The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or operational disruption.
IOC Summary

| Malware Family | Total IOCs | IOC Types |
|---|---|---|
| Vidar | 33 | ip:port, domain, url |
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 135[.]181[.]224[.]79:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 65[.]21[.]96[.]131:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 135[.]181[.]224[.]77:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 135[.]181[.]224[.]75:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 178[.]105[.]231[.]90:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 135[.]181[.]224[.]73:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 135[.]181[.]224[.]76:443 | botnet_cc | 2026-06-08 | 50% |
| ip:port | 135[.]181[.]224[.]74:443 | botnet_cc | 2026-06-08 | 50% |
| domain | reg.turbo88op.top | botnet_cc | 2026-06-08 | 100% |
| domain | lla.firesupport.com | botnet_cc | 2026-06-08 | 100% |
| domain | fhe.firesupport.com | botnet_cc | 2026-06-08 | 100% |
| domain | pas.firesupport.com | botnet_cc | 2026-06-08 | 100% |
| domain | lla.fixsm188.top | botnet_cc | 2026-06-08 | 100% |
| domain | fhe.fixsm188.top | botnet_cc | 2026-06-08 | 100% |
| domain | pas.fixsm188.top | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]73/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]76/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]74/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://pas.fixsm188.top/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]79/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://65[.]21[.]96[.]131/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]77/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://135[.]181[.]224[.]75/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://178[.]105[.]231[.]90/ | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://telegram.me/d77xtr | botnet_cc | 2026-06-08 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["135.181.224.73", "135.181.224.79", "135.181.224.75", "135.181.224.77", "178.105.231.90", "65.21.96.131", "135.181.224.74", "135.181.224.76"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["135.181.224.73", "135.181.224.79", "135.181.224.75", "135.181.224.77", "178.105.231.90", "65.21.96.131", "135.181.224.74", "135.181.224.76"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["reg.turbo88op.top", "lla.firesupport.com", "fhe.firesupport.com", "pas.firesupport.com", "lla.fixsm188.top", "fhe.fixsm188.top", "pas.fixsm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://135.181.224.73/", "https://135.181.224.76/", "https://135.181.224.74/", "https://pas.fixsm188.top/", "https://135.181.224.79/", "https://65.21.96.131/", "https://135.181.224.77/", "https://135.181.224.75/", "https://178.105.231.90/", "https://telegram.me/d77xtr", "https://reg.turbo88op.top/", "https://lla.firesupport.com/", "https://fhe.firesupport.com/", "https://pas.firesupport.com/", "https://lla.fixsm188.top/", "https://fhe.fixsm188.top/", "https://steamcommunity.com/profiles/76561198694566254", "https://propertymiles.pk/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
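The IOC table above is defanged (`[.]`, `hxxps://`) while the hunting queries need the refanged values, and the four `let` lists were evidently rebuilt by hand. The following Python is an added example, not part of the original page or of ThreatFox's tooling: it refangs a handful of the table's rows (copied here as constructed input), emits the `let ... = dynamic([...]);` statements the queries consume, and runs the same four matches offline over constructed log records so the logic can be checked before it is pasted into Sentinel. The record layout and the `table` key are assumptions of this example, not Sentinel schema.

```python
"""Refang ThreatFox-style IOCs, emit KQL lists, and dry-run the hunts offline.

Added example; IOC values are copied from the table above as constructed input.
"""
import re
from urllib.parse import urlsplit

# Constructed input: a subset of rows from the IOC table, still defanged.
IOC_ROWS = [
    ("ip:port", "135[.]181[.]224[.]79:443"),
    ("ip:port", "65[.]21[.]96[.]131:443"),
    ("domain", "reg.turbo88op.top"),
    ("domain", "pas.fixsm188.top"),
    ("url", "hxxps://135[.]181[.]224[.]73/"),
    ("url", "hxxps://pas.fixsm188.top/"),
    ("url", "hxxps://telegram.me/d77xtr"),
]

# Constructed log records; the "table" key is an assumption of this example.
SAMPLE_RECORDS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "135.181.224.79"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.6", "DestinationIP": "8.8.8.8"},
    {"table": "DeviceNetworkEvents", "RemoteIP": "65.21.96.131", "RemotePort": 443},
    {"table": "DnsEvents", "Name": "cdn.pas.fixsm188.top"},   # subdomain of a listed domain
    {"table": "DnsEvents", "Name": "example.com"},
    {"table": "UrlClickEvents", "Url": "https://telegram.me/d77xtr?start=1"},
    {"table": "UrlClickEvents", "Url": "https://learn.microsoft.com/"},
]


def refang(value: str) -> str:
    """Undo common defanging: [.] / (.) -> . and hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def split_iocs(rows):
    """Return (ips, domains, urls), refanged and deduplicated, table order kept.
    The port is stripped from ip:port because the queries compare bare IPs."""
    ips, domains, urls = [], [], []
    for ioc_type, raw in rows:
        val = refang(raw)
        if ioc_type == "ip:port":
            val = val.rsplit(":", 1)[0]
            target = ips
        elif ioc_type == "domain":
            target = domains
        elif ioc_type == "url":
            target = urls
        else:
            continue  # unknown type: leave it out rather than guess a column
        if val not in target:
            target.append(val)
    return ips, domains, urls


def kql_let(name: str, values) -> str:
    """Render a KQL let statement with a dynamic string array."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def match_records(records, ips, domains, urls):
    """Offline equivalent of the four hunts; returns (table, matched value) pairs.
    DNS matches the domain or any subdomain; URL matches on a normalized prefix."""
    ipset = set(ips)
    domset = [d.lower() for d in domains]
    urlprefixes = [u.lower() for u in urls]
    hits = []
    for r in records:
        t = r["table"]
        if t == "CommonSecurityLog":
            for ip in (r.get("DestinationIP"), r.get("SourceIP")):
                if ip in ipset:
                    hits.append((t, ip))
                    break
        elif t == "DeviceNetworkEvents" and r.get("RemoteIP") in ipset:
            hits.append((t, r["RemoteIP"]))
        elif t == "DnsEvents":
            name = r.get("Name", "").lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in domset):
                hits.append((t, r["Name"]))
        elif t == "UrlClickEvents":
            url = r.get("Url", "").lower()
            if urlsplit(url).scheme in ("http", "https") and any(url.startswith(p) for p in urlprefixes):
                hits.append((t, r["Url"]))
    return hits


if __name__ == "__main__":
    ips, domains, urls = split_iocs(IOC_ROWS)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
    print(kql_let("malicious_urls", urls))
    for hit in match_records(SAMPLE_RECORDS, ips, domains, urls):
        print("HIT", *hit)
```

Run it once against the full table before pasting the generated `let` lines into the queries; the offline match also shows the behaviour that matters for tuning: a query for `cdn.pas.fixsm188.top` still fires because the DNS check covers subdomains, and a click on the Telegram URL with a query string still fires because the URL check is a prefix match rather than an exact one.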
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task running schtasks.exe to perform system maintenance or updates. | Exclude processes initiated by schtasks.exe with a command line containing /create or /run and associated with known maintenance scripts. |
| Admin Performing Log Collection via PowerShell | An administrator is using PowerShell to collect logs using Get-EventLog or Get-WinEvent for compliance or troubleshooting. | Exclude processes with powershell.exe where the command line includes Get-EventLog, Get-WinEvent, or Export-EventLog. |
| Antivirus Scan Using ClamAV | A scheduled antivirus scan using ClamAV is scanning the system for malware. | Exclude processes with clamscan or freshclam in the command line, especially during known scan windows. |
| Database Backup Job Using SQL Server Agent | A SQL Server Agent job is running a backup script that involves executing stored procedures or scripts. | Exclude processes with sqlagent.exe or sqlcmd.exe that are associated with known backup jobs or scripts. |
| Software Update Deployment via SCCM | A System Center Configuration Manager (SCCM) task is deploying software updates, which may involve executing scripts or binaries. | Exclude processes initiated by ccmexec.exe or smsts.exe that are part of a known SCCM update deployment. |