
Description: A security tool like CrowdStrike Falcon, Microsoft Defender, or Kaspersky performs a full system scan, which may include files or processes that match Vidar IOCs.
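The exclusion scenarios above are written with ECS-style field names (process.name, user.name, process.directory), while the hunting queries are KQL. As an added example that is not part of the original rule page, this is the DeviceNetworkEvents hunt with those exclusions mapped onto the columns that table actually carries (InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessFolderPath); the Process Explorer binary name procexp.exe is an assumption, and the path check uses startswith because powershell.exe lives in a System32 subfolder.

```kql
// Added example, not from the original rule page: DeviceNetworkEvents hunt with
// the page's false-positive scenarios applied using this table's own columns.
let malicious_ips = dynamic(["178.104.208.168", "128.140.123.80", "178.105.210.87", "178.104.211.206", "46.224.136.4", "46.62.255.252", "62.238.44.180", "65.21.96.133", "46.225.162.206", "204.168.163.225", "5.161.119.247", "95.216.152.191", "46.225.156.170"]);
// Scenario 1 (log collection jobs) and scenario 2 (Sysinternals monitoring).
// procexp.exe is assumed to be the Process Explorer binary name.
let benign_processes = dynamic(["logrotate", "rsyslog", "syslog-ng", "procmon.exe", "procexp.exe"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// Every ip:port IOC in the feed is on 443. Keep hits on other ports visible,
// but flag whether the port matched the IOC so triage can weight them.
| extend PortMatchesIoc = (RemotePort == 443)
// Case-insensitive exclusion of the process names from scenarios 1 and 2.
| where InitiatingProcessFileName !in~ (benign_processes)
// Scenario 3 as the page states it. Against a connection to a listed C2
// address this is a wide blind spot: narrow it to a specific script or host
// before using it outside of tuning.
| where not(InitiatingProcessFileName =~ "powershell.exe"
        and (InitiatingProcessAccountName =~ "Administrator"
             or InitiatingProcessFolderPath startswith @"C:\Windows\System32\"))
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatchesIoc,
          InitiatingProcessFileName, InitiatingProcessAccountName,
          InitiatingProcessFolderPath, ActionType
| order by Timestamp desc
```

Any row that survives these exclusions is a connection from a non-excluded process to a listed Vidar address and should be triaged as a real hit rather than tuned away.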