The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, leveraging known indicators of compromise to identify malicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
- Malware Family: Vidar
- Total IOCs: 4
- IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ggt.glamisrent.com/ | botnet_cc | 2026-06-12 | 75% |
| domain | ggt.glamisrent.com | botnet_cc | 2026-06-12 | 75% |
| url | hxxps://ggt.gerbongsm188.top/ | botnet_cc | 2026-06-12 | 75% |
| domain | ggt.gerbongsm188.top | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["ggt.glamisrent.com", "ggt.gerbongsm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://ggt.glamisrent.com/", "https://ggt.gerbongsm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
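As an added example (not part of the ThreatFox feed or of this rule), the following Python turns rows like the IOC table above into the refanged `let` lists the queries expect, folds URL hostnames into the domain list, and checks a few constructed DNS query names against the result, extending the exact-match hunt above to subdomains. The `IOC_ROWS` and `SAMPLE_QUERIES` values are constructed here from the page's indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed rows mirroring the IOC table above (type and defanged value).
IOC_ROWS = [
    {"type": "url", "value": "hxxps://ggt.glamisrent.com/"},
    {"type": "domain", "value": "ggt.glamisrent.com"},
    {"type": "url", "value": "hxxps://ggt.gerbongsm188.top/"},
    {"type": "domain", "value": "ggt.gerbongsm188.top"},
]

def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def split_iocs(rows):
    """Return (domains, urls) refanged and de-duplicated; URL hostnames are
    folded into the domain list so the DNS hunt still fires when a feed
    publishes only the URL form of an indicator."""
    domains, urls = set(), set()
    for row in rows:
        v = refang(row["value"])
        if row["type"] == "url":
            urls.add(v)
            host = urlsplit(v).hostname
            if host:
                domains.add(host.lower())
        elif row["type"] == "domain":
            domains.add(v.lower())
    return sorted(domains), sorted(urls)

def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array of strings."""
    items = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{items}]);"

def dns_hits(domains, query_names):
    """Return query names that equal an IOC domain or are a subdomain of one;
    case and a trailing dot are normalised so 'GGT.glamisrent.com.' matches."""
    hits = []
    for q in query_names:
        name = q.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(q)
    return hits

# Constructed DNS query names to exercise the matcher offline.
SAMPLE_QUERIES = ["GGT.glamisrent.com.", "cdn.ggt.gerbongsm188.top",
                  "glamisrent.com", "update.example.net"]
```

Calling `kql_dynamic("malicious_domains", split_iocs(IOC_ROWS)[0])` reproduces the `let` line used in the DNS query above; `dns_hits` is the local equivalent of the `has_any` filter with subdomain coverage added.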
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: Exclude files whose parent process is Task Scheduler or a Microsoft process, and filter by file paths containing System32 or Temp.

Scenario: Admin Log Collection via PowerShell
Description: An admin is using PowerShell to collect logs from remote systems, which may include commands or file paths that resemble Vidar IOCs.
Filter/Exclusion: Exclude powershell.exe processes whose parent process is explorer.exe or cmd.exe, and filter by command lines containing Get-EventLog or Export-Clixml.

Scenario: Software Update Job Using Chocolatey
Description: A scheduled Chocolatey update job is downloading packages from a known repository, which may have URLs similar to Vidar IOCs.
Filter/Exclusion: Exclude choco.exe processes and filter by URLs containing chocolatey.org or nuget.org.

Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job is performing a backup, which may involve temporary files or scripts that match the IOC pattern.
Filter/Exclusion: Exclude sqlservr.exe or sqlagent.exe processes, and filter by file paths containing Backup or Bak.

Scenario: Log File Rotation Using Logrotate
Description: A log rotation script is renaming or moving log files, which may include file names or paths that match Vidar IOCs.
Filter/Exclusion: Exclude logrotate or rsyslogd processes, and filter by file paths containing log or rotate.