The hypothesis is that the detection rule identifies potential Viking Order Botnet activity through suspicious network behavior indicative of command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they escalate into larger-scale attacks.
YARA Rule
rule VikingBotnet
{
    meta:
        author = "https://twitter.com/koodous_project"
        description = "Rule to detect Viking Order Botnet."
        sample = "85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c"
    strings:
        $a = "cv7obBkPVC2pvJmWSfHzXh"
        $b = "http://joyappstech.biz:11111/knock/"
        $c = "I HATE TESTERS onGlobalLayout"
        $d = "http://144.76.70.213:7777/ecspectapatronum/"
    condition:
        ($a and $c) or ($b and $d)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic; the condition fires only when a pair of them appears together ($a with $c, or $b with $d), so a single matching string is not enough.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs viking.exe as part of a routine cleanup or patching process.
Filter/Exclusion: Check for process.parent_process containing taskhost.exe or schtasks.exe, and filter out processes with process.name equal to viking.exe when the parent is a known task scheduler process.
Scenario: Admin Using Viking for Network Monitoring
Description: A network administrator is using a tool named “Viking” (not the botnet) for network traffic analysis or packet capture.
Filter/Exclusion: Filter out processes where process.user is a known admin account (e.g., Administrator) and process.name is viking.exe with process.command_line containing --monitor or --capture.
Scenario: Legacy Software Compatibility Check
Description: A legacy application or compatibility tool is using viking.exe to test system compatibility or run old scripts.
Filter/Exclusion: Exclude processes where process.path contains known legacy directories (e.g., C:\LegacyTools\) or where process.command_line includes --compatibility or --test.
Scenario: CI/CD Pipeline Job Execution
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is executing a script that uses viking.exe as part of a build or deployment process.
Filter/Exclusion: Filter out processes where process.parent_process is a known CI/CD agent (e.g., jenkins.exe, gitlab-runner.exe) or where process.command_line includes --ci or --build.
Scenario: Security Tool for Threat Hunting