Vidar Malware Steals Browser Data, Crypto Wallets, and System Info
Key Takeaways The Vidar information stealer is actively being deployed through a sophisticated multi-stage loader campaign. Attackers are using what appears to be a legitimate software activation...
Key Takeaways
- The Vidar information stealer is actively being deployed through a sophisticated multi-stage loader campaign.
- Attackers are using what appears to be a legitimate software activation tool to initiate the infection.
- The malware targets browser data, cryptocurrency wallets, and system information, then executes a robust cleanup routine to evade detection.
- LevelBlue researchers uncovered the campaign, highlighting advanced defense evasion techniques.
Vidar Stealer Resurfaces with Advanced Evasion Tactics
Vidar malware, an established information stealer active since late 2018, is once again a significant threat, now employing a highly sophisticated multi-stage loader to compromise systems. This persistent threat is engineered to pilfer sensitive data, including browser credentials, session cookies, cryptocurrency wallet files, and comprehensive system details.
Table Of Content
Originally derived from the Arkei stealer’s source code, Vidar has evolved into a formidable and widely used commodity malware family. What distinguishes the current wave of Vidar activity is not merely its data exfiltration capabilities but the meticulous pre-deployment preparation by attackers, with each step in the infection chain designed to bypass security measures before the final payload is delivered.
Multi-Stage Loader Campaign Uncovered by LevelBlue
Researchers at LevelBlue identified this multi-stage loader campaign through proactive threat hunting within a client’s environment. Their analysis of endpoint telemetry and dynamic behavior revealed a complex sequence involving script masquerading, phased payload extraction, and command-and-control (C2) communications.
This discovery underscores a growing trend where well-known malware families are being integrated into increasingly intricate delivery mechanisms to broaden their reach and effectiveness. The initial entry point for these attacks often masquerades as a legitimate software activation tool, deceiving unsuspecting users into executing malicious code.
How Vidar Steals Sensitive Data
The infection typically commences with a commonly abused hack tool, such as “MicrosoftToolkit.exe.” Users are tricked into running this utility under the false pretense of activating legitimate software. This social engineering tactic reduces reliance on traditional phishing or software exploits, making the initial compromise more challenging for conventional security defenses to detect.
Upon execution, a disguised file named “Swingers.dot” is renamed to a batch script and then run, initiating a series of commands. The system first checks for active security processes, then extracts additional payload components, ultimately launching an AutoIt-compiled loader called “Replies.scr.” Subsequent outbound connections to Vidar-associated infrastructure confirm the successful deployment of the final payload, which then actively harvests data. Vidar specifically targets browser-stored credentials, saved session cookies, cryptocurrency wallet files, and general system information, enabling attackers to acquire substantial valuable data from even a single compromised machine.
The malware leverages public platforms such as Steam and Telegram for its command-and-control infrastructure, camouflaging its traffic as routine web activity. It constructs HTTP GET requests to retrieve configuration data from these platforms before proceeding with data exfiltration. DNS lookups were also observed resolving to gz.technicalprorj.xyz via public DNS servers, indicating the attackers’ use of dynamic infrastructure to evade blocklists.
Defense Evasion and Post-Attack Cleanup
A distinctive characteristic of this campaign is the thoroughness with which the malware eradicates its traces post-execution. After payload extraction and data exfiltration, “MicrosoftToolkit.exe” deletes all files it dropped during the infection process, resets file attributes, releases associated memory, and terminates its own process. This comprehensive cleanup significantly impedes forensic investigations and traditional incident response efforts.
Furthermore, the malware incorporates anti-analysis capabilities, checking for debuggers and security monitoring tools using low-level Windows functions. If an analysis environment is detected, Vidar can modify its behavior to avoid observation. This anti-analysis feature, combined with the extensive cleanup routine and the use of legitimate Windows tools throughout the attack chain, lends this campaign a moderate-to-high degree of sophistication, despite its reliance on a commodity stealer.
What You Should Do
- Isolate Compromised Systems: Immediately disconnect any affected systems from the network to prevent further data loss and lateral movement.
- Reimage Systems: Perform a full system reimage on compromised machines, as the malware can download additional payloads.
- Reset Credentials: Reset all exposed credentials, including browser passwords, email accounts, VPN logins, and administrator accounts. Close all active sessions.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all critical services and accounts to add an extra layer of security.
- Monitor Network Traffic: Continuously monitor outbound network traffic and DNS queries for any unusual or suspicious connections.
- Restrict Unauthorized Tools: Implement policies to restrict the execution of unauthorized software and tools on endpoints.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d | MicrosoftToolkit.exe |
| SHA256 | d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f | swingers.dot.bat |
| SHA256 | 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 | Beds.dot |
| SHA256 | 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb | replies.scr |
| SHA256 | 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe | D (payload file) |
| IP Address | 149.154.167.99 | Vidar-associated C2 IP |
| Domain | telegram[.]me | C2 domain |
| Domain | gz[.]technicalprorj[.]xyz | Vidar-associated C2 domain |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.