The ThreatFox: Vidar IOCs rule detects potential command and control communications associated with the Vidar malware, leveraging known indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises by threat actors using Vidar in their campaigns.
IOC Summary
Malware Family: Vidar
Total IOCs: 4
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gro.smtpdenz.my.id | botnet_cc | 2026-05-05 | 100% |
| url | hxxps://gro.smtpdenz.my.id/ | botnet_cc | 2026-05-05 | 100% |
| domain | gro.sleepinggiantmedia.co.uk | botnet_cc | 2026-05-05 | 100% |
| url | hxxps://gro.sleepinggiantmedia.co.uk/ | botnet_cc | 2026-05-05 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["gro.smtpdenz.my.id", "gro.sleepinggiantmedia.co.uk"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://gro.smtpdenz.my.id/", "https://gro.sleepinggiantmedia.co.uk/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
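The same hunt outside Sentinel, as an added example that is not the ThreatFox page's or the rule's own code: it refangs the defanged IOC list above, collapses domain and URL indicators into one hostname watchlist, and matches it against constructed DnsEvents- and UrlClickEvents-shaped records, treating subdomains of an IOC as hits but neither the IOC's parent domain nor an IOC that only appears in a URL's query string.

```python
from urllib.parse import urlsplit

# IOCs exactly as listed on the page (defanged with hxxps); added example, not the page's own code.
THREATFOX_IOCS = [
    ("domain", "gro.smtpdenz.my.id"),
    ("url", "hxxps://gro.smtpdenz.my.id/"),
    ("domain", "gro.sleepinggiantmedia.co.uk"),
    ("url", "hxxps://gro.sleepinggiantmedia.co.uk/"),
]

def refang(value):
    """Undo common defanging (hxxp, [.], [:]) so values are comparable to telemetry."""
    v = value.strip().lower().replace("hxxp", "http")
    return v.replace("[.]", ".").replace("[:]", ":")

def build_watchlist(iocs):
    """Collapse domain and URL IOCs into one set of hostnames to watch."""
    hosts = set()
    for ioc_type, value in iocs:
        value = refang(value)
        if ioc_type == "url":
            value = urlsplit(value).hostname or ""
        if value:
            hosts.add(value)
    return hosts

def host_matches(host, watchlist):
    """Exact or subdomain match; the parent domain of an IOC does not match."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)

def hunt(dns_events, url_events, watchlist):
    """Return (source, principal, value) tuples for records hitting the watchlist."""
    hits = [("dns", e["Computer"], e["Name"]) for e in dns_events
            if host_matches(e["Name"], watchlist)]
    # Match on the URL's host only, so an IOC that merely appears in a query string is not a hit.
    hits += [("url", e["AccountUpn"], e["Url"]) for e in url_events
             if host_matches(urlsplit(e["Url"].lower()).hostname or "", watchlist)]
    return hits

# Constructed sample rows shaped like DnsEvents / UrlClickEvents (not real telemetry).
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "gro.smtpdenz.my.id"},
    {"Computer": "ws02", "Name": "cdn.gro.sleepinggiantmedia.co.uk"},  # subdomain: hit
    {"Computer": "ws03", "Name": "sleepinggiantmedia.co.uk"},          # parent domain: no hit
]
SAMPLE_URLS = [
    {"AccountUpn": "a@example.com", "Url": "https://gro.smtpdenz.my.id/"},
    {"AccountUpn": "b@example.com", "Url": "https://example.com/?ref=gro.smtpdenz.my.id"},
]
```

Run `hunt(SAMPLE_DNS, SAMPLE_URLS, build_watchlist(THREATFOX_IOCS))` to get the three hits (ws01, ws02 and a@example.com); the KQL `has_any` phrase match above behaves the same way on the DNS names, so the ws03 query does not fire there either.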
Scenario: Scheduled System Backup Using VSS (Volume Shadow Copy Service)
Description: A legitimate scheduled backup task using Windows Volume Shadow Copy Service (VSS) may trigger the rule if the backup tool is flagged as similar to Vidar.
Filter/Exclusion: Exclude processes related to vssadmin or wbadmin, or filter by process name vssvc.exe.
Scenario: Admin Task Using PowerShell for Log Management
Description: A system administrator may use PowerShell scripts to collect and manage logs, which could resemble malicious activity if the script name or command line matches Vidar IOCs.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes log management tools like Get-EventLog or Export-EventLog.
Scenario: Legitimate Use of AWS CLI for Cloud Infrastructure Management
Description: An administrator using the AWS CLI to manage EC2 instances or S3 buckets may trigger the rule if the CLI commands are similar to those used by Vidar.
Filter/Exclusion: Exclude processes with aws in the command line that are associated with known AWS management tasks (e.g., aws ec2 describe-instances).
Scenario: Use of Microsoft Sysinternals Tools for Troubleshooting
Description: Tools like Process Explorer or Procmon from Microsoft Sysinternals may be flagged if their file paths or behaviors are similar to Vidar IOCs.
Filter/Exclusion: Exclude processes from the C:\Windows\System32\sysnative or C:\Windows\SysWOW64 directories, or filter by known Sysinternals tool names.
Scenario: Legitimate Use of Docker for Containerized Applications
Description: A developer running Docker containers for application deployment may trigger the rule if Docker-related processes or files