The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise organizational data integrity and confidentiality.
IOC Summary
Malware Family: Vidar
Total IOCs: 12
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://xtr.awansm188.top/ | botnet_cc | 2026-05-27 | 100% |
| domain | xtr.matriculadores.com | botnet_cc | 2026-05-27 | 100% |
| url | hxxps://xtr.matriculadores.com/ | botnet_cc | 2026-05-27 | 100% |
| domain | xtr.awansm188.top | botnet_cc | 2026-05-27 | 100% |
| domain | booking-reservation-id.com | botnet_cc | 2026-05-27 | 100% |
| domain | photobookadm.pro | botnet_cc | 2026-05-27 | 100% |
| url | hxxps://maxi-vet.ru/ | payload_delivery | 2026-05-27 | 75% |
| domain | tto.awansm188.top | botnet_cc | 2026-05-26 | 100% |
| url | hxxps://tto.awansm188.top/ | botnet_cc | 2026-05-26 | 100% |
| domain | tto.matriculadores.com | botnet_cc | 2026-05-26 | 100% |
| url | hxxps://tto.matriculadores.com/ | botnet_cc | 2026-05-26 | 100% |
| url | hxxps://kdc-zarya.ru/ | payload_delivery | 2026-05-26 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["xtr.matriculadores.com", "xtr.awansm188.top", "booking-reservation-id.com", "photobookadm.pro", "tto.awansm188.top", "tto.matriculadores.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://xtr.awansm188.top/", "https://xtr.matriculadores.com/", "https://maxi-vet.ru/", "https://tto.awansm188.top/", "https://tto.matriculadores.com/", "https://kdc-zarya.ru/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
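The two `dynamic([...])` lists above are hand-copied from the IOC table, with the defanged `hxxps://` prefixes refanged. The following Python script is an added example, not part of this page or of ThreatFox or Sentinel tooling: it rebuilds those lists from the table rows, filters by confidence, and runs the same domain and URL checks over constructed sample DNS and URL-click records so the matching logic can be tested offline. It goes slightly beyond the KQL: URL hostnames are folded into the domain list (a DNS lookup usually precedes the download), domain matching is label-aligned so `cdn.tto.awansm188.top` hits but `notphotobookadm.pro` does not, and URLs are compared after normalisation so case and a missing trailing slash do not cause misses. The log line layout and the user names are constructed assumptions.

```python
"""Build Vidar hunting lists from a ThreatFox-style IOC table and match them against sample logs."""
import re
from urllib.parse import urlparse

# IOC rows copied from the page's table: (type, value, threat_type, first_seen, confidence).
IOCS = [
    ("url", "hxxps://xtr.awansm188.top/", "botnet_cc", "2026-05-27", 100),
    ("domain", "xtr.matriculadores.com", "botnet_cc", "2026-05-27", 100),
    ("url", "hxxps://xtr.matriculadores.com/", "botnet_cc", "2026-05-27", 100),
    ("domain", "xtr.awansm188.top", "botnet_cc", "2026-05-27", 100),
    ("domain", "booking-reservation-id.com", "botnet_cc", "2026-05-27", 100),
    ("domain", "photobookadm.pro", "botnet_cc", "2026-05-27", 100),
    ("url", "hxxps://maxi-vet.ru/", "payload_delivery", "2026-05-27", 75),
    ("domain", "tto.awansm188.top", "botnet_cc", "2026-05-26", 100),
    ("url", "hxxps://tto.awansm188.top/", "botnet_cc", "2026-05-26", 100),
    ("domain", "tto.matriculadores.com", "botnet_cc", "2026-05-26", 100),
    ("url", "hxxps://tto.matriculadores.com/", "botnet_cc", "2026-05-26", 100),
    ("url", "hxxps://kdc-zarya.ru/", "payload_delivery", "2026-05-26", 75),
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so values compare with raw log fields."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, treat an empty path as '/', drop query and fragment."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def build_watchlists(iocs, min_confidence=0):
    """Return (domains, urls): refanged, deduplicated, filtered by confidence.
    Hostnames of URL IOCs are added to the domain list as well."""
    domains, urls = set(), set()
    for ioc_type, value, _threat, _seen, confidence in iocs:
        if confidence < min_confidence:
            continue
        value = refang(value)
        if ioc_type == "domain":
            domains.add(value.lower())
        elif ioc_type == "url":
            urls.add(normalize_url(value))
            domains.add(urlparse(value).hostname.lower())
    return sorted(domains), sorted(urls)


def kql_list(name: str, values) -> str:
    """Render a KQL 'let' statement of the same shape the hunting queries use."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def domain_matches(query_name: str, domains) -> bool:
    """True if the name equals an IOC domain or sits under it on a label boundary."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def url_matches(url: str, urls) -> bool:
    """A root-URL IOC ('https://host/') also covers deeper paths on that host."""
    u = normalize_url(url)
    return any(u.startswith(i) for i in urls)


def hunt_dns(log_lines, domains):
    """Constructed line layout (assumption): '<timestamp> <computer> query <qtype> <name>'."""
    hits = []
    for line in log_lines:
        timestamp, computer, _kw, qtype, name = line.split()
        if domain_matches(name, domains):
            hits.append((timestamp, computer, name, qtype))
    return hits


def hunt_url_clicks(clicks, urls):
    """clicks: iterable of (account_upn, url) tuples (constructed)."""
    return [(upn, url) for upn, url in clicks if url_matches(url, urls)]


# Constructed sample telemetry for a stand-alone run.
SAMPLE_DNS = [
    "2026-05-27T10:01:00Z host01 query A xtr.matriculadores.com",
    "2026-05-27T10:02:00Z host02 query A cdn.tto.awansm188.top",
    "2026-05-27T10:03:00Z host03 query A awansm188.top",
    "2026-05-27T10:04:00Z host04 query A notphotobookadm.pro",
    "2026-05-27T10:05:00Z host05 query A login.microsoftonline.com",
]
SAMPLE_CLICKS = [
    ("user1@example.test", "https://maxi-vet.ru/"),
    ("user2@example.test", "HTTPS://KDC-ZARYA.RU"),
    ("user3@example.test", "https://maxi-vet.ru.example.test/"),
    ("user4@example.test", "https://example.test/booking"),
]

if __name__ == "__main__":
    domains, urls = build_watchlists(IOCS)
    print(kql_list("malicious_domains", domains))
    print(kql_list("malicious_urls", urls))
    for hit in hunt_dns(SAMPLE_DNS, domains):
        print("DNS hit:", hit)
    for hit in hunt_url_clicks(SAMPLE_CLICKS, urls):
        print("URL hit:", hit)
```

Raising `min_confidence` to 100 drops the two `payload_delivery` entries (`maxi-vet.ru`, `kdc-zarya.ru`), which is the usual trade-off when a feed mixes 75% and 100% indicators: fewer false positives at the cost of missing the delivery stage.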
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern due to similar file names or paths.
Filter/Exclusion: Exclude tasks with taskname containing “maintenance” or “sysmaint” and commandline containing schtasks.exe or scheduling.
Scenario: Admin Using PowerShell for Log Collection
Description: An admin uses PowerShell to collect logs, which may include commands or file paths that match Vidar IOC patterns.
Filter/Exclusion: Exclude processes with processname powershell.exe and commandline containing Get-EventLog, Export-CSV, or log in the path.
Scenario: Antivirus Quarantine Scan
Description: A security tool quarantines a file that matches the IOC pattern during a scan, leading to a false positive.
Filter/Exclusion: Exclude processes with processname avast.exe, bitdefender.exe, or avg.exe and commandline containing scan, quarantine, or delete.
Scenario: Backup Job Executing a Script
Description: A backup job runs a script that includes a file or command matching the IOC due to similar naming conventions.
Filter/Exclusion: Exclude processes with processname vssadmin.exe or wbadmin.exe and commandline containing backup, restore, or snapshot.
Scenario: User-Initiated File Transfer via SCP
Description: A user transfers a file using SCP that has a name or path similar to known Vidar IOCs.
Filter/Exclusion: Exclude processes with processname scp.exe or ssh.exe and commandline containing scp, transfer,