The ThreatFox: Vidar IOCs rule matches DNS queries and URL clicks against command-and-control indicators that ThreatFox attributes to Vidar, an information stealer commonly delivered through phishing emails. A host resolving one of these domains, or a user clicking one of these URLs, is a strong signal of an active infection, and Vidar's C2 channel is where stolen credentials and data leave the network. SOC teams should therefore hunt for this activity proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain credential theft and sensitive data leakage early.
IOC Summary
Malware Family: Vidar
Total IOCs: 4
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bigblower.click | botnet_cc | 2026-05-29 | 50% |
| domain | winsm188.top | botnet_cc | 2026-05-29 | 50% |
| domain | xax.depansm188.top | botnet_cc | 2026-05-28 | 100% |
| url | hxxps://xax.depansm188.top/ | botnet_cc | 2026-05-28 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any matches the indicator as whole terms, so queries for subdomains of an
// IOC domain (e.g. cdn.bigblower.click) also match, while lookalikes such as
// notbigblower.click do not.
let malicious_domains = dynamic(["bigblower.click", "winsm188.top", "xax.depansm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The ThreatFox export defangs URLs (hxxps://); the list below is refanged so it
// matches the Url column as recorded by Safe Links.
let malicious_urls = dynamic(["https://xax.depansm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. This table is populated by the DNS connector for Windows DNS servers; the newer AMA-based Windows DNS connector writes to ASimDnsActivityLogs instead, so adjust the table name if that is what you run. |
| UrlClickEvents | Ensure this data connector is enabled. This table comes from Microsoft Defender for Office 365 Safe Links through the Microsoft Defender XDR connector, so it only covers links clicked from email and Teams, not general browsing. |
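As an added worked example (not code from the page or from ThreatFox), the Python below takes the four IOC rows from the table above, refangs the defanged values the way the queries expect (hxxps:// becomes https://), emits the `let … = dynamic([...])` lists the two hunts start with, and runs equivalent matching offline against a few constructed DNS and URL-click records. That offline pass is handy when a connector is not yet enabled and all you have is an exported log. The record layout and the sample records are assumptions made for illustration.

```python
"""Refang ThreatFox IOCs, emit the KQL `let` lists used by the hunt, and
match the IOCs against sample DNS / URL-click records offline.

Added example; not part of the original page or of ThreatFox tooling.
The IOC rows are the four Vidar entries from the page; the log records
below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# IOC rows as (type, value) exactly as the ThreatFox export lists them (defanged).
IOCS = [
    ("domain", "bigblower.click"),
    ("domain", "winsm188.top"),
    ("domain", "xax.depansm188.top"),
    ("url", "hxxps://xax.depansm188.top/"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] or (.) -> '.', [:] -> ':'."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    value = re.sub(r"[\[\(]\.[\]\)]", ".", value)
    value = value.replace("[:]", ":")
    return value.strip().lower()


def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """True if the queried name is the IOC domain or a subdomain of it.
    Matching on a label boundary avoids lookalike hits such as notwinsm188.top,
    which mirrors how KQL has_any treats the indicator as whole terms."""
    q = query_name.rstrip(".").lower()
    return q == ioc_domain or q.endswith("." + ioc_domain)


def url_matches(url: str, ioc_url: str) -> bool:
    """Match on scheme, host and path prefix after lower-casing; query strings
    are ignored so https://host/?id=1 still matches the IOC https://host/."""
    a, b = urlsplit(url.lower()), urlsplit(ioc_url.lower())
    return (a.scheme == b.scheme and a.hostname == b.hostname
            and a.path.startswith(b.path or "/"))


def kql_lists(iocs) -> str:
    """Render the two `let` statements the page's hunts begin with."""
    def fmt(values):
        return ", ".join(f'"{v}"' for v in values)
    domains = [refang(v) for t, v in iocs if t == "domain"]
    urls = [refang(v) for t, v in iocs if t == "url"]
    return (f"let malicious_domains = dynamic([{fmt(domains)}]);\n"
            f"let malicious_urls = dynamic([{fmt(urls)}]);")


def scan(records, iocs):
    """records: dicts with 'kind' ('dns' or 'url'), 'value' and some context.
    Returns a list of (record, matched_ioc) pairs, in record order."""
    hits = []
    for rec in records:
        for ioc_type, raw in iocs:
            ioc = refang(raw)
            if rec["kind"] == "dns" and ioc_type == "domain" and domain_matches(rec["value"], ioc):
                hits.append((rec, ioc))
            elif rec["kind"] == "url" and ioc_type == "url" and url_matches(rec["value"], ioc):
                hits.append((rec, ioc))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_RECORDS = [
    {"kind": "dns", "host": "WS-0142", "value": "xax.depansm188.top"},    # exact IOC domain
    {"kind": "dns", "host": "WS-0142", "value": "cdn.bigblower.click."},  # subdomain, trailing dot
    {"kind": "dns", "host": "WS-0077", "value": "notwinsm188.top"},       # lookalike: must not match
    {"kind": "dns", "host": "WS-0077", "value": "login.microsoftonline.com"},
    {"kind": "url", "user": "a.user@example.com", "value": "HTTPS://xax.depansm188.top/?id=1"},
    {"kind": "url", "user": "b.user@example.com", "value": "http://xax.depansm188.top/"},  # scheme differs
]

if __name__ == "__main__":
    print(kql_lists(IOCS))
    for rec, ioc in scan(SAMPLE_RECORDS, IOCS):
        who = rec.get("host") or rec.get("user")
        print(f"HIT {rec['kind']:3} {who}: {rec['value']} <- {ioc}")
```

On the sample records this reports three hits: the exact domain, the subdomain with a trailing dot, and the https URL with a query string; the lookalike domain and the http variant of the URL are not reported. The URL match is deliberately strict on scheme because the indicator is an https URL; an http request to the same host is still caught by the domain list, which is why the DNS hunt is the one to run first.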
The false-positive scenarios below describe legitimate outbound activity that generic network-hunting rules often flag. None of them would produce queries for the specific Vidar C2 domains listed above, so an exact hit from the two queries should be triaged as a likely true positive. Note also that DnsEvents and UrlClickEvents carry no process name; the ProcessName filters suggested here only apply once the hunt is widened to process-aware telemetry such as DeviceNetworkEvents (InitiatingProcessFileName).
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using PowerShell or Task Scheduler runs a script that communicates with an internal server for log collection or system monitoring.
Filter/Exclusion: Check for ProcessName containing "powershell.exe" or "taskhostw.exe" and filter by internal IP ranges or known internal domains.
Scenario: Admin Access via Remote Desktop (RDP)
Description: An administrator uses Remote Desktop Protocol (RDP) to access a remote server and performs maintenance tasks, which may result in outbound traffic to a remote management server.
Filter/Exclusion: Filter by the source IP of known admin workstations, or check for ProcessName "mstsc.exe" (the RDP client; there is no "rdp.exe" on Windows).
Scenario: Software Update via Microsoft Intune
Description: The Microsoft Intune management extension initiates outbound traffic to Microsoft servers to download and deploy patches or configuration profiles.
Filter/Exclusion: Filter by destination domain such as *.manage.microsoft.com or other *.microsoft.com endpoints, or check for ProcessName "msiexec.exe" or "Microsoft.Management.Services.IntuneWindowsAgent.exe".
Scenario: Data Backup to Cloud Storage
Description: A backup tool such as Veeam or Commvault uploads data to a cloud storage service like AWS S3 or Azure Blob Storage.
Filter/Exclusion: Filter by destination domain (e.g., *.amazonaws.com for S3, *.blob.core.windows.net for Azure Blob Storage) or check for the backup agent's ProcessName (e.g., Veeam.Backup.Service.exe, or the Commvault agent processes).
Scenario: Internal Monitoring Tool Communication
Description: A SIEM tool such as Splunk or ELK Stack sends logs to a