The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or operational disruption.
IOC Summary
Malware Family: Vidar
Total IOCs: 121
IOC Types: ip:port, domain, url
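ThreatFox publishes its indicators defanged (`[.]`, `hxxps://`) and as `ip:port` pairs, while the Sentinel hunts that follow need bare IPs, domains and URLs inside `dynamic([...])` arrays. The helper below is an added example, not part of this page or of ThreatFox's tooling; it refangs a few constructed rows in the page's `Type | Value` format (values taken from the hunts on this page), splits the port off `ip:port` entries, and renders the KQL `let` lines.

```python
import re
from collections import defaultdict

# Constructed sample rows in the defanged "Type | Value" layout used by
# ThreatFox exports; the values are ones that appear in this page's hunts.
SAMPLE_ROWS = [
    ("ip:port", "176[.]9[.]29[.]205:443"),
    ("ip:port", "88[.]198[.]103[.]90:443"),
    ("domain", "ehj.loniluekegerman.com"),
    ("domain", "mpd[.]loniluekegerman[.]com"),
    ("url", "hxxps://88[.]198[.]103[.]88/"),
    ("url", "hxxp://176[.]9[.]29[.]205/"),
]

def refang(value: str) -> str:
    """Undo common defanging conventions: [.] / (.) / [dot] -> ., hxxp(s) -> http(s)."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def split_ip_port(value: str):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); a plain IP gets port None."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host, int(port)

def build_ioc_sets(rows):
    """Group refanged IOCs by type. ip:port entries are reduced to the bare IP
    because the Sentinel columns matched on (DestinationIP, RemoteIP) carry
    no port; the port is kept separately by split_ip_port if you need it."""
    sets = defaultdict(set)
    for ioc_type, raw in rows:
        clean = refang(raw)
        if ioc_type == "ip:port":
            ip, _port = split_ip_port(clean)
            sets["ip"].add(ip)
        elif ioc_type in ("domain", "url"):
            sets[ioc_type].add(clean)
    return {k: sorted(v) for k, v in sets.items()}

def kql_let(name: str, values) -> str:
    """Render a KQL 'let' dynamic array in the form the hunts below use."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

if __name__ == "__main__":
    sets = build_ioc_sets(SAMPLE_ROWS)
    for name, key in (("malicious_ips", "ip"), ("malicious_domains", "domain"), ("malicious_urls", "url")):
        print(kql_let(name, sets.get(key, [])))
```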
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["178.63.30.62", "88.198.103.91", "88.198.103.90", "178.63.30.143", "178.63.30.34", "88.198.103.93", "88.198.103.89", "88.198.103.94", "88.198.103.92", "176.9.29.205", "88.198.103.95", "178.63.30.48", "88.198.103.88"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Vidar
let malicious_ips = dynamic(["178.63.30.62", "88.198.103.91", "88.198.103.90", "178.63.30.143", "178.63.30.34", "88.198.103.93", "88.198.103.89", "88.198.103.94", "88.198.103.92", "176.9.29.205", "88.198.103.95", "178.63.30.48", "88.198.103.88"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["ehj.loniluekegerman.com", "mpd.loniluekegerman.com", "lbs.xybcaap.my.id", "1net.ro", "1sttxreversemtg.com", "allstartsealing.com", "alnuric.org", "aplikasigerhanatoto1.com", "av-automotive.be", "ayuntamientodeyecora.com", "b2b.castorsunglasses.es", "belindabuck.com", "berylsegerschronicles.com.au", "biopelletuab.com", "boilermill.com.br", "buktijpilmu.com", "centralathleticfoundation.com", "ciphercodersweb.com", "cofeusa.com", "columbusisles.com", "compraway.com", "copierondemand.com", "dipfeed.com", "diversidadecatolica.com.br", "drisdellehomes.com", "easttechnicalstudio.com", "eltransistorgranada.com", "energyarts.com.br", "foresightedtech.com", "gazaltours.com", "goldenlifemanor.com", "greyandbold.com", "gustavogorriaran.com.uy", "heachang.com", "hijamawala.co.uk", "hudaaldosari.com", "hzarchitects.com", "ianvance.co.uk", "ideaverdegolf.com", "infodehrifcam.com", "inspiredassistance.com", "jeepbastard.com", "jessicaassociates.com", "josdream.com", "kawamawidows.org", "kkg-wehofen.com", "ktgafurov.com", "lamusedurres.com", "laforetfestas.com.br", "lifemagazine.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://88.198.103.88/", "https://176.9.29.205/", "https://88.198.103.90/", "https://178.63.30.48/", "https://178.63.30.34/", "https://88.198.103.93/", "https://88.198.103.94/", "https://178.63.30.143/", "https://178.63.30.62/", "https://88.198.103.95/", "https://88.198.103.92/", "https://ehj.loniluekegerman.com/", "https://mpd.loniluekegerman.com/", "https://88.198.103.89/", "https://88.198.103.91/", "https://steamcommunity.com/profiles/76561198706525776", "https://telegram.me/b9te3i", "https://aeroflexsealing.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs a script that uses a tool like PsExec or Task Scheduler to perform routine system maintenance, which coincidentally matches one of the Vidar IOCs.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or those with a known legitimate script path (e.g., C:\Windows\System32\ or C:\Program Files\).

Scenario: Admin using Cobalt Strike for red team exercises
Description: A security team member is using Cobalt Strike for a red team simulation, and the tool's execution or network activity matches Vidar IOCs.
Filter/Exclusion: Exclude processes originating from a known red team lab environment or those with a user context matching the security team's admin group.

Scenario: Legitimate use of PowerShell for log analysis
Description: A system administrator uses PowerShell scripts (e.g., PowerShell.exe) to analyze logs, and the script's command-line arguments or output match Vidar IOCs.
Filter/Exclusion: Exclude processes with a command line containing Get-EventLog, Get-Log, or other log analysis commands, or those running under a known admin account.

Scenario: Antivirus or EDR tool scanning for malware
Description: An endpoint detection and response (EDR) tool like CrowdStrike or Microsoft Defender performs a scan and generates network traffic that matches Vidar IOCs.
Filter/Exclusion: Exclude processes with a parent process known to be an EDR or antivirus tool (e.g., mpsvc.exe, falcon.exe, or MsMpEng.exe).

Description: A backup tool like Veeam or Acronis