Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Linus Torvalds Clarifies Linux Kernel’s Stance on AI Development
July 17, 2026
7-Zip Critical Vulnerability Exposes Millions to Remote Code Execution
July 17, 2026
Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
July 17, 2026
Home/Threats/Vidar Malware Steals Browser Data, Crypto Wallets, and System Info
Threats

Vidar Malware Steals Browser Data, Crypto Wallets, and System Info

Key Takeaways The Vidar information stealer is actively being deployed through a sophisticated multi-stage loader campaign. Attackers are using what appears to be a legitimate software activation...

Marcus Rodriguez
Marcus Rodriguez
May 11, 2026 4 Min Read
64 0

Key Takeaways

  • The Vidar information stealer is actively being deployed through a sophisticated multi-stage loader campaign.
  • Attackers are using what appears to be a legitimate software activation tool to initiate the infection.
  • The malware targets browser data, cryptocurrency wallets, and system information, then executes a robust cleanup routine to evade detection.
  • LevelBlue researchers uncovered the campaign, highlighting advanced defense evasion techniques.

Vidar Stealer Resurfaces with Advanced Evasion Tactics

Vidar malware, an established information stealer active since late 2018, is once again a significant threat, now employing a highly sophisticated multi-stage loader to compromise systems. This persistent threat is engineered to pilfer sensitive data, including browser credentials, session cookies, cryptocurrency wallet files, and comprehensive system details.

Table Of Content

  • Key Takeaways
  • Vidar Stealer Resurfaces with Advanced Evasion Tactics
  • Multi-Stage Loader Campaign Uncovered by LevelBlue
  • How Vidar Steals Sensitive Data
  • Defense Evasion and Post-Attack Cleanup
  • What You Should Do
  • Indicators of Compromise (IoCs):-

Originally derived from the Arkei stealer’s source code, Vidar has evolved into a formidable and widely used commodity malware family. What distinguishes the current wave of Vidar activity is not merely its data exfiltration capabilities but the meticulous pre-deployment preparation by attackers, with each step in the infection chain designed to bypass security measures before the final payload is delivered.

Multi-Stage Loader Campaign Uncovered by LevelBlue

Researchers at LevelBlue identified this multi-stage loader campaign through proactive threat hunting within a client’s environment. Their analysis of endpoint telemetry and dynamic behavior revealed a complex sequence involving script masquerading, phased payload extraction, and command-and-control (C2) communications.

This discovery underscores a growing trend where well-known malware families are being integrated into increasingly intricate delivery mechanisms to broaden their reach and effectiveness. The initial entry point for these attacks often masquerades as a legitimate software activation tool, deceiving unsuspecting users into executing malicious code.

How Vidar Steals Sensitive Data

The infection typically commences with a commonly abused hack tool, such as “MicrosoftToolkit.exe.” Users are tricked into running this utility under the false pretense of activating legitimate software. This social engineering tactic reduces reliance on traditional phishing or software exploits, making the initial compromise more challenging for conventional security defenses to detect.

Upon execution, a disguised file named “Swingers.dot” is renamed to a batch script and then run, initiating a series of commands. The system first checks for active security processes, then extracts additional payload components, ultimately launching an AutoIt-compiled loader called “Replies.scr.” Subsequent outbound connections to Vidar-associated infrastructure confirm the successful deployment of the final payload, which then actively harvests data. Vidar specifically targets browser-stored credentials, saved session cookies, cryptocurrency wallet files, and general system information, enabling attackers to acquire substantial valuable data from even a single compromised machine.

The malware leverages public platforms such as Steam and Telegram for its command-and-control infrastructure, camouflaging its traffic as routine web activity. It constructs HTTP GET requests to retrieve configuration data from these platforms before proceeding with data exfiltration. DNS lookups were also observed resolving to gz.technicalprorj.xyz via public DNS servers, indicating the attackers’ use of dynamic infrastructure to evade blocklists.

Defense Evasion and Post-Attack Cleanup

A distinctive characteristic of this campaign is the thoroughness with which the malware eradicates its traces post-execution. After payload extraction and data exfiltration, “MicrosoftToolkit.exe” deletes all files it dropped during the infection process, resets file attributes, releases associated memory, and terminates its own process. This comprehensive cleanup significantly impedes forensic investigations and traditional incident response efforts.

Furthermore, the malware incorporates anti-analysis capabilities, checking for debuggers and security monitoring tools using low-level Windows functions. If an analysis environment is detected, Vidar can modify its behavior to avoid observation. This anti-analysis feature, combined with the extensive cleanup routine and the use of legitimate Windows tools throughout the attack chain, lends this campaign a moderate-to-high degree of sophistication, despite its reliance on a commodity stealer.

What You Should Do

  • Isolate Compromised Systems: Immediately disconnect any affected systems from the network to prevent further data loss and lateral movement.
  • Reimage Systems: Perform a full system reimage on compromised machines, as the malware can download additional payloads.
  • Reset Credentials: Reset all exposed credentials, including browser passwords, email accounts, VPN logins, and administrator accounts. Close all active sessions.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical services and accounts to add an extra layer of security.
  • Monitor Network Traffic: Continuously monitor outbound network traffic and DNS queries for any unusual or suspicious connections.
  • Restrict Unauthorized Tools: Implement policies to restrict the execution of unauthorized software and tools on endpoints.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA256 fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d MicrosoftToolkit.exe
SHA256 d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f swingers.dot.bat
SHA256 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 Beds.dot
SHA256 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb replies.scr
SHA256 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe D (payload file)
IP Address 149.154.167.99 Vidar-associated C2 IP
Domain telegram[.]me C2 domain
Domain gz[.]technicalprorj[.]xyz Vidar-associated C2 domain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

JDownloader Vulnerability Exploited to Deliver Python RAT

Next Post

Google reCAPTCHA update blocks privacy-focused Android users

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
AI Penetration Testing Now Covers Retrieval Poisoning, Memory, and Sensor Attacks
July 16, 2026
Telegram 2FA Not Cracked, Attackers Hijack Logged-In Sessions
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us