The ThreatFox: Vidar IOCs rule flags DNS resolutions and URL visits that match indicators published by abuse.ch ThreatFox for Vidar, an information stealer that is commonly delivered through phishing emails and malicious attachments. The current indicator set contains payload-delivery URLs and botnet command-and-control (C2) domains, so a match points either to the initial download or to a host that is already infected and checking in. SOC teams should hunt for these matches in Microsoft Sentinel (formerly Azure Sentinel) to catch early-stage compromises before browser credentials, session cookies and other sensitive data are stolen.
IOC Summary
Malware Family: Vidar
Total IOCs: 6
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://fearlesshomemaker.com/ | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://dip.fbvendas.com/ | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://dip.adasm188.top/ | botnet_cc | 2026-05-22 | 100% |
| domain | dip.fbvendas.com | botnet_cc | 2026-05-22 | 100% |
| domain | dip.adasm188.top | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://jumpthehurdle.com/ | payload_delivery | 2026-05-22 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any is term-based, so each listed domain also matches its subdomains
// (e.g. "dip.fbvendas.com" matches "x.dip.fbvendas.com")
let malicious_domains = dynamic(["dip.fbvendas.com", "dip.adasm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar (the defanged hxxps:// values are refanged to https:// here)
// UrlClickEvents only records Safe Links clicks from Defender for Office 365;
// direct browser navigation and proxy traffic are not in this table.
// has_any matches the URL's terms regardless of path, so a visit to any page
// on these hosts is returned, not only the root URL.
let malicious_urls = dynamic(["https://fearlesshomemaker.com/", "https://dip.fbvendas.com/", "https://dip.adasm188.top/", "https://jumpthehurdle.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. The table is populated by the Windows DNS Server (DNS Analytics) connector and only contains queries answered by the monitored DNS servers; clients using other resolvers or DNS over HTTPS are not covered. |
| UrlClickEvents | Ensure this data connector is enabled. The table arrives through the Microsoft Defender XDR connector and only contains Safe Links clicks from Defender for Office 365; for direct browser or proxy traffic, hunt in DeviceNetworkEvents (Defender for Endpoint) or CommonSecurityLog (proxy/firewall) instead. |
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled task (schtasks.exe) runs a script that downloads a configuration file from a site that appears in the IOC list. The two payload_delivery entries (fearlesshomemaker.com and jumpthehurdle.com) are listed at 75% confidence and look like ordinary websites, so they may be compromised legitimate sites rather than attacker-owned infrastructure. A hit on either botnet_cc domain, listed at 100% confidence, should never be treated as coincidental.
Filter/Exclusion: After confirming what the job actually downloaded, exclude only that specific (source computer, destination host) pair. A filter on private address ranges (e.g., destination != 10.0.0.0/8) removes nothing here, because every IOC is an external host.
Scenario: Admin Using PowerShell for System Maintenance
Description: An administrator uses PowerShell (powershell.exe) to run a script that connects to a remote server for log collection, and the server's domain or IP is flagged as a Vidar IOC.
Filter/Exclusion: Do not exclude PowerShell, or any other process, on the grounds that the user is an administrator: an admin session beaconing to a Vidar C2 domain is exactly what the rule exists to catch, and stolen admin credentials are the worst possible outcome of an infostealer infection. If the script genuinely needs that server, review the script, then exclude only the specific script host and destination pair, with an expiry date and a ticket reference.
Scenario: Email Security Tool Scanning for Malware
Description: A security tool such as Microsoft Defender for Office 365 or Cisco Secure Email Gateway detonates an attachment or follows a link in a sandbox, and the resulting DNS query or URL visit matches a Vidar IOC.
Filter/Exclusion: Key the exclusion on the source, i.e. the known egress addresses or hostnames of the sandbox and mail-gateway infrastructure, never on the destination. Use the sandbox's actual egress range as the value; a public DNS resolver address such as 4.2.2.1 is not internal security infrastructure and must not be used as the filter.
Scenario: Internal Monitoring Tool Using External API
Description: An internal monitoring tool such as Splunk or Datadog connects to an external API for metrics, and the API endpoint is flagged as a Vidar IOC because it shares an IP or domain with the indicator.
Filter/Exclusion: Exclude the specific monitoring endpoint only when it actually appears in the indicator set (for example through a shared IP). A generic exclusion such as destination != splunkcloud.com filters nothing when that domain is not an indicator, and a whole-vendor allowlist is too broad when it is.
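The following query is an added example, not part of the ThreatFox feed or the original rule. It shows how the scoping advice in the scenarios above looks in practice: every observed hostname is normalised with parse_url, matched exactly against the Vidar indicators together with their confidence, and then filtered through a small table of exclusions that are keyed on a specific source and destination pair and expire automatically. DnsEvents, DeviceNetworkEvents and UrlClickEvents are real Sentinel/Defender tables; the exclusion row (host name SEC-SANDBOX-01, ticket SOC-0000, expiry date) is a constructed placeholder.

```kql
// Added example: tuned Vidar IOC hunt with scoped, expiring exclusions.
// IOC list taken from the ThreatFox table above (defanged hxxps:// values reduced to hosts).
let iocs = datatable(Host:string, ThreatType:string, Confidence:int) [
    "fearlesshomemaker.com", "payload_delivery", 75,
    "dip.fbvendas.com",      "botnet_cc",        100,
    "dip.adasm188.top",      "botnet_cc",        100,
    "jumpthehurdle.com",     "payload_delivery", 75
];
// Scoped exclusions: one specific source, one specific IOC, an owning ticket and an expiry.
// The row below is a constructed placeholder (a sandbox host that detonates attachments).
let exclusions = datatable(SourceHost:string, Host:string, Ticket:string, ExpiresOn:datetime) [
    "SEC-SANDBOX-01", "fearlesshomemaker.com", "SOC-0000", datetime(2026-06-30)
];
let lookback = 7d;
// DNS resolutions: the queried name is already a host.
let dns = DnsEvents
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, SourceHost = Computer, Host = tolower(Name),
              Evidence = strcat("dns:", Name), Account = "";
// Endpoint connections (Defender for Endpoint): RemoteUrl may be a bare host or a full URL,
// so a scheme is prepended when missing to let parse_url extract the host consistently.
let net = DeviceNetworkEvents
    | where Timestamp > ago(lookback) and isnotempty(RemoteUrl)
    | extend Parsed = parse_url(iff(RemoteUrl startswith "http", RemoteUrl, strcat("https://", RemoteUrl)))
    | project TimeGenerated = Timestamp, SourceHost = DeviceName,
              Host = tolower(tostring(Parsed.Host)),
              Evidence = strcat("net:", InitiatingProcessFileName, " -> ", RemoteUrl),
              Account = InitiatingProcessAccountName;
// Safe Links clicks (Defender for Office 365): no endpoint name, but the clicking account.
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | project TimeGenerated = Timestamp, SourceHost = "",
              Host = tolower(tostring(parse_url(Url).Host)),
              Evidence = strcat("click:", Url, " (", ActionType, ")"), Account = AccountUpn;
union dns, net, clicks
| where isnotempty(Host)
// Exact host match against the indicator list, carrying threat type and confidence.
| join kind=inner iocs on Host
// Drop only events covered by an unexpired exclusion for this exact source/destination pair.
| join kind=leftouter (exclusions | where ExpiresOn > now()) on SourceHost, Host
| where isempty(Ticket)
| project TimeGenerated, SourceHost, Account, Host, ThreatType, Confidence, Evidence
| order by Confidence desc, TimeGenerated desc
```

The join on Host is an exact match, which deliberately differs from the term-based has_any in the queries above: a subdomain of a listed host is not matched unless you add it to the iocs table (or replace the join with an endswith comparison). Sorting by confidence puts the 100% botnet_cc matches, which warrant immediate isolation of the source host, ahead of the 75% payload-delivery hits that need a look at what was actually downloaded.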
Scenario: Legitimate Software Update from a Trusted Repository