Vidar Malware Evades Detection by Hiding Payloads in JPEG and TXT Files

David kimber
April 27, 2026

Key Takeaways

  • The Vidar info-stealer has evolved its evasion tactics, now embedding second-stage payloads within seemingly innocuous JPEG image and TXT document files.
  • This advanced technique, observed in 2026, allows Vidar to bypass traditional security detections by leveraging non-executable file formats and in-memory execution.
  • The malware targets a broad range of sensitive data, including over 200 browser extensions, cryptocurrency wallets (MetaMask, Phantom, Coinbase Wallet), and popular password managers (Bitwarden, LastPass, KeePass).
  • Infection typically begins via malicious Go-compiled droppers distributed through fake GitHub repositories, compromised WordPress sites, and deceptive CAPTCHA pages.

Vidar Malware Adopts Sophisticated Evasion by Embedding Payloads in Image and Text Files

In a significant development for cybersecurity, Vidar, a persistent and highly active information-stealing malware, has upgraded its evasion capabilities. Analysis conducted in 2026 reveals that the latest iteration of Vidar now conceals its critical second-stage payloads within ordinary JPEG images and TXT documents. This strategic shift makes the malware considerably more challenging for conventional security solutions to detect and neutralize.

This evolution represents a pivotal change in Vidar’s operational methodology, impacting how it infiltrates systems and exfiltrates sensitive user data globally.

The Evolution of Vidar

First surfacing in 2018 as a basic credential stealer built upon the Arkei framework, Vidar has undergone substantial transformation. By 2026, it has matured into a sophisticated Malware-as-a-Service (MaaS) offering, incorporating multi-stage delivery mechanisms and utilizing social media platforms like Telegram for command-and-control (C2) communications. The malware’s capabilities now extend far beyond simple password theft, executing entire infection chains directly within a computer’s memory, thereby minimizing forensic traces on compromised systems.

Researchers Kedar Shashikant Pandit and Prathamesh Shingare from the Lat61 Threat Intelligence Team at Point Wild were instrumental in identifying this new variant. Their comprehensive findings, published on April 24, 2026, detail the full infection lifecycle, from initial compromise to data exfiltration.

Their investigation highlighted Vidar’s reliance on obfuscated scripts, legitimate Windows utilities, and a staged delivery approach that leverages non-executable file types to remain undetected by security software.

Widespread Distribution and Impact

Vidar campaigns employ diverse entry vectors. Malicious Go-compiled droppers are frequently distributed through counterfeit GitHub repositories, which are often disguised as legitimate developer tools or leaked software. Additionally, compromised WordPress websites and deceptive CAPTCHA pages, known as ClickFix pages, trick users into executing Windows commands that initiate the infection sequence.

The gaming community is also a prime target, with threat actors distributing fake cheat tool repositories on platforms such as GitHub, Discord, and Reddit. Users on these platforms may be more inclined to overlook security warnings in pursuit of in-game advantages, making them vulnerable.

The scope of Vidar’s impact is extensive. It actively targets over 200 browser extensions, including popular cryptocurrency wallets like MetaMask, Phantom, and Coinbase Wallet. Furthermore, it aims at password managers such as Bitwarden, LastPass, and KeePass. This broad targeting extends beyond basic credential theft, posing significant risks of financial loss and large-scale data breaches for both individuals and organizations.

Infection Mechanism: How Vidar Executes Through Staged File Delivery

The infection process begins with a Go-compiled dropper binary, serving as the initial entry point. The use of Go, a language less commonly associated with malware, helps the sample evade detection by many legacy security tools.

Upon execution, the dropper deploys a VBScript file, named ewccbqtllunx.vbs, into the Windows Temp directory.

This VBScript first performs an anti-sandbox check. If a sandbox environment is detected, the script terminates immediately. If not, it constructs and executes an obfuscated PowerShell command within a hidden window.

The PowerShell script then establishes a TLS 1.2 connection to a remote IP address, specifically 62.60.226.200, to download a file named 160066.jpg.

While appearing as a standard image file, 160066.jpg contains a hidden Base64-encoded payload embedded between custom markers, “BASE64_START” and “BASE64_END”. The malware identifies these markers, extracts the encoded content, decodes it entirely in memory, and then loads the result as a .NET assembly without writing it to disk.

Subsequently, a second request retrieves KGVn4OY.txt from the same server. This text file contains reversed and obfuscated Base64 content. The malware reverses the string, removes junk characters, decodes the result, and executes it in memory.

The final payload is a 64-bit C++ executable, protected by a crypter that resolves Windows API calls dynamically at runtime to further complicate detection.
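The two staging tricks described above (a marker-delimited Base64 blob appended to a JPEG, and reversed, junk-padded Base64 in a TXT) can be triaged offline with a short scanner. The following Python is an added example written for this article, not code from the Point Wild researchers or from the malware; it uses the BASE64_START/BASE64_END markers named above, assumes that "junk characters" means anything outside the Base64 alphabet, and runs on constructed sample files built inline (a fake MZ-headed stage, not real malware).

```python
import base64
import re

# Markers are those reported in the article; the sample bytes below are constructed.
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
MARK_START, MARK_END = b"BASE64_START", b"BASE64_END"
# Assumption: "junk characters" means anything outside the Base64 alphabet.
NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")

def decodes_to_pe(blob: bytes) -> bool:
    """True if the Base64 text (junk stripped) decodes to data with an MZ (PE) header."""
    try:
        return base64.b64decode(NOT_B64.sub(b"", blob), validate=True)[:2] == b"MZ"
    except ValueError:  # binascii.Error is a ValueError: not Base64 / bad padding
        return False

def scan_jpeg(data: bytes) -> dict:
    """Triage a JPEG for an appended, marker-delimited Base64 stage (the 160066.jpg pattern)."""
    verdict = {"markers": False, "trailing_bytes": 0, "pe_payload": False}
    eoi = data.rfind(JPEG_EOI)
    if eoi != -1:
        verdict["trailing_bytes"] = len(data) - (eoi + 2)  # bytes after end-of-image
    m = re.search(re.escape(MARK_START) + rb"(.*?)" + re.escape(MARK_END), data, re.S)
    if m:
        verdict["markers"] = True
        verdict["pe_payload"] = decodes_to_pe(m.group(1))
    return verdict

def scan_txt(data: bytes) -> dict:
    """Triage a text file whose reversed, junk-padded Base64 decodes to a PE (the KGVn4OY.txt pattern)."""
    return {"pe_payload": decodes_to_pe(data[::-1])}

# Constructed samples: a fake PE stage (MZ header plus NOP filler), not real malware.
FAKE_STAGE = base64.b64encode(b"MZ" + b"\x90" * 30)
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF" + JPEG_EOI
STAGED_JPEG = CLEAN_JPEG + MARK_START + FAKE_STAGE + MARK_END
STAGED_TXT = (FAKE_STAGE[:10] + b"##" + FAKE_STAGE[10:] + b"!!")[::-1]

if __name__ == "__main__":
    print("jpeg:", scan_jpeg(STAGED_JPEG))  # markers=True, trailing_bytes=66, pe_payload=True
    print("txt:", scan_txt(STAGED_TXT))     # pe_payload=True
```

A non-zero trailing_bytes count on its own is only a weak signal (some editors append metadata after the end-of-image marker); the marker hit plus a decoded MZ header is the combination worth alerting on.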

What You Should Do

  • Block Outbound Connections: Implement firewall rules to block outbound connections to direct IP-based HTTP/HTTPS endpoints, especially those not associated with known legitimate services.
  • Monitor Process Chains: Enhance monitoring for suspicious WScript and PowerShell process spawn chains, particularly those initiating network connections or loading modules in memory.
  • Restrict RegAsm.exe: Limit the execution of RegAsm.exe to only signed and verified processes. Unauthorized use of this tool can indicate malicious activity.
  • Audit Startup Folders: Regularly audit the contents of user and system startup folders for any unauthorized modifications or the presence of unfamiliar scripts or executables.
  • Educate Users: Conduct regular security awareness training to educate users about the dangers of downloading software from unofficial sources, clicking suspicious links, or interacting with deceptive CAPTCHA pages.
  • Implement Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting in-memory attacks and behavioral anomalies that bypass traditional signature-based antivirus.
  • Backup Data: Maintain regular, secure backups of all critical data to facilitate recovery in the event of a successful compromise.
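To make the "monitor process chains" and "restrict RegAsm.exe" items concrete, here is an added Python detection sketch (not from the article or the researchers) that walks parent/child relationships in Sysmon-style process-creation records and flags PowerShell or RegAsm.exe descending from a Windows script host. The event records are constructed inline; field names, paths and process IDs are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry); paths and PIDs are assumptions.
EVENTS = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Users\u\Downloads\tool.exe", "cmd": "tool.exe"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\ewccbqtllunx.vbs"},
    {"pid": 4202, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -NoProfile -Command <obfuscated>"},
    {"pid": 4240, "ppid": 4202, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmd": "RegAsm.exe"},
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Process"},  # benign control: no script-host ancestor
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
WATCHED = ("powershell.exe", "regasm.exe")
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)  # -WindowStyle Hidden / -w hidden / -w h

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid, max_hops=4):
    """Walk the parent chain (bounded), returning ancestor records nearest first."""
    out, ev = [], by_pid.get(pid)
    while ev is not None and len(out) < max_hops:
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            out.append(ev)
    return out

def find_suspicious_chains(events):
    """Flag PowerShell or RegAsm.exe descending from a script host; note hidden-window and Temp-path indicators."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        if name not in WATCHED:
            continue
        chain = ancestors(e["pid"], by_pid)
        if not any(basename(a["image"]) in SCRIPT_HOSTS for a in chain):
            continue  # PowerShell with an ordinary parent is not flagged
        reasons = ["descends from " + " <- ".join(basename(a["image"]) for a in chain)]
        if HIDDEN.search(e["cmd"]):
            reasons.append("hidden window requested")
        if any("\\temp\\" in a["cmd"].lower() for a in chain):
            reasons.append("script launched from a Temp directory")
        hits.append({"pid": e["pid"], "image": name, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(hit)
```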
