New Vidar Stealer Campaign Evades EDR, Steals Credentials

Sarah simpson
May 12, 2026

Key Takeaways

  • A new, sophisticated campaign is distributing Vidar Stealer, actively targeting Windows users.
  • The malware employs advanced evasion techniques, including multi-stage delivery and environment variable obfuscation, to bypass Endpoint Detection and Response (EDR) solutions.
  • Initial compromise occurs via spear-phishing emails containing malicious shortcut files, leading to the theft of browser credentials, session cookies, and cryptocurrency wallet data.
  • The campaign utilizes Living-off-the-Land (LotL) tactics and creates deceptive scheduled tasks for persistence.

Stealthy Vidar Stealer Campaign Evades EDR, Targets Windows Users for Credential Theft

A highly sophisticated and stealthy campaign is currently deploying Vidar Stealer against Windows users, leveraging an intricate attack chain specifically designed to circumvent Endpoint Detection and Response (EDR) systems and extract sensitive user credentials. This operation is notable for its quiet execution, often completing its malicious objectives before victims are aware of any compromise.

Vidar Stealer, an information-stealing malware first identified in 2018 as a variant of the Arkei stealer, has continuously evolved. It possesses robust capabilities for extracting browser passwords, session cookies, cryptocurrency wallet information, authentication tokens, and autofill data stored locally on infected systems. The latest iteration of this malware enhances these capabilities with advanced evasion mechanisms, allowing it to consistently bypass modern EDR tools.

Security researchers at Genians Security Center were instrumental in identifying and analyzing this campaign. Their findings highlight the use of multi-stage delivery techniques, heavily obfuscated script execution, and the abuse of legitimate system utilities to avoid triggering security alerts. This blend-in approach makes the campaign particularly dangerous for organizations that primarily rely on traditional signature-based detection methods.

Initial Access and Evasion Tactics

The attack typically begins with highly targeted spear-phishing emails, meticulously crafted to align with the recipient’s professional context or personal interests. These emails contain ZIP archives that, when opened, reveal Windows shortcut files disguised as ordinary work documents. Executing these shortcut files silently triggers an obfuscated command in the background, without any visible indication to the user.

The malware proceeds through a series of secondary payload downloads, ultimately deploying its core information-stealing component. Each stage of this process employs environment variable-based obfuscation, where commands are reconstructed only at runtime. This technique often defeats static analysis tools, preventing early detection and response.

A central part of the campaign’s evasion strategy is defeating behavior-based detection. The threat actors use environment variable substring expansion (the cmd.exe %VAR:~start,length% syntax) to fragment commands and reassemble them character by character at runtime. The full command string therefore never appears in plaintext as written, so security tools that inspect the script during execution see individual fragments rather than the intent of the whole instruction.

The attackers also use curl.exe, which ships with current Windows releases, to download further payloads from remote servers. This “Living-off-the-Land” (LotL) tactic makes detection harder because a legitimate system tool is doing the work. A Python embeddable package is retrieved from a trusted external source as well, giving the malware a quiet execution environment and keeping the outbound network activity looking unremarkable.
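An added analysis aid, not code from the article or from Genians: a Python resolver for the cmd.exe substring expansions described above, plus the density rule a detection engineer would pair with it. The environment values and the obfuscated sample line are constructed, and the function names are assumptions of this example.

```python
import re
from typing import Dict, Optional

# cmd.exe substring expansion syntax: %VAR:~start% or %VAR:~start,length%
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")

def slice_like_cmd(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe semantics: a negative start counts back from the end,
    a negative length drops that many trailing characters, and a missing
    length means 'to the end of the string'."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:len(value) + length]
    return value[start:start + length]

def expand_substrings(command: str, env: Dict[str, str]) -> str:
    """Resolve every %VAR:~n,m% fragment against a captured environment.
    Names are case-insensitive on Windows; unknown variables are left as
    written so the analyst can see which variables the sample relied on."""
    upper_env = {k.upper(): v for k, v in env.items()}
    def repl(m):
        name, start, length = m.group(1).upper(), int(m.group(2)), m.group(3)
        if name not in upper_env:
            return m.group(0)
        return slice_like_cmd(upper_env[name], start, None if length is None else int(length))
    return SUBSTR_RE.sub(repl, command)

def fragment_count(command: str) -> int:
    """Substring expansions in one command line."""
    return len(SUBSTR_RE.findall(command))

def is_obfuscated(command: str, threshold: int = 4) -> bool:
    """Detection rule: several expansions glued back to back (the '%%' between
    them) means characters are being reassembled, not a path being looked up."""
    return fragment_count(command) >= threshold and "%%" in command

# Constructed sample environment with the values a default Windows install has.
SAMPLE_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe", "PUBLIC": r"C:\Users\Public"}
# Constructed sample line in the style the article describes: the tool name is
# never written out; each character is cut out of an existing variable.
SAMPLE_CMD = ("%COMSPEC:~20,1%%PUBLIC:~10,1%%PUBLIC:~6,1%%PUBLIC:~12,1%"
              "%COMSPEC:~23,4% --version")

if __name__ == "__main__":
    print(fragment_count(SAMPLE_CMD), is_obfuscated(SAMPLE_CMD))  # 5 True
    print(expand_substrings(SAMPLE_CMD, SAMPLE_ENV))  # curl.exe --version
```

Feed it the environment captured from the affected host (set > env.txt) rather than your own, since the fragments only resolve correctly against the variable values the sample ran with.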

For persistence, a scheduled task is created, deliberately named to mimic a legitimate Microsoft system process (e.g., “MicrosoftMusicLibrariesPackageTaskMachine”). This ensures the malware runs at one-minute intervals and survives system reboots. The final payload, a compiled Python bytecode file disguised with a .cat extension, functions as a remote access backdoor, capable of executing commands, collecting files, and exfiltrating system data to attacker-controlled infrastructure.
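As an added example (not the article's or Genians' code), a Python audit of scheduled-task XML definitions (the files under C:\Windows\System32\Tasks, or the output of schtasks /query /xml) that flags the three traits the persistence paragraph above describes and the audit advice below asks for: a one-minute repetition, an action outside system directories, and a name that imitates Microsoft. Both task samples are constructed; the suspicious one reuses names from the IoC table, while its directory and the benign task's name are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a stock Windows task's action is expected to live in.
TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# ISO 8601 durations as used by <Interval>, e.g. PT1M, PT1H, P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(iso: str):
    m = DURATION_RE.match(iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def audit_task(task_path: str, xml_text: str, max_interval: int = 60) -> List[str]:
    """Findings for one task; task_path is its path relative to the Tasks
    folder (as shown by 'schtasks /query'), xml_text its XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = duration_seconds(iv.text or "")
        if secs is not None and secs <= max_interval:
            findings.append(f"repeats every {secs}s")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        if not raw.strip('"').lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"action outside system/program directories: {raw}")
    name = task_path.rsplit("\\", 1)[-1].lower()
    if "microsoft" in name and not task_path.lower().startswith("\\microsoft\\"):
        findings.append("name imitates Microsoft but task is not under \\Microsoft\\")
    return findings

# Constructed sample modelled on the persistence described above: task name and
# file names come from the article's IoC table; the directory is an assumption.
SUSPICIOUS_TASK: Tuple[str, str] = ("\\MicrosoftMusicLibrariesPackageTaskMachine",
"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\codeflush.exe</Command>
  <Arguments>settingenv.cat</Arguments></Exec></Actions></Task>""")
# Constructed benign sample in the shape of a stock task (not a real Windows task).
BENIGN_TASK: Tuple[str, str] = ("\\Microsoft\\Windows\\Example\\Maintenance",
"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\\system32\\example.exe</Command></Exec></Actions></Task>""")

if __name__ == "__main__":
    for path, xml in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(path, audit_task(path, xml) or ["clean"])
```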

Credential Theft and Broader Impact

Vidar’s primary objective in this campaign is to exfiltrate user credentials and other sensitive data from Chromium-based browsers and similar applications. It specifically targets locally stored passwords, session cookies, and the encrypted key files browsers use to protect login information. The malware calls the Windows DPAPI function CryptUnprotectData to decrypt the master key stored in the browser’s Local State file, and with that key it can read the saved credentials in full.

Investigations revealed multiple command-and-control (C2) domains spread across various countries and hosting providers, complicating infrastructure-based blocking efforts for defenders. The widespread deployment of these credential theft tools underscores the broad impact across numerous sectors.

What You Should Do

  • Enhance EDR capabilities with robust behavior-based detection to identify obfuscated script execution and multi-stage download activities.
  • Implement policies to block the execution of shortcut files (LNK files) from within compressed archives, especially those received via email.
  • Regularly audit scheduled tasks on endpoints for any suspicious entries that mimic legitimate system processes.
  • Advise users against saving credentials directly within web browsers; instead, encourage the use of reputable password managers.
  • Conduct ongoing security awareness training to educate employees about the dangers of spear-phishing and malicious attachments.

Indicators of Compromise (IoCs)

Type Indicator Description
Domain kmot.co[.]kr Korea-based C2 server hosting malicious payloads
Domain haeundaejugong[.]com C2 server used to collect and exfiltrate user data
Domain kumdo[.]org Secondary C2 server for data exfiltration
Domain nls5950.cafe24[.]com C2 infrastructure used in related malicious activity
Domain hanainternational[.]net C2 domain linked to threat actor infrastructure
Domain mlgpf.ir114[.]net C2 domain associated with campaign
Domain luminix[.]kr C2 domain identified in related malicious files
Domain sunlin[.]org C2 domain observed in threat actor infrastructure
Domain ezvm[.]kr C2 domain linked to malicious distribution
Domain intobiz[.]kr C2 domain used in campaign infrastructure
Domain choisy[.]fr France-based C2 server observed in attack chain
Domain printory[.]kr Domain used to host compiled Python bytecode malware
Domain udcontest[.]com Domain hosting webshell used in phishing attack
Domain ableinfo.co[.]kr Distribution infrastructure for malicious files
IP Address 114.207.246[.]156 IP address shared across multiple attack domains
File Name settingenv.cat Compiled Python bytecode payload disguised as Windows catalog file
File Name codeflush.exe Renamed pythonw.exe used as stealthy malware execution host
File Name GX)/M27s.bat Obfuscated batch file used for secondary payload execution
File Name ms3360.bat Batch file variant used in obfuscated execution chain
File Name yS1825.bat Batch file variant identified in attack chain
File Name K3772.bat Batch file variant used in environment variable obfuscation
File Name HqcUpdate.exe Final information-stealing payload (Chinotto)
File Name WStep163.cab Obfuscated Python script downloaded from C2 server
File Name MicroAppsTemp28h2.bat Batch file downloaded from C2 for follow-up activity
Scheduled Task MicrosoftMusicLibrariesPackageTaskMachine Persistence mechanism disguised as legitimate Microsoft task

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.