The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators to identify compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage Vidar for data exfiltration and persistence.
IOC Summary

- Malware Family: Vidar
- Total IOCs: 6
- IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sup.gasturbo88.top/ | botnet_cc | 2026-06-11 | 75% |
| domain | sup.gasturbo88.top | botnet_cc | 2026-06-11 | 75% |
| url | hxxps://bat.glamisdunesrentals.com/ | botnet_cc | 2026-06-10 | 75% |
| domain | bat.glamisdunesrentals.com | botnet_cc | 2026-06-10 | 75% |
| url | hxxps://bat.gagahsm188.top/ | botnet_cc | 2026-06-10 | 75% |
| domain | bat.gagahsm188.top | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["sup.gasturbo88.top", "bat.glamisdunesrentals.com", "bat.gagahsm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://sup.gasturbo88.top/", "https://bat.glamisdunesrentals.com/", "https://bat.gagahsm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
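The two queries above hard-code refanged copies of the IOC table. As an added example (not part of the original rule page), the Python below turns the defanged ThreatFox rows into the `let` lists the queries use and then applies the same matching intent to a few constructed DnsEvents-style and UrlClickEvents-style records. The `domain_matches` check treats a query name as a hit when it equals an IOC domain or is a subdomain of one, case-insensitively and ignoring a trailing FQDN dot; that is the intent of `has_any` here, not a replica of Kusto's term-based matching. The sample records, the `refang`, `split_iocs`, `kql_list` and `hunt` names, and the host-based URL check are all assumptions of this example.

```python
"""Build Sentinel IOC lists from defanged ThreatFox rows and test sample
records against them. Added example, not code from the original rule page.
"""
import re
from urllib.parse import urlsplit

# IOC rows copied from the table on the page, still defanged (hxxps).
IOC_ROWS = [
    ("url", "hxxps://sup.gasturbo88.top/"),
    ("domain", "sup.gasturbo88.top"),
    ("url", "hxxps://bat.glamisdunesrentals.com/"),
    ("domain", "bat.glamisdunesrentals.com"),
    ("url", "hxxps://bat.gagahsm188.top/"),
    ("domain", "bat.gagahsm188.top"),
]


def refang(value: str) -> str:
    """Reverse common defanging: hxxp(s):// -> http(s)://, [.] -> . and [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def split_iocs(rows):
    """Return (domains, urls): refanged, lower-cased, de-duplicated, feed order kept."""
    domains, urls = [], []
    for ioc_type, value in rows:
        clean = refang(value).lower()
        target = domains if ioc_type == "domain" else urls
        if clean not in target:
            target.append(clean)
    return domains, urls


def kql_list(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array of strings."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def domain_matches(query_name: str, domains) -> bool:
    """Hit if the DNS name is an IOC domain or a subdomain of one
    (case-insensitive; a trailing dot from FQDN form is ignored)."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url: str, urls, domains) -> bool:
    """Hit on an exact IOC URL, or on any URL whose host is an IOC domain
    (assumption of this example: catches paths the feed did not list)."""
    host = (urlsplit(url).hostname or "").lower()
    return url.lower() in urls or domain_matches(host, domains)


def hunt(dns_events, click_events, rows=IOC_ROWS):
    """Return (dns_hits, click_hits): the records the two queries would surface."""
    domains, urls = split_iocs(rows)
    dns_hits = [e for e in dns_events if domain_matches(e["Name"], domains)]
    click_hits = [e for e in click_events if url_matches(e["Url"], urls, domains)]
    return dns_hits, click_hits


# Constructed sample records shaped like DnsEvents / UrlClickEvents rows.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-11T09:14:02Z", "Computer": "WS-0142", "Name": "SUP.gasturbo88.top."},
    {"TimeGenerated": "2026-06-11T09:14:05Z", "Computer": "WS-0142", "Name": "cdn.example.net"},
    {"TimeGenerated": "2026-06-11T09:15:40Z", "Computer": "WS-0207", "Name": "update.bat.gagahsm188.top"},
]
SAMPLE_CLICKS = [
    {"Timestamp": "2026-06-10T16:02:11Z", "AccountUpn": "jdoe@example.com", "Url": "https://bat.glamisdunesrentals.com/"},
    {"Timestamp": "2026-06-10T16:03:50Z", "AccountUpn": "jdoe@example.com", "Url": "https://bat.glamisdunesrentals.com/login?x=1"},
    {"Timestamp": "2026-06-10T16:05:00Z", "AccountUpn": "asmith@example.com", "Url": "https://docs.example.com/"},
]

if __name__ == "__main__":
    domains, urls = split_iocs(IOC_ROWS)
    print(kql_list("malicious_domains", domains))
    print(kql_list("malicious_urls", urls))
    dns_hits, click_hits = hunt(SAMPLE_DNS, SAMPLE_CLICKS)
    for e in dns_hits:
        print("DNS hit:", e["Computer"], e["Name"])
    for e in click_hits:
        print("URL hit:", e["AccountUpn"], e["Url"])
```

Run as a script it prints the two `let` statements (the domain one is identical to the line in the first query above) followed by the matching records. The second sample click, which carries a path the feed never listed, is only caught because the host is checked against the domain list; when the feed is refreshed, regenerating the lists from the rows rather than hand-editing the queries avoids stale or defanged values slipping into production rules.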
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Job | A legitimate scheduled task runs a script that matches the IOC pattern due to similar file names or paths. | Exclude files with the taskname field containing “SystemMaintenance” or “ScheduledTask”. |
| Admin Using PowerShell for Log Analysis | An admin uses PowerShell to analyze logs, and the command line matches a Vidar IOC due to similar syntax. | Exclude processes with processname equal to “powershell.exe” and user field matching admin accounts (e.g., “Administrator”). |
| Regular File Integrity Monitoring (FIM) Check | A FIM tool like Tripwire or Microsoft Advanced Threat Analytics (ATA) checks file hashes, which may match Vidar IOC hashes. | Exclude events where the file_hash field is associated with known FIM tools or enterprise hash databases. |
| Legitimate Use of Wazuh Agent for Monitoring | The Wazuh agent uses a script that includes a command line similar to a Vidar IOC. | Exclude events where the processname is “wazuh-agent” or the source field is “Wazuh”. |
| Use of Windows Task Scheduler for Automated Reports | A Windows Task Scheduler job runs a script that includes a command line matching a Vidar IOC. | Exclude events where the taskname field contains “ReportGenerator” or “AutomatedReport”. |