This detection identifies potential Vidar activity through indicators published on ThreatFox. Vidar is an information-stealing malware family, so a host that resolves or contacts its command-and-control (C2) infrastructure should be treated as compromised and triaged for credential and data theft rather than as a low-priority alert. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) and contain affected hosts before data leaves the environment.
IOC Summary
Malware Family: Vidar
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://prd.sm188login.icu/ | botnet_cc | 2026-06-19 | 100% |
| domain | prd.sm188login.icu | botnet_cc | 2026-06-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any performs a term-phrase match, so subdomains of the listed domain match too.
let lookback = 30d;
let malicious_domains = dynamic(["prd.sm188login.icu"]);
DnsEvents
| where TimeGenerated > ago(lookback)
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// Note: UrlClickEvents only records Safe Links clicks from email, Teams and Office
// documents; C2 beaconing by the malware itself will not appear here.
// The ThreatFox value is defanged (hxxps); it is refanged below so it matches log data.
let lookback = 30d;
let malicious_urls = dynamic(["https://prd.sm188login.icu/"]);
UrlClickEvents
| where Timestamp > ago(lookback)
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Events connector; ensure it is enabled on the internal DNS servers, otherwise client resolution attempts are never recorded. |
| UrlClickEvents | Populated by Microsoft Defender for Office 365 through the Microsoft 365 Defender connector; it records Safe Links click events only, not general web traffic or malware beaconing. |
The queries above match only on DNS names and URLs. Process-based exclusions for Windows Update, backup agents, log collectors or antivirus engines do not apply: none of those products resolve or fetch the listed C2 domain in normal operation, and the matched fields carry no process information to filter on. (Event IDs 6006 and 6008, sometimes cited for Windows Update, are the System log's "event log service stopped" and "unexpected shutdown" events and are unrelated.) The false positives that do occur with indicator matching are the following.

Scenario: Security analysis hosts (malware sandboxes, threat-intelligence enrichment platforms, analyst VMs) deliberately resolving or fetching the indicator.
Filter/Exclusion: Exclude by host identity (Computer or ClientIP in DnsEvents, DeviceName in endpoint telemetry) using a maintained list of analysis hosts. Never exclude by the indicator itself, since that silences the detection for every host.

Scenario: DNS security controls (sinkhole, RPZ, protective DNS) answering the query with a sinkhole address.
Filter/Exclusion: Do not exclude. The event still proves a client attempted to resolve C2 infrastructure; treat an answer in the sinkhole range as "blocked" and triage the client, because the implant is running even though the connection did not succeed.

Scenario: Safe Links blocking the click recorded in UrlClickEvents.
Filter/Exclusion: Use ActionType and IsClickedThrough to separate blocked clicks from clicks that reached the URL. A blocked click still identifies a targeted user and the delivery channel, so follow up on the originating message rather than discarding the event.

Scenario: Stale indicator: the domain expires or is re-registered by an unrelated party after the First Seen date.
Filter/Exclusion: Age out indicators on a schedule and re-check the current ThreatFox status before escalating matches that are long after the First Seen date.