The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging Vidar’s sophisticated capabilities.
IOC Summary
| Malware Family | Total IOCs | IOC Types |
|---|---|---|
| Vidar | 54 | ip:port, domain, url |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["65.109.251.186", "46.225.248.246", "116.202.188.183", "178.105.193.37", "136.243.232.226", "78.47.64.123", "46.225.249.87", "49.13.38.126", "195.201.45.175", "178.105.142.35", "176.9.142.218", "5.9.114.60"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["65.109.251.186", "46.225.248.246", "116.202.188.183", "178.105.193.37", "136.243.232.226", "78.47.64.123", "46.225.249.87", "49.13.38.126", "195.201.45.175", "178.105.142.35", "176.9.142.218", "5.9.114.60"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["kbs.matriculador.digital", "kbs.akusm188.top", "guw.akusm188.top", "ham.akusm188.top", "hus.akusm188.top", "dip.akusm188.top", "ham.matriculador.digital", "hus.matriculador.digital", "dip.matriculador.digital", "msp.xyzsm188.top", "foe.akusm188.top", "foe.matriculador.digital", "cap.xyzsm188.top", "bistrolord.lat", "guw.matriculador.digital"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://kbs.matriculador.digital/", "https://kbs.akusm188.top/", "https://178.105.142.35/", "https://195.201.45.175/", "https://178.105.193.37/", "https://46.225.248.246/", "https://46.225.249.87/", "https://49.13.38.126/", "https://78.47.64.123/", "https://116.202.188.183/", "https://cap.xyzsm188.top/", "https://176.9.142.218/", "https://5.9.114.60/", "https://136.243.232.226/", "https://guw.matriculador.digital/", "https://ham.matriculador.digital/", "https://hus.matriculador.digital/", "https://dip.matriculador.digital/", "https://msp.xyzsm188.top/", "https://guw.akusm188.top/", "https://ham.akusm188.top/", "https://hus.akusm188.top/", "https://dip.akusm188.top/", "https://steamcommunity.com/profiles/76561198698223785", "https://telegram.me/g75rit", "https://foe.matriculador.digital/", "https://foe.akusm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Tasks | Legitimate scheduled tasks such as schtasks.exe or Task Scheduler running maintenance scripts that match Vidar IOC patterns (e.g., file paths or registry keys). | Exclude processes associated with schtasks.exe or tasks with known maintenance names (e.g., UpdateService, DiskCleanup). |
| Admin Tool Usage for Patch Management | Use of tools like Windows Update or WSUS (Windows Server Update Services) that may trigger IOC matches due to similar file names or network activity. | Exclude processes related to wuauclt.exe or wsusutil.exe, or filter by IP addresses associated with internal patch management servers. |
| Log Management and SIEM Tools | Tools like Splunk, ELK Stack, or Logstash may generate logs that match Vidar IOCs due to similar file paths or command-line arguments. | Exclude processes associated with log management tools or filter by process names like splunkd.exe, logstash.exe, or kibana.exe. |
| Internal Software Distribution via Group Policy | Deployment of internal software via Group Policy Objects (GPOs) or tools like PDQ Deploy may result in file paths or registry keys that resemble Vidar IOCs. | Exclude processes related to gpupdate.exe, pdqdeploymgr.exe, or filter by file paths that match internal software distribution patterns. |
| Database Backup and Restore Jobs | Scheduled database backups using tools like SQL Server Agent or mysqldump may trigger IOC matches due to similar command-line arguments or file paths. | |
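The IOC feed above is defanged (hxxps://, [.]) while the hunting queries need plain values, and the false-positive scenarios call for excluding internal servers. The following added example (not part of the original rule or ThreatFox) refangs a few feed records taken from the table, groups them by IOC type, and emits the CommonSecurityLog hunt with an internal allowlist applied; the allowlist address is a constructed placeholder.

```python
import json
import re
from typing import Dict, List

# Constructed sample records in ThreatFox's defanged style, values copied
# from the IOC table above (the duplicate ip:port row is intentional).
SAMPLE_IOCS = [
    {"type": "url", "value": "hxxps://kbs.matriculador.digital/"},
    {"type": "domain", "value": "kbs.akusm188.top"},
    {"type": "ip:port", "value": "178[.]105[.]193[.]37:443"},
    {"type": "ip:port", "value": "178[.]105[.]193[.]37:443"},
]

def refang(value: str) -> str:
    """Undo defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :"""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def group_iocs(records: List[dict]) -> Dict[str, List[str]]:
    """Bucket refanged values by the KQL list they feed, de-duplicated.
    ip:port entries lose the port because CommonSecurityLog matches on IP."""
    groups: Dict[str, List[str]] = {"ips": [], "domains": [], "urls": []}
    key_for = {"ip:port": "ips", "domain": "domains", "url": "urls"}
    for rec in records:
        key = key_for.get(rec["type"])
        if key is None:
            continue  # unknown type: skip rather than guess a column
        value = refang(rec["value"])
        if key == "ips":
            value = value.rsplit(":", 1)[0]
        if value not in groups[key]:
            groups[key].append(value)
    return groups

def build_hunt_query(groups: Dict[str, List[str]], internal_patch_servers: List[str]) -> str:
    """Render the CommonSecurityLog hunt; json.dumps yields a valid KQL dynamic literal.
    The !in clause drops traffic sourced from the allowlisted internal hosts."""
    return "\n".join([
        f"let malicious_ips = dynamic({json.dumps(groups['ips'])});",
        f"let internal_patch_servers = dynamic({json.dumps(internal_patch_servers)});",
        "CommonSecurityLog",
        "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)",
        "| where SourceIP !in (internal_patch_servers)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_hunt_query(group_iocs(SAMPLE_IOCS), ["10.0.0.5"]))  # placeholder allowlist
```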