The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise organizational data integrity and confidentiality.
IOC Summary
Malware Family: Vidar Total IOCs: 46 IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://yan.chadasvendas.com/ | botnet_cc | 2026-05-18 | 100% |
| url | hxxps://yan[.]4k-stream.site/ | botnet_cc | 2026-05-18 | 100% |
| domain | yan.chadasvendas.com | botnet_cc | 2026-05-18 | 100% |
| domain | yan[.]4k-stream.site | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]217[.]63[.]87:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]123[.]224:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]169:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]168:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]173:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]175:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]170:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]172:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 135[.]181[.]126[.]151:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 95[.]216[.]103[.]171:443 | botnet_cc | 2026-05-18 | 100% |
| domain | pti[.]4k-stream.site | botnet_cc | 2026-05-18 | 100% |
| domain | tra[.]4k-stream.site | botnet_cc | 2026-05-18 | 100% |
| domain | pdf[.]4k-stream.site | botnet_cc | 2026-05-18 | 100% |
| domain | pgo.hearchrisnow.com | botnet_cc | 2026-05-18 | 100% |
| domain | pti.chadasvendas.com | botnet_cc | 2026-05-18 | 100% |
| domain | tra.chadasvendas.com | botnet_cc | 2026-05-18 | 100% |
| domain | pdf.chadasvendas.com | botnet_cc | 2026-05-18 | 100% |
| domain | pgo.chadasvendas.com | botnet_cc | 2026-05-18 | 100% |
| url | hxxps://95[.]216[.]103[.]170/ | botnet_cc | 2026-05-18 | 100% |
| url | hxxps://95[.]216[.]103[.]172/ | botnet_cc | 2026-05-18 | 100% |
| url | hxxps://135[.]181[.]126[.]151/ | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["95.216.103.169", "95.216.123.224", "135.181.126.151", "95.216.103.175", "95.217.63.87", "95.216.103.172", "95.216.103.173", "95.216.103.168", "95.216.103.170", "95.216.103.171"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["95.216.103.169", "95.216.123.224", "135.181.126.151", "95.216.103.175", "95.217.63.87", "95.216.103.172", "95.216.103.173", "95.216.103.168", "95.216.103.170", "95.216.103.171"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["yan.chadasvendas.com", "yan.4k-stream.site", "pti.4k-stream.site", "tra.4k-stream.site", "pdf.4k-stream.site", "pgo.hearchrisnow.com", "pti.chadasvendas.com", "tra.chadasvendas.com", "pdf.chadasvendas.com", "pgo.chadasvendas.com", "cra.4k-stream.site", "cra.chadasvendas.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://yan.chadasvendas.com/", "https://yan.4k-stream.site/", "https://95.216.103.170/", "https://95.216.103.172/", "https://135.181.126.151/", "https://95.216.103.171/", "https://95.217.63.87/", "https://95.216.123.224/", "https://95.216.103.169/", "https://95.216.103.168/", "https://95.216.103.173/", "https://95.216.103.175/", "https://pgo.hearchrisnow.com/", "https://pti.chadasvendas.com/", "https://tra.chadasvendas.com/", "https://pdf.chadasvendas.com/", "https://pgo.chadasvendas.com/", "https://steamcommunity.com/profiles/76561198703616215", "https://telegram.me/jr00ve", "https://pti.4k-stream.site/", "https://tra.4k-stream.site/", "https://pdf.4k-stream.site/", "https://cra.chadasvendas.com/", "https://cra.4k-stream.site/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
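The IOC table above is defanged (`hxxps://`, `[.]`) while the `dynamic([...])` lists in the queries need the live values, and an indicator that is refanged by hand and mistyped simply never matches. The following Python is an added example, not part of the ThreatFox rule or of Sentinel: it refangs rows copied from the page's table, validates the IP indicators, renders the KQL `let` lists, and runs an exact-match check over constructed DeviceNetworkEvents-style records. The row subset, the sample events and every helper name (`refang`, `classify`, `build_lists`, `to_kql`, `find_hits`) are this example's own.

```python
"""Normalise defanged ThreatFox indicators into the KQL lists the hunting
queries use, then match them against a few constructed events.
Added example; rows are copied from the page's IOC table, events are constructed."""
import ipaddress
import re
from collections import defaultdict

# (type, defanged value) pairs copied from the IOC table on this page.
IOC_ROWS = [
    ("url", "hxxps://yan.chadasvendas.com/"),
    ("url", "hxxps://yan[.]4k-stream.site/"),
    ("domain", "yan.chadasvendas.com"),
    ("domain", "yan[.]4k-stream.site"),
    ("domain", "pdf[.]4k-stream.site"),
    ("ip:port", "95[.]217[.]63[.]87:443"),
    ("ip:port", "135[.]181[.]126[.]151:443"),
    ("url", "hxxps://95[.]216[.]103[.]170/"),
]


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def classify(ioc_type: str, value: str) -> tuple:
    """Return (kql_list_name, value) for a refanged IOC.
    ip:port is split because the page's queries match on the IP column only;
    the IP is validated so a mangled indicator fails loudly instead of silently
    never matching."""
    if ioc_type == "ip:port":
        ip, _, _port = value.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        return "malicious_ips", ip
    if ioc_type == "domain":
        return "malicious_domains", value.lower()
    if ioc_type == "url":
        return "malicious_urls", value
    raise ValueError(f"unknown IOC type: {ioc_type}")


def build_lists(rows) -> dict:
    """Group refanged IOCs by KQL list name, keeping order and dropping duplicates."""
    lists = defaultdict(list)
    for ioc_type, raw in rows:
        name, val = classify(ioc_type, refang(raw))
        if val not in lists[name]:
            lists[name].append(val)
    return dict(lists)


def to_kql(lists: dict) -> str:
    """Render each list as a KQL `let name = dynamic([...]);` statement."""
    out = []
    for name, values in lists.items():
        quoted = ", ".join('"%s"' % v.replace('"', '\\"') for v in values)
        out.append(f"let {name} = dynamic([{quoted}]);")
    return "\n".join(out)


def find_hits(events, lists) -> list:
    """Match constructed DeviceNetworkEvents-style records against the lists.
    IPs are matched exactly; a queried name matches a listed domain when it is
    that domain or a subdomain of it."""
    ips = set(lists.get("malicious_ips", []))
    domains = lists.get("malicious_domains", [])
    hits = []
    for ev in events:
        if ev.get("RemoteIP") in ips:
            hits.append((ev["DeviceName"], "RemoteIP", ev["RemoteIP"]))
        name = (ev.get("RemoteUrl") or "").lower()
        for d in domains:
            if name == d or name.endswith("." + d):
                hits.append((ev["DeviceName"], "RemoteUrl", name))
                break
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "95.217.63.87", "RemotePort": 443, "RemoteUrl": ""},
    {"DeviceName": "ws02", "RemoteIP": "10.0.0.5", "RemotePort": 443, "RemoteUrl": "yan.4k-stream.site"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.9", "RemotePort": 443, "RemoteUrl": "www.example.com"},
]

if __name__ == "__main__":
    ioc_lists = build_lists(IOC_ROWS)
    print(to_kql(ioc_lists))
    for hit in find_hits(SAMPLE_EVENTS, ioc_lists):
        print("HIT", hit)
```

Feeding the full 46-indicator feed through `build_lists` and pasting the `to_kql` output into the queries keeps the three lists in sync with the source instead of maintaining them by hand; the `ip:port` split also makes it explicit that the page's queries drop the port, so a `DestinationPort == 443` clause is a deliberate tightening rather than an accident.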
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Example Filter |
|---|---|---|
| Scheduled system backup using Veeam Backup & Replication | Exclude processes related to Veeam or VeeamBackup using the process.name field. | `process.name != "VeeamBackup.exe"` |
| Admin task to update Microsoft Endpoint Protection definitions | Exclude processes associated with MpCmdRun.exe or Microsoft Defender using the process.name field. | `process.name != "MpCmdRun.exe"` |
| Legitimate use of PowerShell for automated log analysis | Exclude PowerShell scripts executed from known trusted locations, such as C:\Windows\System32\WindowsPowerShell\v1.0\ or specific user directories. | `not (process.command_line contains "powershell.exe" and process.directory contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\")` |
| Use of Windows Task Scheduler to run maintenance scripts | Exclude tasks started by the Task Scheduler service (the Schedule service is hosted in svchost.exe) using the process.parent.name and process.parent.command_line fields. | `not (process.parent.name == "svchost.exe" and process.parent.command_line contains "Schedule")` |
| Deployment of Microsoft Intune policy updates via Group Policy | Exclude processes related to the Group Policy Client (GpClient or gpsvc) using the process.name field. | `process.name != "GpClient.exe" and process.name != "gpsvc.exe"` |
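The exclusions above are only useful if their boolean shape actually suppresses the intended events and nothing else. The following Python is an added example, not part of the rule or of any Sentinel feature: it encodes the five tuning scenarios as keep/suppress predicates over constructed ECS-style process events and contrasts them with the always-true `!= "A" or != "B"` shape, which keeps every event and therefore excludes nothing. The field names (`process.name`, `process.executable`, `process.parent.name`, `process.parent.command_line`), the events and the helper names are this example's own assumptions.

```python
"""Apply the tuning exclusions to constructed process events and show why the
boolean shape of an exclusion matters. Added example; field names, events and
helpers are this example's own."""


def _lower(ev, field):
    return (ev.get(field) or "").lower()


# Each exclusion returns True for an event that should be suppressed.
def is_veeam_backup(ev):
    return _lower(ev, "process.name") == "veeambackup.exe"


def is_defender_update(ev):
    return _lower(ev, "process.name") == "mpcmdrun.exe"


def is_trusted_powershell(ev):
    # Path-qualified: a powershell.exe launched from anywhere else is still kept.
    trusted = "c:\\windows\\system32\\windowspowershell\\v1.0\\"
    return (_lower(ev, "process.name") == "powershell.exe"
            and _lower(ev, "process.executable").startswith(trusted))


def is_scheduled_task_child(ev):
    # There is no "TaskScheduler" process; scheduled tasks are started by the
    # Schedule service host, i.e. svchost.exe -k netsvcs -p -s Schedule.
    return (_lower(ev, "process.parent.name") == "svchost.exe"
            and "schedule" in _lower(ev, "process.parent.command_line"))


def is_group_policy_client(ev):
    return _lower(ev, "process.name") in {"gpclient.exe", "gpsvc.exe"}


EXCLUSIONS = [is_veeam_backup, is_defender_update, is_trusted_powershell,
              is_scheduled_task_child, is_group_policy_client]


def keep(ev) -> bool:
    """Keep-condition applied after tuning: True when no exclusion fires."""
    return not any(rule(ev) for rule in EXCLUSIONS)


def broken_task_scheduler_filter(ev) -> bool:
    """The `!= "TaskScheduler" or != "svchost.exe"` shape. A field can never
    equal two different strings at once, so one side is always true and the
    filter keeps every event: it excludes nothing."""
    parent = ev.get("process.parent.name", "")
    return parent != "TaskScheduler" or parent != "svchost.exe"


def apply_filter(events, pred) -> list:
    """Return the ids of the events a keep-predicate lets through."""
    return [ev["id"] for ev in events if pred(ev)]


# Constructed events, not real telemetry.
EVENTS = [
    {"id": "backup", "process.name": "VeeamBackup.exe",
     "process.executable": r"C:\Program Files\Veeam\Backup\VeeamBackup.exe",
     "process.parent.name": "services.exe", "process.parent.command_line": "services.exe"},
    {"id": "defender", "process.name": "MpCmdRun.exe",
     "process.executable": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "process.parent.name": "services.exe", "process.parent.command_line": "services.exe"},
    {"id": "ps_system", "process.name": "powershell.exe",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.parent.name": "cmd.exe", "process.parent.command_line": "cmd.exe /c run.bat"},
    {"id": "ps_temp", "process.name": "powershell.exe",
     "process.executable": r"C:\Users\alice\AppData\Local\Temp\powershell.exe",
     "process.parent.name": "explorer.exe", "process.parent.command_line": "explorer.exe"},
    {"id": "task", "process.name": "cleanup.exe",
     "process.executable": r"C:\Tools\cleanup.exe",
     "process.parent.name": "svchost.exe",
     "process.parent.command_line": "svchost.exe -k netsvcs -p -s Schedule"},
    {"id": "svc_other", "process.name": "updater.exe",
     "process.executable": r"C:\Tools\updater.exe",
     "process.parent.name": "svchost.exe",
     "process.parent.command_line": "svchost.exe -k netsvcs -p -s wuauserv"},
    {"id": "gpo", "process.name": "gpsvc.exe",
     "process.executable": r"C:\Windows\System32\gpsvc.exe",
     "process.parent.name": "services.exe", "process.parent.command_line": "services.exe"},
]
BY_ID = {ev["id"]: ev for ev in EVENTS}

if __name__ == "__main__":
    print("kept after tuning:", apply_filter(EVENTS, keep))
    print("kept by broken filter:", apply_filter(EVENTS, broken_task_scheduler_filter))
```

Two points carry over to the KQL: a name-only exclusion is satisfied by any binary that happens to carry that file name, so pairing it with the executable path (and, where the table provides it, the signer) narrows the hole; and every exclusion should be written as a suppress-condition that is then negated, which is what makes the `or`-of-inequalities mistake visible at review time.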