ThreatFox: Vidar IOCs | SOC Hunt Feed

Hunt Hypothesis

The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant data loss or operational disruption.

IOC Summary

Malware Family: Vidar Total IOCs: 87 IOC Types: url, domain

Type	Value	Threat Type	First Seen	Confidence
domain	`ins.aasscc.how`	botnet_cc	2026-04-18	75%
url	`hxxps://ins.aasscc.how/`	botnet_cc	2026-04-18	75%
domain	`ins.cebolinhaburger.com`	botnet_cc	2026-04-18	75%
url	`hxxps://ins.cebolinhaburger.com/`	botnet_cc	2026-04-18	75%
url	`hxxps://mahabeauties.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://spain.savasaachimarketingagency.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://trailblazermotors.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://designdrivendaily.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://housecomfortzone.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://oshti.org/`	payload_delivery	2026-04-18	75%
url	`hxxps://swiftcoverhub.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://stonepromasters.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://app.freeconferencecall.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://homemuseblog.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://housecomfortmadeeasy.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://geosetmining.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://goodfamilyhometips.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://nextgenmotoring.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://objectifdktv.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://carmaintenanceanddiymechanics.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://cozylivingrevamp.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://efficientlivingathome.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://energyefficiencyandsmarthomes.com/`	payload_delivery	2026-04-18	75%
url	`hxxps://610sportsradio.net/`	payload_delivery	2026-04-18	75%
url	`hxxps://allstartsealing.com/`	payload_delivery	2026-04-18	75%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["ins.aasscc.how", "ins.cebolinhaburger.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://ins.aasscc.how/", "https://ins.cebolinhaburger.com/", "https://mahabeauties.com/", "https://spain.savasaachimarketingagency.com/", "https://trailblazermotors.com/", "https://designdrivendaily.com/", "https://housecomfortzone.com/", "https://oshti.org/", "https://swiftcoverhub.com/", "https://stonepromasters.com/", "https://app.freeconferencecall.com/", "https://homemuseblog.com/", "https://housecomfortmadeeasy.com/", "https://geosetmining.com/", "https://goodfamilyhometips.com/", "https://nextgenmotoring.com/", "https://objectifdktv.com/", "https://carmaintenanceanddiymechanics.com/", "https://cozylivingrevamp.com/", "https://efficientlivingathome.com/", "https://energyefficiencyandsmarthomes.com/", "https://610sportsradio.net/", "https://allstartsealing.com/", "https://barbieworldspa.com/", "https://bnbnow.net/", "https://canadianautodetailing.ca/", "https://upgradedhomeflow.com/", "https://yourcompanymanualforretention.com/", "https://yourscalingstrategy.com/", "https://140.82.6.184/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`DnsEvents`	Ensure this data connector is enabled
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — Vidar

False Positive Guidance

Scenario: Legitimate scheduled job for system cleanup using CCleaner
Filter/Exclusion: Exclude processes associated with ccleaner.exe or CCleaner.exe from the detection logic.
Scenario: Administrative task involving PowerShell script for log rotation or backup
Filter/Exclusion: Exclude processes initiated by powershell.exe with command-line arguments containing logrotate, backup, or rotate.
Scenario: Use of Windows Task Scheduler to run a legitimate maintenance script
Filter/Exclusion: Exclude processes launched by the Task Scheduler (schtasks.exe) or with the Task Scheduler service context.
Scenario: Legitimate use of Sysmon (Microsoft Syslog Monitor) for monitoring system activity
Filter/Exclusion: Exclude processes related to sysmon.exe or any known Sysmon tool binaries.
Scenario: Use of Logon Script to deploy software or configure settings on user endpoints
Filter/Exclusion: Exclude processes initiated during user logon with logonscript or userinit.exe context.