The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with Vidar, an information-stealing malware family that exfiltrates sensitive data such as browser credentials, cookies, and cryptocurrency wallet files. The indicators below are split into payload_delivery entries (sites hosting or redirecting to the stealer, typically compromised legitimate websites) and botnet_cc entries (command-and-control hosts). SOC teams should proactively hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify infected hosts before credentials are harvested and reused.
IOC Summary
Malware Family: Vidar
Total IOCs: 28
IOC Types: url, domain

The table below lists 25 of the 28 indicators; the remaining three (the domain gor.cebolinhaburger.com and the URLs hxxps://gor.aasscc.how/ and hxxps://gor.cebolinhaburger.com/) appear only in the hunting queries further down. URLs are defanged (hxxps) for safe handling; refang them before loading into a watchlist.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://swhrconsulting.com/ | payload_delivery | 2026-04-19 | 75% |
| domain | prc.aasscc.how | botnet_cc | 2026-04-19 | 75% |
| url | hxxps://prc.aasscc.how/ | botnet_cc | 2026-04-19 | 75% |
| domain | prc.cebolinhaburger.com | botnet_cc | 2026-04-19 | 75% |
| url | hxxps://prc.cebolinhaburger.com/ | botnet_cc | 2026-04-19 | 75% |
| url | hxxps://biendinhdanhmiennam.pro/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://euroservice-impianti.it/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://handymanjoes.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://euphorbia.co.za/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://tuslacteos.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://arabiangulffzc.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://endip.org/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://evaluate.ng/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://mastergiftsrl.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://armedforcessupportfoundation.org/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://theamari.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://aikomart.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://auraaesthetics.in/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://pinexrecruitment.job-bank.co.uk/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://ssangyong-tunisie.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://chargepointsolutionsoxford.com/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://gomodular.ie/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://brooklynfamilydivorce.lawyer/ | payload_delivery | 2026-04-19 | 75% |
| url | hxxps://prakritiklifestyles.com/ | payload_delivery | 2026-04-18 | 75% |
| domain | gor.aasscc.how | botnet_cc | 2026-04-18 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// All four hosts are botnet_cc indicators, so any hit is high-confidence
// and the querying host should be treated as potentially infected.
let malicious_domains = dynamic(["prc.aasscc.how", "prc.cebolinhaburger.com", "gor.aasscc.how", "gor.cebolinhaburger.com"]);
DnsEvents
// has_any performs term matching, so a trailing dot or mixed case in Name still matches
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The payload_delivery entries are site roots; the actual payload is usually served
// from a deeper path on the same (compromised) host, so consider widening this
// match to the hostname (parse_url(Url).Host) if hits are sparse.
let malicious_urls = dynamic(["https://swhrconsulting.com/", "https://prc.aasscc.how/", "https://prc.cebolinhaburger.com/", "https://biendinhdanhmiennam.pro/", "https://euroservice-impianti.it/", "https://handymanjoes.com/", "https://euphorbia.co.za/", "https://tuslacteos.com/", "https://arabiangulffzc.com/", "https://endip.org/", "https://evaluate.ng/", "https://mastergiftsrl.com/", "https://armedforcessupportfoundation.org/", "https://theamari.com/", "https://aikomart.com/", "https://auraaesthetics.in/", "https://pinexrecruitment.job-bank.co.uk/", "https://ssangyong-tunisie.com/", "https://chargepointsolutionsoxford.com/", "https://gomodular.ie/", "https://brooklynfamilydivorce.lawyer/", "https://prakritiklifestyles.com/", "https://gor.aasscc.how/", "https://gor.cebolinhaburger.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
// IsClickedThrough == true means the user bypassed the Safe Links warning page
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS (Windows DNS Server) data connector; ensure it is enabled and that the DNS servers clients actually use are onboarded |
| UrlClickEvents | Populated by the Microsoft Defender XDR connector (Safe Links click telemetry); only covers URLs clicked from mail, Teams and Office, not general web browsing |
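Before the indicators go into a watchlist they need to be refanged and normalized, and the queries above match on the raw strings, which misses deeper paths on the compromised payload_delivery sites and can be fooled by look-alike hosts. The following Python script is an added example (not part of the ThreatFox feed or the Sentinel content) that refangs a constructed subset of the table, indexes each indicator by hostname with its threat type, and matches that index against constructed DNS and proxy records. The event shapes and log values are assumptions for illustration only.

```python
"""Refang ThreatFox-style IOCs, index them by hostname, and match log events.

Added example; the IOC subset below is copied from the table above in its
defanged form, and the DNS/proxy events are constructed, not real telemetry.
"""
import re
from urllib.parse import urlparse

# Constructed subset of the Vidar indicators (type, defanged value, threat type).
IOCS = [
    ("url", "hxxps://swhrconsulting.com/", "payload_delivery"),
    ("domain", "prc.aasscc.how", "botnet_cc"),
    ("url", "hxxps://prc.aasscc.how/", "botnet_cc"),
    ("domain", "prc.cebolinhaburger.com", "botnet_cc"),
    ("url", "hxxps://handymanjoes.com/", "payload_delivery"),
    ("domain", "gor.aasscc.how", "botnet_cc"),
]

# botnet_cc outranks payload_delivery when one host carries both labels.
SEVERITY = {"botnet_cc": 2, "payload_delivery": 1}


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def hostname_of(ioc_type: str, value: str) -> str:
    """Reduce a url or domain indicator to a lower-case hostname without a trailing dot."""
    value = refang(value)
    if ioc_type == "url":
        return (urlparse(value).hostname or "").lower().rstrip(".")
    return value.lower().rstrip(".")


def build_index(iocs):
    """Map hostname -> most severe threat type seen for that host."""
    index = {}
    for ioc_type, value, threat_type in iocs:
        host = hostname_of(ioc_type, value)
        if SEVERITY[threat_type] > SEVERITY.get(index.get(host), 0):
            index[host] = threat_type
    return index


# Constructed sample events (assumed field names, not a real Sentinel schema).
DNS_EVENTS = [
    {"Computer": "ws01", "Name": "prc.aasscc.how", "QueryType": "A"},
    {"Computer": "ws02", "Name": "www.example.com", "QueryType": "A"},
    {"Computer": "ws03", "Name": "PRC.CEBOLINHABURGER.COM.", "QueryType": "A"},
]
PROXY_EVENTS = [
    # Deeper path on a listed payload_delivery site: the raw URL is not in the feed.
    {"User": "alice", "Url": "https://handymanjoes.com/wp-content/uploads/x.zip"},
    # Look-alike host that merely contains a listed name: must not match.
    {"User": "bob", "Url": "https://handymanjoes.com.evil.example/"},
    {"User": "carol", "Url": "https://swhrconsulting.com/"},
]


def match_dns(events, index):
    """Return (Computer, hostname, threat_type) for DNS queries to indexed hosts."""
    hits = []
    for event in events:
        host = event["Name"].lower().rstrip(".")
        if host in index:
            hits.append((event["Computer"], host, index[host]))
    return hits


def match_urls(events, index):
    """Return (User, hostname, threat_type) for URLs whose exact hostname is indexed."""
    hits = []
    for event in events:
        host = (urlparse(event["Url"]).hostname or "").lower().rstrip(".")
        if host in index:
            hits.append((event["User"], host, index[host]))
    return hits


if __name__ == "__main__":
    index = build_index(IOCS)
    for hit in match_dns(DNS_EVENTS, index) + match_urls(PROXY_EVENTS, index):
        print(hit)
```

Matching on the exact parsed hostname is what makes the third proxy record (the look-alike domain) a miss and the first record (a download path on a listed site) a hit; a plain substring check on the URL string would get both wrong. The same normalization (refang, lower-case, strip trailing dot) is worth applying when these indicators are loaded into a Sentinel watchlist, so that `Name` and `parse_url(Url).Host` can be compared with `in~` rather than term matching.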
False Positive Scenarios
The exclusions below are written in a generic, ECS-style field notation (process.name, process.user, file.hash), not KQL; translate them to the columns of the table you are actually querying. Because this rule keys on destination domains and URLs, an exclusion should always combine the benign source (process, account or job) with the specific destination it is allowed to reach, and the botnet_cc hosts (the aasscc.how and cebolinhaburger.com subdomains) should never be excluded. Note that the original filters were written as `process.name != "a" or process.name != "b"`, which is always true and would suppress every event; the corrected forms are given below. Values such as admin_user, antivirus_tool.exe and known_quarantine_hashes are placeholders to be replaced with your own.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script (e.g., a PowerShell cleanup script) that contacts one of the Vidar IOCs, typically a payload_delivery site that is a compromised but otherwise legitimate website.
Filter/Exclusion: process.name not in ("schtasks.exe", "task scheduler"), scoped to the specific task and destination rather than all scheduled tasks.

Scenario: Admin Using PowerShell for Log Collection
Description: An administrator uses PowerShell to collect logs, and the script includes a command (e.g., Invoke-WebRequest) that fetches a URL matching a Vidar IOC.
Filter/Exclusion: not (process.name == "powershell.exe" and process.user == "admin_user"); keep the account and the expected URL in the exclusion, since Vidar is itself frequently launched through PowerShell.

Scenario: Antivirus Quarantine Scan
Description: A security tool quarantines or sandboxes a file that references a Vidar IOC, and its own telemetry (for example, a detonation that resolves the domain) triggers the rule.
Filter/Exclusion: process.name != "antivirus_tool.exe" and file.hash not in known_quarantine_hashes

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline downloads a package from a trusted repository, and the download URL matches a Vidar IOC (for example, because the repository mirror is hosted on a listed compromised site).
Filter/Exclusion: process.name not in ("jenkins.exe", "git.exe"), restricted to the build hosts; do not apply this to developer workstations, which are a primary target for credential-stealing malware.

Scenario: Database Backup Job
Description: A database backup job runs a script whose command line (e.g., sqlcmd with a malicious-looking argument) matches a Vidar IOC.
Filter/Exclusion: not (process.name == "sqlcmd.exe" and process.user == "db_admin")