The detection identifies potential Vidar malware activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Vidar. Total IOCs: 9. IOC Types: domain, url.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ggt.glamisrent.com/ | botnet_cc | 2026-06-12 | 75% |
| domain | ggt.glamisrent.com | botnet_cc | 2026-06-12 | 75% |
| url | hxxps://ggt.gerbongsm188.top/ | botnet_cc | 2026-06-12 | 75% |
| domain | ggt.gerbongsm188.top | botnet_cc | 2026-06-12 | 75% |
| domain | srv.turbo88ku.top | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://puz.glamisrent.com/ | botnet_cc | 2026-06-12 | 100% |
| domain | puz.gerbongsm188.top | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://puz.gerbongsm188.top/ | botnet_cc | 2026-06-12 | 100% |
| domain | puz.glamisrent.com | botnet_cc | 2026-06-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["ggt.glamisrent.com", "ggt.gerbongsm188.top", "srv.turbo88ku.top", "puz.gerbongsm188.top", "puz.glamisrent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://ggt.glamisrent.com/", "https://ggt.gerbongsm188.top/", "https://puz.glamisrent.com/", "https://puz.gerbongsm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
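The IOC table above is defanged (`hxxps://`), while the `let ... = dynamic([...])` lists in the queries need the real values as Sentinel logs them. As an added example that is not part of the original page, this Python helper parses table rows in that shape, refangs them, de-duplicates by type, optionally drops low-confidence rows, and emits the two `let` statements; the sample rows, the `min_confidence` threshold and all function names are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample rows in the same shape as the IOC table above (defanged values).
IOC_TABLE = """\
| url | hxxps://ggt.glamisrent.com/ | botnet_cc | 2026-06-12 | 75% |
| domain | ggt.glamisrent.com | botnet_cc | 2026-06-12 | 75% |
| domain | srv.turbo88ku.top | botnet_cc | 2026-06-12 | 100% |
| url | hxxps://puz.gerbongsm188.top/ | botnet_cc | 2026-06-12 | 100% |
| domain | puz.gerbongsm188.top | botnet_cc | 2026-06-12 | 100% |
"""

# One markdown table row: | type | value | threat type | first seen | confidence% |
ROW_RE = re.compile(
    r"^\|\s*(?P<type>domain|url)\s*\|\s*(?P<value>[^|]+?)\s*\|\s*(?P<threat>[^|]+?)\s*\|"
    r"\s*(?P<seen>[^|]+?)\s*\|\s*(?P<conf>\d+)%\s*\|$"
)

def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what DnsEvents/UrlClickEvents record."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(table: str, min_confidence: int = 0) -> dict:
    """Return {'domain': [...], 'url': [...]} of refanged, de-duplicated indicators
    at or above min_confidence, keeping the table's order (hypothetical helper)."""
    out = {"domain": OrderedDict(), "url": OrderedDict()}
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or int(m["conf"]) < min_confidence:
            continue  # header/separator lines and rows below the threshold are skipped
        out[m["type"]].setdefault(refang(m["value"]), None)
    return {kind: list(values) for kind, values in out.items()}

def kql_dynamic(name: str, values: list) -> str:
    """Render a `let` statement in the shape the hunting queries above use."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def build_lets(table: str, min_confidence: int = 0) -> str:
    """Emit both `let` lists ready to paste ahead of the DnsEvents / UrlClickEvents queries."""
    iocs = parse_iocs(table, min_confidence)
    return "\n".join([kql_dynamic("malicious_domains", iocs["domain"]),
                      kql_dynamic("malicious_urls", iocs["url"])])

if __name__ == "__main__":
    print(build_lets(IOC_TABLE, min_confidence=100))
```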
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job running PowerShell scripts for system maintenance | Exclude processes initiated by schtasks.exe or with CommandLine containing powershell.exe -Command and system maintenance in the command. |
| Admin using PowerShell to configure network settings via Group Policy | Exclude processes with CommandLine containing gpedit.msc or Group Policy in the command, and filter by user accounts with administrative privileges. |
| Security tool (e.g., Microsoft Defender) performing a full system scan | Exclude processes with ProductName or FileVersionInfo indicating Microsoft Defender or Windows Defender, and filter by process names like MsMpEng.exe. |
| Legitimate use of certutil to manage certificates on a Windows server | Exclude processes with CommandLine containing certutil -addstore or certutil -viewstore, and filter by user accounts with certificate management permissions. |
| System update task using wuauclt.exe to check for Windows updates | Exclude processes with ProcessName wuauclt.exe or CommandLine containing wuauclt.exe /detectnow, and filter by scheduled task names related to Windows Update. |