The ThreatFox: Vidar IOCs rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise organizational data integrity and confidentiality.
IOC Summary

Malware Family: Vidar
Total IOCs: 110
IOC Types: url, domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["pts.loniluekegerman.com", "pts.chriskendall.media", "bos.loniluekegerman.com", "bos.chriskendall.media", "prt.loniluekegerman.com", "prt.chriskendall.media", "lekeitioikt.eus", "leafypage.com", "lengochuan.com", "lindabrasil.store", "linqr.info", "lionsclubs-ghana.org", "lisanslandiniz.com", "littleshutterhomes.com", "livewelltoday.site", "lmrentacar.com", "lnded.net", "lumyq.com", "luxehavenretrat.com", "maddog-supply.com", "maidog.fr", "majestichomecare.nl", "manuelaguerra.com", "marmodelkaiser.com", "masakaschools.sc.tz", "massagebienetre-badia.fr", "matthewsbuildingadvisors.co.uk", "mdthomasconstructions.com", "meccabot.id", "mechanicalseals.co.za", "medinova.ng", "medoratechlabs.com", "medraa.com", "mesonandaluz.es", "mgo.vn", "michellebarton.love", "miohome.com.tw", "miraducksolutions.com", "missflocage.fr", "mlbodesign.com", "mnasalonsuites.com", "mosw.gov.sl", "motomorini.mg", "msg3d.com.br", "muqtasid.com", "mwcmetals.com", "myachtconsulting.com", "myhouseinspain.com", "mykonos-explorer.com", "mymedicarebasics.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://pts.loniluekegerman.com/", "https://pts.chriskendall.media/", "https://bos.loniluekegerman.com/", "https://bos.chriskendall.media/", "https://prt.loniluekegerman.com/", "https://prt.chriskendall.media/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
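As an added example (not part of the original rule page or of ThreatFox), the following Python builds the DnsEvents hunt shown above from ThreatFox-style IOC rows: it refangs `hxxps://` values, drops duplicates and low-confidence rows, partitions by IOC type, and renders the `dynamic([...])` list the query expects. The sample rows are constructed in the shape of the page's IOC table; the `[.]` refanging and the 75% confidence floor are assumptions beyond what the page shows.

```python
"""Build the Sentinel DNS hunt from ThreatFox-style IOC rows (added example)."""
import re
from typing import Dict, List

# Constructed sample rows in the page's table shape:
# (type, value, threat_type, first_seen, confidence). ThreatFox exports
# URLs defanged (hxxps://), so values must be refanged before they can
# match real telemetry. One duplicate and one low-confidence row included.
SAMPLE_IOCS = [
    ("url", "hxxps://pts.loniluekegerman.com/", "botnet_cc", "2026-05-13", 100),
    ("domain", "pts.loniluekegerman.com", "botnet_cc", "2026-05-13", 100),
    ("url", "hxxps://pts.loniluekegerman.com/", "botnet_cc", "2026-05-13", 100),
    ("domain", "leafypage.com", "payload_delivery", "2026-05-12", 100),
    ("domain", "lumyq.com", "payload_delivery", "2026-05-12", 40),  # constructed low confidence
]

def refang(value: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> . (the [.] form is assumed)."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def partition(iocs, min_confidence: int = 75) -> Dict[str, List[str]]:
    """Group refanged, de-duplicated values by IOC type, dropping rows below the floor."""
    out: Dict[str, List[str]] = {}
    for ioc_type, value, _threat, _seen, confidence in iocs:
        if confidence < min_confidence:
            continue
        bucket = out.setdefault(ioc_type, [])
        clean = refang(value)
        if clean not in bucket:  # keep first occurrence, preserve order
            bucket.append(clean)
    return out

def kql_list(name: str, values: List[str]) -> str:
    """Render a KQL let-binding holding a dynamic array of string literals."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def build_dns_hunt(iocs, min_confidence: int = 75) -> str:
    """Emit the DnsEvents hunt from the page, populated from the IOC rows."""
    domains = partition(iocs, min_confidence).get("domain", [])
    return "\n".join([
        kql_list("malicious_domains", domains),
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_dns_hunt(SAMPLE_IOCS))
```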
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches a Vidar IOC (e.g., a PowerShell script with a known hash).
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "services.exe"
Scenario: Admin Performing Disk Cleanup
Description: An admin uses a tool like DISM or Disk Cleanup that temporarily uses a file or registry key matching a Vidar IOC.
Filter/Exclusion: process.name != "dism.exe" and process.name != "cleanmgr.exe"
Scenario: Legitimate Log Collection via Logstash
Description: A log collection tool like Logstash or Filebeat is configured to use a script or path that matches a Vidar IOC.
Filter/Exclusion: process.name != "logstash.exe" and process.name != "filebeat"
Scenario: Software Update via Microsoft Intune
Description: A legitimate software update package (e.g., from Microsoft Intune) includes a file that matches a Vidar IOC due to a false positive hash.
Filter/Exclusion: process.name != "msiexec.exe" or file.hash != "known_good_hash"
Scenario: User-Initiated File Transfer via PowerShell
Description: A user transfers a file using PowerShell that has a hash matching a Vidar IOC, but the file is benign (e.g., a script for automation).
Filter/Exclusion: process.name != "powershell.exe" or user.name != "legitimate_user"