The ThreatFox: Vidar IOCs rule detects potential command-and-control communication or payload delivery associated with the Vidar malware, which is commonly used for credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate data exfiltration attempts early in the attack lifecycle.
IOC Summary
Malware Family: Vidar
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://devsolutionsfinder.com/ | payload_delivery | 2026-06-05 | 75% |
| url | hxxps://steamcommunity.com/profiles/76561198698223785/g75rit | botnet_cc | 2026-06-05 | 75% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The IOC table above is defanged (hxxps); the query uses the refanged URLs.
let malicious_urls = dynamic(["https://devsolutionsfinder.com/", "https://steamcommunity.com/profiles/76561198698223785/g75rit"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URL shortening service usage | A security analyst uses a URL shortening service (e.g., Bitly, TinyURL) to create shortened links for internal documentation or training materials. | Exclude URLs that match known URL shortening domains or are associated with internal documentation repositories. |
| Scheduled system maintenance job | A scheduled task (e.g., schtasks.exe on Windows or cron on Linux) is configured to download a script from a remote server for system updates or patching. | Exclude connections to known update servers (e.g., windowsupdate.microsoft.com, patchmanagement.example.com) or tasks with specific scheduled job names. |
| Admin access via remote desktop | An administrator connects to a remote server using Remote Desktop Protocol (RDP), and the connection is flagged because it uses a domain that matches a known Vidar IOC. | Exclude connections originating from known internal IP ranges or RDP sessions initiated by admin accounts with multi-factor authentication. |
| Internal credential synchronization tool (e.g., Azure AD Connect) | The enterprise uses Azure AD Connect to synchronize user credentials between on-premises Active Directory and Azure AD. This tool may use URLs that match Vidar IOCs. | Exclude traffic to known Microsoft services or domains associated with Azure AD Connect. |
| Legitimate software update from a trusted vendor | A system receives a software update from a trusted vendor (e.g., Microsoft, Adobe) that includes a URL matching a Vidar IOC. | Exclude traffic to known vendor update servers or files signed by trusted publishers. |
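The following Python is an added example, not code from ThreatFox or from this rule. It ties the hunt query and the exclusion scenarios together: it refangs the two defanged IOCs from the table, renders the UrlClickEvents hunt as KQL with a host allowlist modelled on the scheduled-maintenance scenario, and runs the same matching logic over a handful of constructed UrlClickEvents-style records so the behaviour can be checked offline. The allowlist domains, account names and sample records are assumptions for illustration, and the case-insensitive substring match is only an approximation of KQL `has_any`, which is term-based.

```python
"""Refang Vidar URL IOCs, emit the Sentinel hunt as KQL, and test it offline.

Added example: not the ThreatFox feed's or the rule's own code. The allowlist
domains, sample accounts and events below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The two IOCs exactly as the table above publishes them (defanged).
DEFANGED_IOCS = [
    "hxxps://devsolutionsfinder.com/",
    "hxxps://steamcommunity.com/profiles/76561198698223785/g75rit",
]

# Assumed host allowlist for the scheduled-maintenance scenario (placeholders).
ALLOWLIST_DOMAINS = ("windowsupdate.microsoft.com", "patchmanagement.example.com")


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


MALICIOUS_URLS = [refang(ioc) for ioc in DEFANGED_IOCS]


def is_allowlisted(url: str) -> bool:
    """True when the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST_DOMAINS)


def ioc_matches(url: str, iocs=MALICIOUS_URLS) -> bool:
    """Case-insensitive full-URL match; approximates KQL `Url has_any (...)`.

    Matching on the whole IOC (scheme, host and path) matters here: the second
    IOC lives on steamcommunity.com, a legitimate site, so a host-only rule
    would either miss it or flag every Steam visit.
    """
    lowered = url.lower()
    return any(ioc.lower() in lowered for ioc in iocs)


def hunt(events, iocs=MALICIOUS_URLS):
    """Mirror the KQL: keep events whose Url hits an IOC and is not allowlisted."""
    return [e for e in events
            if ioc_matches(e["Url"], iocs) and not is_allowlisted(e["Url"])]


def build_kql(iocs=MALICIOUS_URLS, allowlist=ALLOWLIST_DOMAINS) -> str:
    """Render the hunt as KQL, applying the allowlist on the parsed host."""
    ioc_list = ", ".join(f'"{u}"' for u in iocs)
    allow_list = ", ".join(f'"{d}"' for d in allowlist)
    return "\n".join([
        f"let malicious_urls = dynamic([{ioc_list}]);",
        f"let allowlisted_hosts = dynamic([{allow_list}]);",
        "UrlClickEvents",
        "| where Url has_any (malicious_urls)",
        "| extend UrlHost = tolower(tostring(parse_url(Url).Host))",
        "| where UrlHost !in~ (allowlisted_hosts)",
        "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough",
        "| order by Timestamp desc",
    ])


# Constructed UrlClickEvents-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-05T09:12:00Z", "AccountUpn": "alice@example.com",
     "Url": "https://steamcommunity.com/profiles/76561198698223785/g75rit",
     "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-06-05T09:15:00Z", "AccountUpn": "bob@example.com",
     "Url": "https://steamcommunity.com/app/730",  # ordinary Steam page, not an IOC
     "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-06-05T09:20:00Z", "AccountUpn": "svc-patch@example.com",
     "Url": "https://windowsupdate.microsoft.com/catalog",  # allowlisted host
     "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-06-05T09:31:00Z", "AccountUpn": "dave@example.com",
     "Url": "HTTPS://DEVSOLUTIONSFINDER.COM/setup.exe",  # case differs, still a hit
     "ActionType": "ClickBlocked", "IsClickedThrough": False},
]

if __name__ == "__main__":
    print(build_kql())
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["AccountUpn"], hit["Url"])
```

The design point worth keeping when tuning this rule: exclusions are applied on the parsed host, while IOC matching stays on the full URL. Adding `steamcommunity.com` to an allowlist because it is a popular legitimate site would silently suppress the real botnet_cc hit, since Vidar's C2 profile is hosted on that domain.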