The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, leveraging known indicators of compromise to identify malicious network traffic and file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage Vidar for data exfiltration and command and control operations.
IOC Summary
Malware Family: Vidar
Total IOCs: 34
IOC Types: domain, url
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["nxx.glamisdunesrentals.com", "nxx.gagahsm188.top", "alpinecamping.com", "anascopr.net", "associationaudrey.fr", "attyx.com", "blossomforth13.com", "cnefa-dz.com", "dbdideasturisticas.com", "donnasalado.com", "doorsec-dubai.com", "drelectricia.com", "elledisistemi.it", "extrasegovia.es", "homeenergyremodeling.com", "jeffreykamenarchitect.com", "noscalpelvasectomy.com", "osteoporoza.si", "raicesconsultoria.cl", "realsproject.org", "santacruzwebdesign.co", "sharonneedles.com", "soundsnatural.co.za", "swojem.pl", "thellio.com", "theshipsproject.com", "upstarthr.com", "vitolilandscapedesign.com", "wholefoodplantbasedrd.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// Values are refanged (https, not the hxxps form used in the IOC listing) so they match what the table stores
let malicious_urls = dynamic(["https://reconciliarspaterapeutico.com.br/", "https://championscollision1.com/", "https://nxx.glamisdunesrentals.com/", "https://nxx.gagahsm188.top/", "https://chtreeandgardenservices.co.uk/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
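The `dynamic([...])` lists in the queries above are hand-maintained; the following added example (not part of the original rule or of ThreatFox) shows how to build them from IOC rows in the export layout used on this page: refang `hxxps`/`[.]` values, drop rows under a confidence threshold, and emit the DnsEvents hunt. It goes one step beyond the page's query by also adding the host of every URL indicator to the domain list, so a tenant with only DNS telemetry still covers URL-only IOCs. `SAMPLE_IOCS` is a constructed sample; the `low-conf[.]invalid` row is invented to exercise the threshold.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows in the ThreatFox export layout: (type, value, threat_type, confidence).
SAMPLE_IOCS = [
    ("url", "hxxps://nxx.glamisdunesrentals.com/", "botnet_cc", 100),
    ("domain", "nxx.glamisdunesrentals.com", "botnet_cc", 100),
    ("url", "hxxps://championscollision1.com/", "payload_delivery", 75),
    ("domain", "alpinecamping.com", "payload_delivery", 100),
    ("domain", "low-conf[.]invalid", "payload_delivery", 50),  # constructed, below threshold
]

def refang(value: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> ., [:] -> :) to match logged values."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def split_iocs(rows, min_confidence=75):
    """Return (domains, urls) for KQL. The host of every URL indicator is also
    added to the domain list so DNS-only telemetry still sees URL IOCs."""
    domains, urls = [], []
    for ioc_type, value, _threat_type, confidence in rows:
        if confidence < min_confidence:
            continue                      # ThreatFox confidence is 0-100
        clean = refang(value).strip()
        if ioc_type == "url":
            urls.append(clean)
            host = urlparse(clean).hostname
            if host:
                domains.append(host)
        elif ioc_type == "domain":
            domains.append(clean.lower())
    # dict.fromkeys keeps first-seen order and drops the domain/URL-host duplicates.
    return list(dict.fromkeys(domains)), list(dict.fromkeys(urls))

def kql_dynamic(name, values):
    """Render `let <name> = dynamic([...]);`, escaping for KQL double-quoted literals."""
    lits = ", ".join('"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{lits}]);"

def build_dns_hunt(rows, min_confidence=75):
    domains, _urls = split_iocs(rows, min_confidence)
    return "\n".join([
        kql_dynamic("malicious_domains", domains),
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
        "| order by TimeGenerated desc",
    ])
```

Paste the returned string into a Sentinel hunting query; the same `split_iocs` output feeds the UrlClickEvents query via `kql_dynamic("malicious_urls", urls)`.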
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that matches one of the Vidar IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: (process.name != "schtasks.exe" AND process.name != "powershell.exe") OR (process.command_line NOT LIKE '%Cleanup%' AND process.command_line NOT LIKE '%Maintenance%')
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses a tool like Disk Cleanup or CCleaner which may have a file or registry key that matches a Vidar IOC.
Filter/Exclusion: process.name != "cleanmgr.exe" AND process.name != "ccleaner.exe" AND file.name != "cleanmgr.exe" AND file.name != "ccleaner.exe"
Scenario: Legitimate PowerShell Script Execution
Description: A system administrator runs a legitimate PowerShell script (e.g., Invoke-Command) that includes a command or file path matching a Vidar IOC.
Filter/Exclusion: process.name != "powershell.exe" OR (process.command_line NOT LIKE '%Invoke-Command%' AND process.command_line NOT LIKE '%Get-ChildItem%')
Scenario: Antivirus or EDR Tool Scanning
Description: A security tool like CrowdStrike or Microsoft Defender performs a scan and generates a file or registry entry that matches a Vidar IOC.
Filter/Exclusion: process.name != "mpcmdrun.exe" AND process.name != "msmpeng.exe" AND process.name != "CrowdStrike.exe"
Scenario: Backup or Sync Tool Activity
Description: A backup tool like Veeam or SyncBack uses a file or command that coincidentally matches a Vidar IOC.