Adversaries using Vidar may exfiltrate stolen credentials and sensitive data through unusual outbound network traffic to command-and-control servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate data exfiltration early in the attack lifecycle.
IOC Summary
Malware Family: Vidar
Total IOCs: 4
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | hwd.hidayahnetwork.com | botnet_cc | 2026-05-07 | 100% |
| url | hxxps://hwd.hidayahnetwork.com/ | botnet_cc | 2026-05-07 | 100% |
| url | hxxps://ann.hidayahnetwork.com/ | botnet_cc | 2026-05-07 | 100% |
| domain | ann.hidayahnetwork.com | botnet_cc | 2026-05-07 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// DnsEvents is populated by the DNS (preview) / Windows DNS Server connector.
// has_any matches the domain as a term, so subdomains of the listed hosts also match.
let malicious_domains = dynamic(["hwd.hidayahnetwork.com", "ann.hidayahnetwork.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// The IOC table lists the URLs defanged (hxxps); the query uses the real scheme.
// UrlClickEvents comes from Defender for Office 365 Safe Links via the Defender XDR connector.
let malicious_urls = dynamic(["https://hwd.hidayahnetwork.com/", "https://ann.hidayahnetwork.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system maintenance task
Description: A scheduled task using schtasks.exe or Task Scheduler is performing routine system updates or backups, which may involve outbound traffic to known infrastructure.
Filter/Exclusion: Exclude traffic initiated by schtasks.exe or tasks with a known name like “Windows Update” or “BackupJob”.

Scenario: Admin using PowerShell for remote management
Description: A system administrator is using PowerShell (powershell.exe) to remotely manage servers, which may result in outbound connections to internal management tools or cloud services.
Filter/Exclusion: Exclude connections originating from PowerShell scripts with known administrative tasks or from IP addresses within the organization’s internal network.

Scenario: Antivirus or EDR tool performing signature updates
Description: An endpoint protection tool like Microsoft Defender (MsMpEng.exe) or CrowdStrike (csc.exe) is updating its threat intelligence database, which may involve outbound traffic to known IOC domains.
Filter/Exclusion: Exclude traffic from known antivirus processes or from domains associated with threat intelligence update services.

Scenario: Legitimate software update or patch deployment
Description: A patch management tool like Microsoft Endpoint Configuration Manager (ccmexec.exe) or SCCM is deploying updates, which may involve outbound connections to Microsoft or vendor servers.
Filter/Exclusion: Exclude traffic from known patch management tools or to domains associated with software update services.

Scenario: User accessing external cloud storage for collaboration
Description: A user is accessing cloud storage (e.g., OneDrive, Google Drive) via a legitimate application like onedrive.exe or google-drive.exe, which may result in outbound traffic to cloud service endpoints.
Filter/Exclusion: Exclude traffic from known cloud storage applications or to domains associated with cloud collaboration services.
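The two queries above show which host resolved or clicked an IOC but not which process made the connection, which is what the false-positive scenarios hinge on. The following query is an added example, not part of the original hunt, and assumes the Microsoft Defender for Endpoint connector is enabled so that the DeviceNetworkEvents table (with InitiatingProcessFileName and RemoteUrl) is available; the process list is a constructed starting point taken from the scenarios above.

```kusto
// Added example (not from the original page): tie Vidar C2 IOC hits to the
// initiating process so the benign scenarios can be reviewed rather than dropped.
// Assumes DeviceNetworkEvents is ingested via the Defender for Endpoint connector.
let vidar_domains = dynamic(["hwd.hidayahnetwork.com", "ann.hidayahnetwork.com"]);
// Processes named in the false-positive scenarios (constructed list, tune per environment).
let expected_processes = dynamic(["MsMpEng.exe", "ccmexec.exe", "onedrive.exe", "powershell.exe", "schtasks.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (vidar_domains)
// Tag rather than filter: an expected process reaching a stealer C2 is still worth a look.
| extend ExpectedProcess = InitiatingProcessFileName in~ (expected_processes)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            RemoteUrls = make_set(RemoteUrl, 10), RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ExpectedProcess
// Unexpected processes (browsers, unsigned binaries, LOLBins) sort to the top for triage.
| order by ExpectedProcess asc, FirstSeen asc
```

Rows with ExpectedProcess == false are the candidates for incident creation; rows tagged true map directly onto the exclusion scenarios listed above and can be suppressed once the process and destination are confirmed legitimate.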