The ThreatFox: Vidar IOCs rule detects potential data exfiltration activity associated with the Vidar malware, which is commonly used to steal credentials and sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that leverage encrypted communication channels for command-and-control operations.
IOC Summary
Malware Family: Vidar
Total IOCs: 6
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://paragonlatam.com/ | payload_delivery | 2026-04-23 | 75% |
| url | hxxps://etfmodelsolutions.com/ | payload_delivery | 2026-04-23 | 75% |
| url | hxxps://arb.flise-mesteren.dk/ | botnet_cc | 2026-04-23 | 100% |
| domain | arb.flise-mesteren.dk | botnet_cc | 2026-04-23 | 100% |
| url | hxxps://arb.ducard.com.br/ | botnet_cc | 2026-04-23 | 100% |
| domain | arb.ducard.com.br | botnet_cc | 2026-04-23 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["arb.flise-mesteren.dk", "arb.ducard.com.br"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://paragonlatam.com/", "https://etfmodelsolutions.com/", "https://arb.flise-mesteren.dk/", "https://arb.ducard.com.br/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
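As an added example (not part of this page or of ThreatFox's own tooling), the Python below refangs the defanged IOCs from the table above into the exact `let` lists the two hunting queries use, and shows how a DNS query name or a clicked URL is matched against them, including the caveat that the domain IOCs are specific hosts and do not cover their parent zones. The IOC list is a constructed copy of the table; the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the page's ThreatFox Vidar IOC table (defanged as published):
# (type, value, threat_type)
THREATFOX_VIDAR_IOCS = [
    ("url", "hxxps://paragonlatam.com/", "payload_delivery"),
    ("url", "hxxps://etfmodelsolutions.com/", "payload_delivery"),
    ("url", "hxxps://arb.flise-mesteren.dk/", "botnet_cc"),
    ("domain", "arb.flise-mesteren.dk", "botnet_cc"),
    ("url", "hxxps://arb.ducard.com.br/", "botnet_cc"),
    ("domain", "arb.ducard.com.br", "botnet_cc"),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values compare against real log data."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_kql_lists(iocs):
    """Emit the two KQL `let` lines for the hunting queries, in table order, deduplicated."""
    domains = list(dict.fromkeys(refang(v) for t, v, _ in iocs if t == "domain"))
    urls = list(dict.fromkeys(refang(v) for t, v, _ in iocs if t == "url"))
    fmt = lambda xs: "dynamic([" + ", ".join(f'"{x}"' for x in xs) + "])"
    return f"let malicious_domains = {fmt(domains)};", f"let malicious_urls = {fmt(urls)};"

def dns_name_matches(query_name: str, iocs):
    """Return the IOC domain if the queried FQDN equals it or is a subdomain of it, else None.
    The parent zone (e.g. the registered domain alone) is NOT matched: the IOC is the exact host."""
    name = query_name.rstrip(".").lower()
    for t, v, _ in iocs:
        if t == "domain":
            d = refang(v).lower()
            if name == d or name.endswith("." + d):
                return d
    return None

def url_matches(url: str, iocs):
    """Return the IOC URL if the clicked URL has the same host and its path starts with the IOC path."""
    u = urlsplit(refang(url))
    for t, v, _ in iocs:
        if t == "url":
            i = urlsplit(refang(v))
            if u.hostname and u.hostname == i.hostname and (u.path or "/").startswith(i.path or "/"):
                return refang(v)
    return None
```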
Scenario: Legitimate Scheduled Job for Data Backup
Description: A scheduled task runs nightly to back up user data to an external storage device, which may include sensitive information.
Filter/Exclusion: Exclude tasks associated with backup tools like Veeam, Commvault, or Veritas NetBackup by checking the task name or command line arguments.
Scenario: Admin Task for System Monitoring
Description: An administrator uses a tool like Splunk or ELK Stack to monitor system logs and send alerts to a centralized SIEM platform.
Filter/Exclusion: Exclude traffic from known monitoring tools by checking the source IP or process name, such as splunkd or logstash.
Scenario: Encrypted Communication Between Internal Services
Description: Internal services like Kubernetes API servers or Vault use encrypted tunnels (e.g., TLS or SSH tunnels) to communicate securely between nodes.
Filter/Exclusion: Exclude traffic between internal hosts with known service names or IPs, and filter by TLS handshake or SSH protocol.
Scenario: Use of Encrypted USB Drives for Compliance
Description: Employees use BitLocker-encrypted USB drives to transfer sensitive data between systems, which may trigger encryption-related detection rules.
Filter/Exclusion: Exclude traffic involving known encryption tools like BitLocker, Veracrypt, or TrueCrypt by checking the process name or file extensions (e.g., .vhd, .venc).
Scenario: Secure Remote Access via SSH Tunnel
Description: IT staff use SSH tunnels (e.g., ssh -L or ssh -R) to securely access internal services from remote locations.
Filter/Exclusion: Exclude SSH traffic with known administrative tools or