Vidar Malware Evades Detection by Hiding Payloads in JPEG and TXT Files
Key Takeaways
- The Vidar info-stealer has evolved its evasion tactics, now embedding second-stage payloads within seemingly innocuous JPEG image and TXT document files.
- This advanced technique, observed in 2026, allows Vidar to bypass traditional security detections by leveraging non-executable file formats and in-memory execution.
- The malware targets a broad range of sensitive data, including over 200 browser extensions, cryptocurrency wallets (MetaMask, Phantom, Coinbase Wallet), and popular password managers (Bitwarden, LastPass, KeePass).
- Infection typically begins via malicious Go-compiled droppers distributed through fake GitHub repositories, compromised WordPress sites, and deceptive CAPTCHA pages.
Vidar Malware Adopts Sophisticated Evasion by Embedding Payloads in Image and Text Files
In a significant development for cybersecurity, Vidar, a persistent and highly active information-stealing malware, has upgraded its evasion capabilities. Analysis conducted in 2026 reveals that the latest iteration of Vidar now conceals its critical second-stage payloads within ordinary JPEG images and TXT documents. This strategic shift makes the malware considerably more challenging for conventional security solutions to detect and neutralize.
This evolution represents a pivotal change in Vidar’s operational methodology, impacting how it infiltrates systems and exfiltrates sensitive user data globally.
The Evolution of Vidar
First surfacing in 2018 as a basic credential stealer built upon the Arkei framework, Vidar has undergone substantial transformation. By 2026, it has matured into a sophisticated Malware-as-a-Service (MaaS) offering, incorporating multi-stage delivery mechanisms and utilizing social media platforms like Telegram for command-and-control (C2) communications. The malware’s capabilities now extend far beyond simple password theft, executing entire infection chains directly within a computer’s memory, thereby minimizing forensic traces on compromised systems.
Researchers Kedar Shashikant Pandit and Prathamesh Shingare from the Lat61 Threat Intelligence Team at Point Wild were instrumental in identifying this new variant. Their comprehensive findings, published on April 24, 2026, detail the full infection lifecycle, from initial compromise to data exfiltration.
Their investigation highlighted Vidar’s reliance on obfuscated scripts, legitimate Windows utilities, and a staged delivery approach that leverages non-executable file types to remain undetected by security software.
Widespread Distribution and Impact
Vidar campaigns employ diverse entry vectors. Malicious Go-compiled droppers are frequently distributed through counterfeit GitHub repositories, which are often disguised as legitimate developer tools or leaked software. Additionally, compromised WordPress websites and deceptive CAPTCHA pages, known as ClickFix pages, trick users into executing Windows commands that initiate the infection sequence.
The gaming community is also a prime target, with threat actors distributing fake cheat tool repositories on platforms such as GitHub, Discord, and Reddit. Users on these platforms may be more inclined to overlook security warnings in pursuit of in-game advantages, making them vulnerable.
The scope of Vidar’s impact is extensive. It actively targets over 200 browser extensions, including popular cryptocurrency wallets like MetaMask, Phantom, and Coinbase Wallet. Furthermore, it aims at password managers such as Bitwarden, LastPass, and KeePass. This broad targeting extends beyond basic credential theft, posing significant risks of financial loss and large-scale data breaches for both individuals and organizations.
Infection Mechanism: How Vidar Executes Through Staged File Delivery
The infection process begins with a Go-compiled dropper binary, serving as the initial entry point. The use of Go, a language less commonly associated with malware, helps the sample evade detection by many legacy security tools.
Upon execution, the dropper deploys a VBScript file, named ewccbqtllunx.vbs, into the Windows Temp directory.
This VBScript first performs an anti-sandbox check. If a sandbox environment is detected, the script terminates immediately. If not, it constructs and executes an obfuscated PowerShell command within a hidden window.
The PowerShell script then establishes a TLS 1.2 connection to a remote IP address, specifically 62.60.226.200, to download a file named 160066.jpg.
While appearing as a standard image file, 160066.jpg contains a hidden Base64-encoded payload embedded between custom markers, “BASE64_START” and “BASE64_END”. The malware identifies these markers, extracts the encoded content, decodes it entirely in memory, and then loads the result as a .NET assembly without writing it to disk.
Subsequently, a second request retrieves KGVn4OY.txt from the same server. This text file contains reversed and obfuscated Base64 content. The malware reverses the string, removes junk characters, decodes the result, and executes it in memory.
The final payload is a 64-bit C++ executable, protected by a crypter that resolves Windows API calls dynamically at runtime to further complicate detection.
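As an added example (not code from the report or the Lat61 team), a small Python scanner that applies the two unpacking steps described above to a downloaded JPEG or TXT and reports whether a Windows executable is hidden inside. The marker strings are the ones named in the report; which junk characters the TXT stage strips is not stated, so the scanner assumes they fall outside the Base64 alphabet, and all sample files are constructed.

```python
import base64
import re

START_MARKER = b"BASE64_START"  # marker strings named in the report
END_MARKER = b"BASE64_END"
NON_B64 = re.compile(rb"[^A-Za-z0-9+/=]")  # bytes outside the Base64 alphabet

def _try_decode(candidate: bytes):
    """Strict Base64 decode, tolerating missing padding; None if not Base64."""
    try:
        return base64.b64decode(candidate + b"=" * (-len(candidate) % 4), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None

def looks_like_pe(blob: bytes) -> bool:
    """A decoded stage beginning with the 'MZ' DOS header is a Windows executable."""
    return blob[:2] == b"MZ"

def extract_marker_payload(data: bytes):
    """JPEG stage: decode whatever sits between the two custom markers."""
    start = data.find(START_MARKER)
    end = data.find(END_MARKER, start + len(START_MARKER)) if start != -1 else -1
    if end == -1:
        return None
    return _try_decode(NON_B64.sub(b"", data[start + len(START_MARKER):end]))

def extract_obfuscated_payload(text: bytes):
    """TXT stage: strip junk, then try the string forward and reversed.
    Assumption: the junk characters lie outside the Base64 alphabet."""
    cleaned = NON_B64.sub(b"", text)
    for candidate in (cleaned, cleaned[::-1]):
        blob = _try_decode(candidate)
        if blob is not None and looks_like_pe(blob):
            return blob
    return None

def classify(data: bytes) -> str:
    """'embedded-pe' if either unpacking path yields an MZ blob, else 'clean'."""
    hits = (extract_marker_payload(data), extract_obfuscated_payload(data))
    return "embedded-pe" if any(b and looks_like_pe(b) for b in hits) else "clean"

def build_samples() -> dict:
    """Constructed artefacts (not real Vidar files): an 'MZ' header plus text,
    wrapped the two ways the report describes, plus two benign controls."""
    fake_pe = b"MZ" + b"\x00" * 14 + b"constructed stage, not a real executable"
    b64 = base64.b64encode(fake_pe)
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + START_MARKER + b64 + END_MARKER + b"\xff\xd9"
    txt = b"#!".join(b64[::-1][i:i + 6] for i in range(0, len(b64), 6)) + b"\n"
    return {"fake_pe": fake_pe, "jpeg": jpeg, "txt": txt, "clean_txt": b"hello world\n",
            "clean_jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"}
```

Run it against files captured by a sandbox or web proxy rather than on the endpoint, since the real chain never writes the decoded stage to disk. Junk inserted from within the Base64 alphabet would defeat the stripping step, so the `classify` verdict is a triage signal, not a substitute for reproducing the script's own cleaning routine.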
What You Should Do
- Block Outbound Connections: Implement firewall rules to block outbound connections to direct IP-based HTTP/HTTPS endpoints, especially those not associated with known legitimate services.
- Monitor Process Chains: Enhance monitoring for suspicious WScript and PowerShell process spawn chains, particularly those initiating network connections or loading modules in memory.
- Restrict RegAsm.exe: Limit the execution of RegAsm.exe to only signed and verified processes. Unauthorized use of this tool can indicate malicious activity.
- Audit Startup Folders: Regularly audit the contents of user and system startup folders for any unauthorized modifications or the presence of unfamiliar scripts or executables.
- Educate Users: Conduct regular security awareness training to educate users about the dangers of downloading software from unofficial sources, clicking suspicious links, or interacting with deceptive CAPTCHA pages.
- Implement Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting in-memory attacks and behavioral anomalies that bypass traditional signature-based antivirus.
- Backup Data: Maintain regular, secure backups of all critical data to facilitate recovery in the event of a successful compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.