The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators to identify compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing persistence within the network.
IOC Summary
Malware Family: Vidar
Total IOCs: 14
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://dev.esteghlal.news/ | botnet_cc | 2026-06-24 | 75% |
| domain | dev.esteghlal.news | botnet_cc | 2026-06-24 | 75% |
| url | hxxps://dev.holidaysm188.top/ | botnet_cc | 2026-06-24 | 75% |
| domain | dev.holidaysm188.top | botnet_cc | 2026-06-24 | 75% |
| domain | barmaleieba.lol | botnet_cc | 2026-06-24 | 100% |
| domain | cdn-speed.beer | botnet_cc | 2026-06-24 | 100% |
| domain | merkantalolol.asia | botnet_cc | 2026-06-24 | 100% |
| domain | code.verification-claude-cdn.beer | botnet_cc | 2026-06-24 | 100% |
| domain | superboomer.world | botnet_cc | 2026-06-24 | 100% |
| domain | globalchrome.com | botnet_cc | 2026-06-24 | 100% |
| domain | lib.esteghlal.news | botnet_cc | 2026-06-24 | 100% |
| url | hxxps://lib.esteghlal.news/ | botnet_cc | 2026-06-24 | 100% |
| domain | lib.holidaysm188.top | botnet_cc | 2026-06-24 | 100% |
| url | hxxps://lib.holidaysm188.top/ | botnet_cc | 2026-06-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// Domain-type rows of the IOC table above; the url-type rows are covered here by their host names
let malicious_domains = dynamic(["dev.esteghlal.news", "dev.holidaysm188.top", "barmaleieba.lol", "cdn-speed.beer", "merkantalolol.asia", "code.verification-claude-cdn.beer", "superboomer.world", "globalchrome.com", "lib.esteghlal.news", "lib.holidaysm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The url-type rows of the IOC table above, refanged (hxxps:// -> https://)
let malicious_urls = dynamic(["https://dev.esteghlal.news/", "https://dev.holidaysm188.top/", "https://lib.esteghlal.news/", "https://lib.holidaysm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
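As an added example (not part of the ThreatFox feed or of the Sentinel rule above), the script below turns rows of an IOC table in the layout shown above into the two `let` lists the queries use: it refangs `hxxps` values, takes the host out of url-type rows so the DNS list covers them as well, drops the resulting duplicates, and can filter on the Confidence column. The embedded table is a constructed subset of the rows above, and the list names `malicious_domains` and `malicious_urls` are assumed to match the queries.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the IOC table above, in the same markdown layout.
IOC_TABLE = """
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://dev.esteghlal.news/ | botnet_cc | 2026-06-24 | 75% |
| domain | dev.esteghlal.news | botnet_cc | 2026-06-24 | 75% |
| domain | cdn-speed.beer | botnet_cc | 2026-06-24 | 100% |
| url | hxxps://lib.holidaysm188.top/ | botnet_cc | 2026-06-24 | 100% |
"""

def refang(value: str) -> str:
    """Undo the defanging conventions used in shared IOC lists (hxxp://, [.], [:])."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_ioc_table(table: str, min_confidence: int = 0):
    """Yield (type, refanged value, confidence) per data row; skips header, |---| and short rows."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0].lower() == "type" or set(cells[0]) <= {"-"}:
            continue
        ioc_type, value, _threat_type, _first_seen, conf = cells
        confidence = int(conf.rstrip("%"))
        if confidence >= min_confidence:
            yield ioc_type.lower(), refang(value), confidence

def build_lists(table: str, min_confidence: int = 0):
    """Return (domains, urls) for the two KQL lists; hosts of url rows also go into domains."""
    domains, urls = [], []
    for ioc_type, value, _ in parse_ioc_table(table, min_confidence):
        if ioc_type == "domain":
            domains.append(value)
        elif ioc_type == "url":
            urls.append(value)
            domains.append(urlparse(value).hostname)  # a DNS lookup precedes any URL fetch
    # dict.fromkeys keeps first-seen order while dropping the url/domain duplicates
    return list(dict.fromkeys(domains)), list(dict.fromkeys(urls))

def kql_dynamic(name: str, items) -> str:
    """Render a KQL `let` statement holding a dynamic array, ready to paste into Sentinel."""
    quoted = ", ".join('"' + item.replace('"', '\\"') + '"' for item in items)
    return f"let {name} = dynamic([{quoted}]);"

if __name__ == "__main__":
    domains, urls = build_lists(IOC_TABLE, min_confidence=100)
    print(kql_dynamic("malicious_domains", domains), kql_dynamic("malicious_urls", urls), sep="\n")
```

Raising `min_confidence` to 100 drops the two 75% rows, which is a quick way to keep the noisier indicators out of the DNS query until they are corroborated.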
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to perform a scheduled system cleanup task that inadvertently matches a Vidar IOC due to a similar command structure.
Filter/Exclusion: Exclude processes initiated by Task Scheduler (schtasks.exe) or running in the “System” or “LocalSystem” user context.
Scenario: A Windows Task Scheduler job is configured to run PsExec to remotely execute a legitimate maintenance script, which contains a string matching a Vidar IOC.
Filter/Exclusion: Exclude processes launched by Task Scheduler (schtasks.exe) or those whose executable path is PsExec.
Scenario: A Windows Event Log collection tool like LogParser or PowerShell script is parsing logs and includes a log entry that contains a Vidar IOC due to a similar string.
Filter/Exclusion: Exclude processes associated with LogParser, PowerShell scripts running as part of log analysis tasks, or processes with “EventLog” or “LogParser” in the command line.
Scenario: A Microsoft Endpoint Protection (EPP) or Microsoft Defender scan is generating alerts due to a false positive match of a Vidar IOC in a legitimate file, such as a .ps1 script used for configuration management.
Filter/Exclusion: Exclude processes belonging to Microsoft Defender or Windows Defender (MsMpEng.exe), or files with known legitimate script extensions such as .ps1 or .bat that are used in enterprise environments.
Scenario: A SQL Server Agent Job is running a stored procedure that includes a string matching a Vidar IOC, such as a query that contains a similar string to a malicious payload.
Filter/Exclusion: Exclude processes initiated by SQL Server Agent