Vidar
Vidar is a Windows information-stealing malware family, widely referred to as Vidar Stealer, and described in the sourced reporting as a fork or copycat of the Arkei stealer, first seen in 2018. Its core capability is theft and exfiltration of sensitive data from compromised hosts, including credentials, browser-stored data, cookies, authentication/session tokens, credit card information, cryptocurrency wallets, clipboard contents, screenshots, cached credentials, installed application data, and general system information. Multiple sources specifically note that Vidar can retrieve browser cookies, including from recent Chrome versions, and that it is used in mass credential-harvesting campaigns.
Observed behavior includes downloading legitimate DLL dependencies from its C2 infrastructure, using HTTP GET to retrieve files such as freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, and vcruntime140.dll, and exfiltrating stolen data in ZIP archives over HTTP POST. Additional reported behaviors include monitoring clipboard content, taking screenshots, reading cached credentials of various applications, possible persistence via registry run keys or startup folders, and use of HTTP/S web protocols for command-and-control and exfiltration. ASD reporting states that some Vidar campaigns obtain initial C2 details through dead-drop resolvers such as Telegram bots and Steam profiles, then beacon and exfiltrate via HTTP/S POST. The malware also uses defense-evasion techniques including obfuscation, self-deletion of the initial executable, and primarily in-memory execution in at least some delivery chains.
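As an added illustration (not code from this page or from any vendor), the following Python sketches a detection for the behaviour described above: a host that fetches the six DLL dependencies over HTTP GET from one server and then POSTs a ZIP archive back to that same server. The proxy log layout and the sample log lines are constructed for the example; the DLL list is the one given in the text.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Legitimate DLLs that Vidar pulls from its C2 over HTTP GET (listed in the text above).
VIDAR_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
              "nss3.dll", "softokn3.dll", "vcruntime140.dll"}

# Hypothetical proxy log layout (constructed for this example, not a vendor format):
# <timestamp> <src_host> <method> <url> <status> <bytes> <content-type>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>GET|POST) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$")

# Constructed sample log: WS-017 shows the Vidar pattern, WS-042 is benign noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WS-017 GET http://203.0.113.10/freebl3.dll 200 612000 application/octet-stream
2024-05-01T10:00:02Z WS-017 GET http://203.0.113.10/mozglue.dll 200 140000 application/octet-stream
2024-05-01T10:00:02Z WS-017 GET http://203.0.113.10/msvcp140.dll 200 440000 application/octet-stream
2024-05-01T10:00:03Z WS-017 GET http://203.0.113.10/nss3.dll 200 1200000 application/octet-stream
2024-05-01T10:00:03Z WS-017 GET http://203.0.113.10/softokn3.dll 200 250000 application/octet-stream
2024-05-01T10:00:04Z WS-017 GET http://203.0.113.10/vcruntime140.dll 200 85000 application/octet-stream
2024-05-01T10:00:09Z WS-017 POST http://203.0.113.10/ 200 310000 application/zip
2024-05-01T10:01:00Z WS-042 GET https://download.mozilla.org/firefox-setup.exe 200 58000000 application/octet-stream
2024-05-01T10:02:00Z WS-042 POST https://mail.example.com/upload 200 20000 application/zip
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_vidar_like_hosts(text, min_dlls=3):
    """Flag hosts that GET at least min_dlls of the dependency set from one
    server and later POST a ZIP back to that same server (the exfiltration step)."""
    state = defaultdict(lambda: {"dlls": set(), "servers": set(), "zip_posts": []})
    for ev in parse_log(text):
        url = urlsplit(ev["url"])
        name = url.path.rsplit("/", 1)[-1].lower()
        h = state[ev["host"]]
        if ev["method"] == "GET" and name in VIDAR_DLLS:
            h["dlls"].add(name)
            h["servers"].add(url.netloc)
        elif (ev["method"] == "POST" and ev["ctype"] == "application/zip"
              and url.netloc in h["servers"]):
            h["zip_posts"].append(ev["url"])
    return {host: {"dlls": sorted(v["dlls"]), "zip_posts": v["zip_posts"]}
            for host, v in state.items()
            if len(v["dlls"]) >= min_dlls and v["zip_posts"]}
```

Requiring the ZIP POST to go to the same server that served the DLLs keeps an ordinary Firefox install or a ZIP upload to a mail server from tripping the rule.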
The content links Vidar to several infection and delivery vectors. Reported distribution methods include malvertising campaigns, phishing emails, drive-by downloads, ClickFix social-engineering lures, compromised WordPress sites, malicious Word documents using remote template injection via the Colibri loader, CHM-based phishing, fake browser or verification prompts, binders/loaders, Discord CDN abuse, and ClearFake campaigns. In the Australian ClickFix activity, compromised WordPress pages displayed a fake Cloudflare verification prompt, copied an obfuscated PowerShell command to the clipboard, and instructed the user to execute it with administrative privileges, after which Vidar was downloaded and launched.
Vidar is repeatedly associated with financially motivated cybercrime and credential-access ecosystems. The content ties it to mass infostealer campaigns affecting Snowflake-related compromises, FIFA-themed credential theft, and broader credential pipelines alongside Lumma, RedLine, RisePro, Raccoon Stealer, and MetaStealer. It is also mentioned in operations or infrastructure linked to Fox Tempest malware-signing abuse, Vanilla Tempest, Scattered Spider phishing activity, and ransomware-adjacent ecosystems involving families such as Rhysida, Akira, INC, Qilin, and BlackByte. High-confidence infrastructure and sample indicators directly mentioned in the content include SHA-256 b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180 for a September 2019 Vidar sample; C2 infrastructure 104.200.67[.]209:80 and dersed[.]com for that sample; and a VMRay-analyzed sample bPqn6zc9i6TeEqXz.exe with MD5 1ce37c9a9b307500590e7851f2b9a282, SHA1 d06b99394887747fa28f91fb19de214187467448, and SHA256 62338c7764f4e82105ea52fab868e1f04dc2f54bb44c5a47ddac685eacd6ed3c.
Groups observed using it
10 distinct threat actors attributed by public researchers.
Microsoft linked Fox Tempest-enabled activity to ransomware and malware operations involving Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and other families or affiliates.
Apart from the above legitimate tools used for malicious purposes, Scattered Spider also conducts phishing attacks to install malware like the WarZone RAT, Raccoon Stealer, and Vidar Stealer, to steal from compromised systems login credentials, cookies, and other data useful in the attack.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
“...HijackLoader malware ... downloads the Vidar infostealer (v9d9d.exe).”
...relied on distributing infostealers such as RedLine, Lumma, or Vidar... to harvest credentials.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
The actors behind Vidar spread it by adding comments on YouTube that contain links to a ZIP or RAR archive hosted on a file-sharing platform which changes every week.
Resource Development
7 techniques
Vidar and Lumma malware are delivered through cracked software lures, malvertising networks, and Telegram cheat channels.
Acquire Infrastructure: Domains T1583.001 Adversary obtains domains to use for ClickFix attacks, payload delivery and C2 Infrastructure.
Compromise Infrastructure: Web Services T1584.006 Adversary leverages legitimate domain infrastructure to use as attack vector.
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Obtain Capabilities: Malware T1588.001 Adversary obtains Vidar Stealer to steal sensitive information.
Obtain Capabilities: Exploits T1588.005 Adversary obtains exploits to compromise legitimate WordPress webpages.
Delivery. Phishing, a fake installer, SEO poisoning. The user runs the malware on their own device.
Initial Access
3 techniques
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
Malvertising campaigns, phishing emails, and drive-by downloads have been mostly leveraged to spread Vidar
Delivery. Phishing, a fake installer, SEO poisoning. The user runs the malware on their own device.
Execution
4 techniques
Command and Scripting Interpreter: PowerShell T1059.001 Adversary utilises PowerShell commands to download and deploy a malware executable from the internet.
As can be seen, the user is tricked into thinking that they have launched the Homebrew app and opening the AMOS stealer.
User Execution: Malicious Copy and Paste T1204.004 Adversary relies upon a user pasting the PowerShell command – which has been copied to their clipboard by a malicious script – into the command line as administrator.
Persistence
1 technique
Privilege Escalation
2 techniques
Vidar has been able to evade detection with its use of ... process injection
Stealth
7 techniques
Obfuscated Files or Information T1027 PowerShell command which is copied to the user’s clipboard is heavily obfuscated. This makes detection of the malware delivery URL or analysis of the command difficult.
the service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.
Vidar has been able to evade detection with its use of ... process injection
Indicator Removal: File Deletion T1070.004 Upon execution the file will delete itself and exist in memory to evade detection and prevent analysis of the executable file.
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
Next, the malicious DLL reads the encrypted “bake.docx” file, gets the payload and the key from a specified offset, and decodes the payload.
Defense Impairment
1 technique
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Credential Access
6 techniques
the stealers copy all browser-stored credentials, cookies, autofill data, session tokens, and cryptocurrency wallet seeds from every infected device.
These stealers copy every browser-stored credential, session token, and cryptocurrency wallet seed from infected devices.
The infostealer reads the browser's files and memory, where the session cookies are stored - Credentials from Web Browsers (T1555.003, Credential Access).
Information stealers, which are used to collect credentials to then sell them on the dark web or use in subsequent cyberattacks, are actively distributed by cybercriminals.
Collection
2 techniques
Vidar ... could facilitate the covert exfiltration of targeted systems' data, including credentials, credit card information, and authentication tokens
Command and Control
4 techniques
Application Layer Protocol: Web Protocols T1071.001 Adversary uses POST requests to carry stolen information to the C2 server while blending in with normal HTTP/S traffic.
Vidar has been able to evade detection with its use of a Telegram and Steam profile-exploiting dead drop resolver technique
Researchers found that the malware-signing operation enabled customers to upload malicious files and receive code-signed versions using fraudulently acquired certificates.
Vidar has been able to evade detection with its use of ... Transport Layer Security Encryption
Exfiltration
1 technique
Vidar ... could facilitate the covert exfiltration of targeted systems' data
Other
1 technique
IOCs tracked for this family
253 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Information-stealing malware linked in the report to campaigns that used fraudulently signed binaries generated through the abused Microsoft signing platform.
Named as one of the known stealers that the binder is capable of packaging; no direct use in the described campaign is detailed beyond that reference.
An infostealer malware family referenced in relation to ClickFix attacks.
Information-stealing malware referenced as one of the malware operations enabled by Fox Tempest's fraudulent code-signing service, which helped malicious files appear legitimate and bypass security controls.