The ThreatFox: Vidar IOCs rule hunts for network indicators associated with Vidar, an information stealer that harvests browser credentials, cookies, saved form data and cryptocurrency wallet files and exfiltrates them to attacker-controlled infrastructure. SOC teams should run this hunt proactively in Azure Sentinel: a hit on a botnet_cc indicator means a host is already talking to Vidar command-and-control, while a hit on a payload_delivery indicator points at the initial download stage and should be traced to the process and URL that triggered it.
IOC Summary
Malware Family: Vidar
Total IOCs: 67
IOC Types: url, domain
The table below shows a sample of the indicators; the full domain list is embedded in the DNS hunting query further down. URLs are shown defanged (hxxps) in the table and refanged (https) in the query.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://cyy.turbo88ml.top/ | botnet_cc | 2026-05-23 | 100% |
| domain | cyy.turbo88ml.top | botnet_cc | 2026-05-23 | 100% |
| domain | kalpa-logistics.com | payload_delivery | 2026-05-23 | 100% |
| domain | logisteg.com.br | payload_delivery | 2026-05-23 | 100% |
| domain | meastt.gov.tt | payload_delivery | 2026-05-23 | 100% |
| domain | namathejaljawdah.com | payload_delivery | 2026-05-23 | 100% |
| domain | narquitetos.com | payload_delivery | 2026-05-23 | 100% |
| domain | pinnaclebrit.co.uk | payload_delivery | 2026-05-23 | 100% |
| domain | pizzadoughrollers.ca | payload_delivery | 2026-05-23 | 100% |
| domain | rodrigooliveiracontabil.com.br | payload_delivery | 2026-05-23 | 100% |
| domain | salzhomecare.com | payload_delivery | 2026-05-23 | 100% |
| domain | seingetronic.com | payload_delivery | 2026-05-23 | 100% |
| domain | shimanto-kango.ac.jp | payload_delivery | 2026-05-23 | 100% |
| domain | southcoastflagging.com | payload_delivery | 2026-05-23 | 100% |
| domain | sunscapehills.com | payload_delivery | 2026-05-23 | 100% |
| domain | technocraft.fr | payload_delivery | 2026-05-23 | 100% |
| domain | cookingrt.com | payload_delivery | 2026-05-23 | 100% |
| domain | donmontero.pl | payload_delivery | 2026-05-23 | 100% |
| domain | fabiopischedda.it | payload_delivery | 2026-05-23 | 100% |
| domain | etokrol.lol | payload_delivery | 2026-05-23 | 100% |
| domain | govnol.lat | payload_delivery | 2026-05-23 | 100% |
| domain | myblobtop.site | payload_delivery | 2026-05-23 | 100% |
| domain | rpc-cloud.beer | botnet_cc | 2026-05-23 | 100% |
| domain | rpc-framework-check.cfd | botnet_cc | 2026-05-23 | 100% |
| domain | rpc-framework-check.click | botnet_cc | 2026-05-23 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any is whole-term matching: a lookup for a subdomain of a listed domain
// (www.<listed domain>) matches, a name that merely ends in the same characters
// does not. Name is compared case-insensitively.
let malicious_domains = dynamic(["cyy.turbo88ml.top", "kalpa-logistics.com", "logisteg.com.br", "meastt.gov.tt", "namathejaljawdah.com", "narquitetos.com", "pinnaclebrit.co.uk", "pizzadoughrollers.ca", "rodrigooliveiracontabil.com.br", "salzhomecare.com", "seingetronic.com", "shimanto-kango.ac.jp", "southcoastflagging.com", "sunscapehills.com", "technocraft.fr", "cookingrt.com", "donmontero.pl", "fabiopischedda.it", "etokrol.lol", "govnol.lat", "myblobtop.site", "rpc-cloud.beer", "rpc-framework-check.cfd", "rpc-framework-check.click", "rpc-polygon.beer", "sdn-cloudflare-js-css.cfd", "sdn-cloudflare-js-css.click", "siteamnsserv.beer", "smnsdns.beer", "store-image.sbs", "store-image.shop", "styles-get-img.cfd", "testerlau.lat", "testhostrouter.onthewifi.com", "testsoryy.hopto.org", "vaer-cdn-3.sbs", "vblbs.beer", "vdsinatest.beer", "visual-ns-portal.beer", "winupdate.cfd", "winupdateconf.cfd", "workcdnmass.beer", "lsnsdns.beer", "lstyle-sdn.sbs", "lvlensourgat.sbs", "minecraft65server.3utilities.com", "minecraftserverapigame.xyz", "nascdn-js.click", "nascdn-js.life", "networksolutionson.sbs"]);
DnsEvents
| where Name has_any (malicious_domains)
// Computer is usually the DNS server that logged the query; ClientIP is the host that asked
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The table lists this URL defanged as hxxps://; it is refanged here so it
// compares against live Safe Links telemetry. has_any still matches when the
// clicked URL carries an extra path or query string.
let malicious_urls = dynamic(["https://cyy.turbo88ml.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
// IsClickedThrough tells you whether the user bypassed the Safe Links warning
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
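The two queries above are hand-built from a feed export, which is where most mistakes happen: defanged values that never match, URL indicators that are forgotten in the DNS hunt, and matches that are read as "host is infected" regardless of threat type. The following Python script is an added example, not code from the page or from ThreatFox: it normalises a constructed set of ThreatFox-shaped records (field names `ioc_value`, `ioc_type`, `threat_type`, `confidence_level` follow the ThreatFox export; the values are the ones on this page), folds URL hosts into the domain list, emits the same DnsEvents hunt, and runs equivalent matching over a few constructed DnsEvents rows. The confidence floor and the `exclude_computers` allowlist are assumed tuning knobs, not part of the rule.

```python
"""
Added example (not code from the page or from ThreatFox): normalise a
ThreatFox-style Vidar IOC export, emit the Sentinel DNS hunt from it, and
run the same matching logic offline over a few constructed DnsEvents rows.
"""
from urllib.parse import urlsplit

# Constructed records in the shape of ThreatFox's export fields; the values
# are the ones listed on this page. A real export is defanged (hxxps, [.]).
SAMPLE_IOCS = [
    {"ioc_value": "hxxps://cyy.turbo88ml.top/", "ioc_type": "url",
     "threat_type": "botnet_cc", "confidence_level": 100},
    {"ioc_value": "cyy.turbo88ml.top", "ioc_type": "domain",
     "threat_type": "botnet_cc", "confidence_level": 100},
    {"ioc_value": "kalpa-logistics.com", "ioc_type": "domain",
     "threat_type": "payload_delivery", "confidence_level": 100},
    {"ioc_value": "meastt[.]gov[.]tt", "ioc_type": "domain",
     "threat_type": "payload_delivery", "confidence_level": 100},
    {"ioc_value": "rpc-framework-check.cfd", "ioc_type": "domain",
     "threat_type": "botnet_cc", "confidence_level": 100},
]

# Constructed DnsEvents rows (only the columns the hunt projects).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-23T10:01:00Z", "Computer": "WS01",
     "Name": "cyy.turbo88ml.top", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:02:00Z", "Computer": "WS02",
     "Name": "www.meastt.gov.tt", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:03:00Z", "Computer": "WS03",
     "Name": "notmeastt.gov.tt", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:04:00Z", "Computer": "WS04",
     "Name": "update.microsoft.com", "QueryType": "AAAA"},
]


def refang(value):
    """Undo ThreatFox defanging so values compare against live telemetry."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def split_iocs(records, min_confidence=75):
    """Return (sorted domains, sorted urls, threat_type by domain).

    URL hosts are folded into the domain set so a C2 URL also drives the
    DNS hunt. The confidence floor is an assumed tuning knob."""
    domains, urls, threat = set(), set(), {}
    for r in records:
        if r["confidence_level"] < min_confidence:
            continue
        v = refang(r["ioc_value"]).lower()
        if r["ioc_type"] == "domain":
            domains.add(v)
            threat[v] = r["threat_type"]
        elif r["ioc_type"] == "url":
            urls.add(v)
            host = urlsplit(v).hostname
            if host:
                domains.add(host)
                threat.setdefault(host, r["threat_type"])
    return sorted(domains), sorted(urls), threat


def kql_dynamic(values):
    """Render a Python list as a KQL dynamic([...]) literal."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return "dynamic([" + quoted + "])"


def build_dns_query(domains):
    """Emit the DnsEvents hunt from the page with the normalised list."""
    return (
        f"let malicious_domains = {kql_dynamic(domains)};\n"
        "DnsEvents\n"
        "| where Name has_any (malicious_domains)\n"
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
        "| order by TimeGenerated desc"
    )


def domain_matches(query_name, domains):
    """Exact or subdomain match, as KQL has_any behaves on a dotted name:
    'www.meastt.gov.tt' matches 'meastt.gov.tt'; 'notmeastt.gov.tt' does not."""
    q = query_name.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def hunt_dns(events, records, exclude_computers=()):
    """Run the hunt offline. exclude_computers is an assumed allowlist for
    analyst or sandbox hosts that resolve IOCs on purpose."""
    domains, _, threat = split_iocs(records)
    hits = []
    for e in events:
        if e["Computer"] in exclude_computers:
            continue
        ioc = domain_matches(e["Name"], domains)
        if ioc is None:
            continue
        # A botnet_cc hit means the host is talking to Vidar infrastructure; a
        # payload_delivery hit often lands on a compromised legitimate site, so
        # triage it against the requested URL path before escalating.
        hits.append({"Computer": e["Computer"], "Name": e["Name"], "IOC": ioc,
                     "ThreatType": threat[ioc],
                     "Priority": "high" if threat[ioc] == "botnet_cc" else "medium"})
    return hits


if __name__ == "__main__":
    doms, _urls, _threat = split_iocs(SAMPLE_IOCS)
    print(build_dns_query(doms))
    for hit in hunt_dns(SAMPLE_DNS_EVENTS, SAMPLE_IOCS):
        print(hit)
```

Running it prints the generated hunt followed by two hits: WS01 (botnet_cc, high) and WS02 (payload_delivery on a subdomain of a listed domain, medium). WS03 does not match because the indicator is only a suffix of the queried name, which is also how `has_any` treats it in KQL. In production the list would come from the ThreatFox export or a Sentinel watchlist rather than being pasted into the query.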
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS data connector (DNS Analytics via the Log Analytics agent on Windows DNS servers); ensure it is enabled |
| UrlClickEvents | Populated by the Microsoft 365 Defender connector (Defender for Office 365 Safe Links click telemetry); ensure it is enabled |
False Positive Tuning
These queries match on DNS names and clicked URLs, so tuning is about who resolved or clicked an indicator and why, not about process command lines.
Scenario: Security analysts, threat-intel enrichment tools or detonation sandboxes resolving IOC domains during an investigation
Filter/Exclusion: Exclude known analyst workstations and sandbox hosts by Computer or ClientIP, or route their hits to a separate low-priority view instead of dropping them.
Scenario: Web proxy, secure email gateway or Safe Links pre-fetching and categorizing a URL without any user click
Filter/Exclusion: Correlate the DNS hit with UrlClickEvents; a lookup with no matching click and no follow-on connection from an endpoint is lower priority than a click with IsClickedThrough set.
Scenario: payload_delivery domains that are compromised legitimate websites (several entries in the list are ordinary business, school and government domains) visited for legitimate reasons
Filter/Exclusion: Do not exclude the domain. Escalate on the specific malicious path or a follow-on download of an executable or archive from it, and treat a plain visit to the site's front page as a lead to verify rather than a confirmed infection.
Scenario: Internal DNS servers or forwarders appearing as Computer for every client lookup
Filter/Exclusion: Do not exclude the server. Pivot on ClientIP in DnsEvents to identify the host that issued the query, and enrich with endpoint telemetry from that host.
Scenario: Indicators that have been sinkholed, parked or re-registered since they were first seen
Filter/Exclusion: Re-validate old indicators against the current ThreatFox entry before acting on a hit, and retire them from the list once they no longer resolve to attacker infrastructure.