The ThreatFox: Vidar IOCs rule detects contact with infrastructure that ThreatFox attributes to Vidar, an information stealer that harvests browser-stored credentials, session cookies and other sensitive data from infected hosts. Credentials taken by a stealer are routinely reused for follow-on access, so SOC teams should hunt for these indicators in Azure Sentinel (Microsoft Sentinel) to catch early-stage compromises before they turn into data breaches or lateral movement.
IOC Summary
Malware Family: Vidar
Total IOCs: 13
IOC Types: url, domain
URLs are listed defanged (hxxps); refang them before use in a query.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://lands-end-coastguard.com/ | payload_delivery | 2026-05-20 | 75% |
| url | hxxps://bom.fazvende.com.br/ | botnet_cc | 2026-05-20 | 100% |
| url | hxxps://bom.tristans-tea.com/ | botnet_cc | 2026-05-20 | 100% |
| domain | bom.fazvende.com.br | botnet_cc | 2026-05-20 | 100% |
| domain | bom.tristans-tea.com | botnet_cc | 2026-05-20 | 100% |
| domain | wed.fazvende.com.br | botnet_cc | 2026-05-19 | 100% |
| url | hxxps://wed.fazvende.com.br/ | botnet_cc | 2026-05-19 | 100% |
| domain | wed.tristans-tea.com | botnet_cc | 2026-05-19 | 100% |
| url | hxxps://wed.tristans-tea.com/ | botnet_cc | 2026-05-19 | 100% |
| domain | rpi.fazvende.com | botnet_cc | 2026-05-19 | 100% |
| url | hxxps://rpi.fazvende.com/ | botnet_cc | 2026-05-19 | 100% |
| domain | rpi.tristans-tea.com | botnet_cc | 2026-05-19 | 100% |
| url | hxxps://rpi.tristans-tea.com/ | botnet_cc | 2026-05-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
// Requires the DnsEvents table (Windows DNS Server events via the DNS connector).
let malicious_domains = dynamic(["bom.fazvende.com.br", "bom.tristans-tea.com", "wed.fazvende.com.br", "wed.tristans-tea.com", "rpi.fazvende.com", "rpi.tristans-tea.com"]);
DnsEvents
| where TimeGenerated > ago(30d)
// has_any is a term match; use in~ for an exact hostname match or endswith to cover new subdomains.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
// Requires the UrlClickEvents table (Safe Links click data via the Microsoft 365 Defender connector).
let malicious_urls = dynamic(["https://lands-end-coastguard.com/", "https://bom.fazvende.com.br/", "https://bom.tristans-tea.com/", "https://wed.fazvende.com.br/", "https://wed.tristans-tea.com/", "https://rpi.fazvende.com/", "https://rpi.tristans-tea.com/"]);
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any (malicious_urls)
// NetworkMessageId pivots to the delivering email; IsClickedThrough shows whether the user bypassed a Safe Links warning.
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled; only clients that resolve through a logged Windows DNS server are covered. |
| UrlClickEvents | Ensure the Microsoft 365 Defender connector is enabled; only URLs opened through Safe Links appear here. |
False positive scenarios. Both hunting queries run over tables that carry no process context: DnsEvents identifies the source by Computer and ClientIP, UrlClickEvents by AccountUpn and Url. Exclusions written against process fields (parent process, command line) cannot be expressed in these tables, and excluding a whole process name would also hide the malware, which runs under the same browsers, mail clients and PowerShell hosts it abuses. Scope every exclusion to a named host, client IP or account; the hostnames below are placeholders.
Scenario: Legitimate Scheduled Job Resolving Vidar-Related Domains
Description: An internal link-checking or threat-intelligence validation job runs on a schedule and resolves a domain from this IOC set.
Filter/Exclusion: Do not exclude everything launched by Task Scheduler or schtasks.exe; malware persistence uses the same mechanism. Exclude only the job's host, e.g. in DnsEvents `| where Computer !in ("<validation-host>")`.
Scenario: Analyst Using ThreatFox for IOC Validation
Description: A security analyst checks these IOCs on ThreatFox, or opens one of them in a browser or sandbox. Only the second action produces a DNS query or a click event; looking up a value on ThreatFox does not.
Filter/Exclusion: Exclude the analyst workstation or sandbox by Computer (DnsEvents) or AccountUpn (UrlClickEvents). A user.name of "Security Analyst" is not a real principal, and chrome.exe with --remote-debugging-port is not a benign marker: remote control of a browser over that port is itself used to read session data, so it must not be an exclusion.
Scenario: Email Client Triggering a Click Record Without a User Visit
Description: Rendering or previewing a message in Outlook can cause Safe Links to scan a link, producing a UrlClickEvents row with a blocking ActionType and IsClickedThrough false even though nobody opened the page.
Filter/Exclusion: Do not exclude outlook.exe or any mail client; a mail client reaching a Vidar C2 domain is exactly the condition this hunt looks for. Triage on ActionType and IsClickedThrough instead.
Scenario: Automated Security Tool Resolving Known Malware Domains
Description: A sandbox or URL-detonation service resolves IOC domains as part of analysis. EDR sensors such as CrowdStrike Falcon or Microsoft Defender for Endpoint match IOCs locally and do not normally resolve them.
Filter/Exclusion: Exclude the detonation host by Computer or ClientIP only; an exclusion on the agent's process name does not apply to these tables and would be too broad if it did.
Scenario: Legitimate Use of PowerShell for System Maintenance
Description: A system administrator's maintenance script references a domain that matches a Vidar IOC. This is not routine; the script should be reviewed, since stealers and their loaders are commonly delivered through PowerShell.
Filter/Exclusion: Do not exclude powershell.exe with -Command or an "Admin" account wholesale. If the script is a sanctioned IOC check, exclude its host by Computer and nothing more.
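The following Python script is an added example and is not part of the original page or of ThreatFox. It turns the IOC table above into the `dynamic([...])` literals used by the two KQL queries and then runs the same matching logic offline over a handful of constructed DnsEvents-shaped records, so the subdomain question raised in the query comments and the host-scoped exclusions from the false positive scenarios can be checked before anything is deployed. The sample records, the host names (WS-FIN-017, SANDBOX-01, WS-HR-042) and the parent-domain list are assumptions made for the example; the abc.tristans-tea.com record is invented to show how a new subdomain prefix escapes an exact-match hunt.

```python
import re
from urllib.parse import urlsplit

# Rows of the ThreatFox table above, defanged as published: (type, value, threat type, confidence).
IOCS = [
    ("url", "hxxps://lands-end-coastguard.com/", "payload_delivery", 75),
    ("url", "hxxps://bom.fazvende.com.br/", "botnet_cc", 100),
    ("url", "hxxps://bom.tristans-tea.com/", "botnet_cc", 100),
    ("domain", "bom.fazvende.com.br", "botnet_cc", 100),
    ("domain", "bom.tristans-tea.com", "botnet_cc", 100),
    ("domain", "wed.fazvende.com.br", "botnet_cc", 100),
    ("url", "hxxps://wed.fazvende.com.br/", "botnet_cc", 100),
    ("domain", "wed.tristans-tea.com", "botnet_cc", 100),
    ("url", "hxxps://wed.tristans-tea.com/", "botnet_cc", 100),
    ("domain", "rpi.fazvende.com", "botnet_cc", 100),
    ("url", "hxxps://rpi.fazvende.com/", "botnet_cc", 100),
    ("domain", "rpi.tristans-tea.com", "botnet_cc", 100),
    ("url", "hxxps://rpi.tristans-tea.com/", "botnet_cc", 100),
]

# Analyst-chosen parent domains of the C2 hosts (assumption for the example, not from the feed).
PARENT_DOMAINS = ["tristans-tea.com", "fazvende.com.br", "fazvende.com"]

# Constructed DnsEvents-style records; Computer and Name are the columns the hunt keys on.
SAMPLE_DNS = [
    {"Computer": "WS-FIN-017", "Name": "bom.tristans-tea.com"},          # listed C2 host
    {"Computer": "WS-FIN-017", "Name": "login.microsoftonline.com"},     # benign
    {"Computer": "SANDBOX-01", "Name": "rpi.fazvende.com"},              # analyst detonation host
    {"Computer": "WS-HR-042", "Name": "abc.tristans-tea.com"},           # new prefix, not in the feed yet
    {"Computer": "WS-HR-042", "Name": "tristans-tea.com.example.net"},   # must not match
]


def refang(value):
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def hunt_domains(iocs, min_confidence=0):
    """Domains to hunt for in DNS: explicit domain IOCs plus the host part of each URL IOC."""
    domains = set()
    for typ, value, _threat, confidence in iocs:
        if confidence < min_confidence:
            continue
        if typ == "domain":
            domains.add(value.lower().rstrip("."))
        elif typ == "url":
            domains.add(urlsplit(refang(value)).hostname.lower())
    return sorted(domains)


def hunt_urls(iocs, min_confidence=0):
    """Refanged URL IOCs for the UrlClickEvents query."""
    return sorted(refang(v) for t, v, _th, c in iocs if t == "url" and c >= min_confidence)


def kql_dynamic(values):
    """Render a KQL dynamic([...]) literal, escaping embedded double quotes."""
    inner = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return "dynamic([" + inner + "])"


def domain_matches(query_name, hunt_list, include_subdomains=False):
    """Exact hostname match (what KQL in~ does) or, optionally, any subdomain of a listed domain."""
    name = query_name.lower().rstrip(".")
    for domain in hunt_list:
        if name == domain:
            return True
        if include_subdomains and name.endswith("." + domain):
            return True
    return False


def hunt_dns(records, hunt_list, excluded_hosts=(), include_subdomains=False):
    """Return hits from DnsEvents-shaped records, skipping only the explicitly allowlisted hosts."""
    excluded = {h.lower() for h in excluded_hosts}
    return [r for r in records
            if r["Computer"].lower() not in excluded
            and domain_matches(r["Name"], hunt_list, include_subdomains)]


if __name__ == "__main__":
    print("let malicious_domains = " + kql_dynamic(hunt_domains(IOCS)) + ";")
    print("let malicious_urls = " + kql_dynamic(hunt_urls(IOCS)) + ";")
    for hit in hunt_dns(SAMPLE_DNS, PARENT_DOMAINS, excluded_hosts=("SANDBOX-01",), include_subdomains=True):
        print("hit:", hit["Computer"], hit["Name"])
```

Exact matching reproduces the page's queries and misses the abc.tristans-tea.com record; switching to the parent-domain list with `include_subdomains=True` catches it while still rejecting tristans-tea.com.example.net, and the sandbox exclusion removes only the one allowlisted host rather than every scheduled task or PowerShell process. Whether broadening to the parent domains is acceptable depends on whether those domains carry any legitimate traffic in your environment; the example only shows the mechanics.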