This hunt hypothesis detects potential Vidar malware activity through indicators of compromise associated with data exfiltration and credential theft. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate advanced persistent threats that leverage encrypted channels to steal sensitive information.
IOC Summary
Malware Family: Vidar
Total IOCs: 16
IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]225[.]253[.]9:443 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 46[.]225[.]254[.]27:443 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 46[.]225[.]255[.]99:443 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 65[.]109[.]255[.]31:443 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 37[.]27[.]181[.]229:443 | botnet_cc | 2026-06-01 | 100% |
| domain | mub.dism188.top | botnet_cc | 2026-06-01 | 100% |
| domain | mub.atvrent.com | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://65[.]109[.]255[.]31/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://37[.]27[.]181[.]229/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://mub.dism188.top/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://mub.atvrent.com/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://46[.]225[.]253[.]9/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://46[.]225[.]254[.]27/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://46[.]225[.]255[.]99/ | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://steamcommunity.com/profiles/76561198694626397 | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://telegram.me/kkb31rm | botnet_cc | 2026-06-01 | 100% |
Hunt Queries (KQL)

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
// The ThreatFox ip:port indicators are listed with port 443; the port is dropped here so the list matches on IP alone
let malicious_ips = dynamic(["37.27.181.229", "46.225.253.9", "46.225.254.27", "46.225.255.99", "65.109.255.31"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["37.27.181.229", "46.225.253.9", "46.225.254.27", "46.225.255.99", "65.109.255.31"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["mub.dism188.top", "mub.atvrent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://65.109.255.31/", "https://37.27.181.229/", "https://mub.dism188.top/", "https://mub.atvrent.com/", "https://46.225.253.9/", "https://46.225.254.27/", "https://46.225.255.99/", "https://steamcommunity.com/profiles/76561198694626397", "https://telegram.me/kkb31rm"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
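The IOC table above is defanged (`hxxps://`, `[.]`) while the queries need live values, and the queries match IPs with `in` (exact) but domains and URLs with `has_any` (whole-term phrase match). The following Python script is an added example, not part of the hunt page or of ThreatFox: it refangs a constructed subset of the table rows, emits the `let ... = dynamic([...]);` lines in the form the queries use, and replays the three predicates over constructed sample events so the difference between `in` and `has_any` is visible offline. The `_terms` tokeniser is an approximation of Kusto term matching, and the sample events and the 10.0.0.0/8 and 203.0.113.0/24 addresses in them are placeholders, not indicators.

```python
import re
from collections import defaultdict

# Constructed subset of the ThreatFox rows from the table above, kept in their defanged form
# (the full table has 16 rows; five are enough to show each IOC type).
IOC_ROWS = [
    ("ip:port", "46[.]225[.]253[.]9:443"),
    ("ip:port", "65[.]109[.]255[.]31:443"),
    ("domain", "mub.dism188.top"),
    ("url", "hxxps://mub.atvrent.com/"),
    ("url", "hxxps://steamcommunity.com/profiles/76561198694626397"),
]


def refang(value: str) -> str:
    """Undo the defanging used in the IOC table: '[.]' -> '.', 'hxxp(s)://' -> 'http(s)://'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def normalise(ioc_type: str, value: str):
    """Map an IOC onto the KQL list it feeds. The hunt queries match on bare IPs,
    so the ':443' suffix of an ip:port indicator is dropped here."""
    value = refang(value)
    if ioc_type == "ip:port":
        return "ip", value.rsplit(":", 1)[0]
    return ioc_type, value


def build_lists(rows):
    """Group refanged IOCs by kind ('ip', 'domain', 'url'), de-duplicated, order preserved."""
    lists = defaultdict(list)
    for ioc_type, value in rows:
        kind, val = normalise(ioc_type, value)
        if val not in lists[kind]:
            lists[kind].append(val)
    return dict(lists)


def kql_let(name: str, values) -> str:
    """Render a KQL `let <name> = dynamic([...]);` line like the ones in the hunt queries."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def _terms(text: str):
    # Approximation of Kusto term tokenisation used by `has`: case-insensitive, split on non-alphanumerics.
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def has_phrase(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's terms must appear as a consecutive run of whole terms.
    Unlike a substring test this rejects 'xmub.dism188.top' for the indicator 'mub.dism188.top'."""
    h, n = _terms(haystack), _terms(needle)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def hunt(events, lists):
    """Apply the hunt predicates to in-memory events and return (event id, kind, indicator) hits:
    `in` on the IP columns (exact match), `has_any` on DnsEvents.Name and on UrlClickEvents.Url."""
    hits = []
    for ev in events:
        for col in ("SourceIP", "DestinationIP", "RemoteIP"):
            if ev.get(col) in lists.get("ip", []):
                hits.append((ev["id"], "ip", ev[col]))
        for dom in lists.get("domain", []):
            if "Name" in ev and has_phrase(ev["Name"], dom):
                hits.append((ev["id"], "domain", dom))
        for url in lists.get("url", []):
            if "Url" in ev and has_phrase(ev["Url"], url):
                hits.append((ev["id"], "url", url))
    return hits


# Constructed sample events shaped like the Sentinel tables the queries read; 10.0.0.0/8 and
# 203.0.113.0/24 addresses are placeholders, not IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "Table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "46.225.253.9", "DestinationPort": 443},
    {"id": 2, "Table": "CommonSecurityLog", "SourceIP": "10.0.0.6", "DestinationIP": "203.0.113.10", "DestinationPort": 443},
    {"id": 3, "Table": "DnsEvents", "Computer": "WS01", "Name": "mub.dism188.top"},
    {"id": 4, "Table": "DnsEvents", "Computer": "WS02", "Name": "xmub.dism188.top"},
    {"id": 5, "Table": "UrlClickEvents", "AccountUpn": "user@example.com", "Url": "https://steamcommunity.com/profiles/76561198694626397"},
    {"id": 6, "Table": "UrlClickEvents", "AccountUpn": "user@example.com", "Url": "https://steamcommunity.com/profiles/1"},
]

if __name__ == "__main__":
    ioc_lists = build_lists(IOC_ROWS)
    for name, kind in (("malicious_ips", "ip"), ("malicious_domains", "domain"), ("malicious_urls", "url")):
        print(kql_let(name, ioc_lists[kind]))
    for hit in hunt(SAMPLE_EVENTS, ioc_lists):
        print("HIT", hit)
```

Running the script prints the three `let` lines and exactly three hits (events 1, 3 and 5); event 4 is not a hit because `has_any` matches whole terms, so a look-alike host such as `xmub.dism188.top` would also be missed by the DnsEvents query and needs its own indicator if it matters to you.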
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled system backup using Veeam Backup & Replication | Exclude traffic originating from the Veeam backup server or involving known Veeam backup credentials in the IOC list. |
| Admin performing PowerShell-based system maintenance using Invoke-Command | Exclude PowerShell scripts executed from trusted admin workstations or signed by enterprise-issued certificates. |
| SQL Server Agent Job executing a database maintenance task | Exclude process IDs (PIDs) associated with SQL Server services or jobs running under the SQL Server service account. |
| Windows Task Scheduler running a legitimate script for log rotation | Exclude tasks scheduled by the Task Scheduler service or scripts located in the C:\Windows\System32\ directory. |
| Ansible playbook executing configuration management tasks on remote hosts | Exclude connections initiated by Ansible control nodes or scripts using enterprise-issued SSH keys. |