Vidar Infostealer Uses JPEG/TXT Payload Hiding and Fake Software Lures
Researchers reported that updated Vidar infostealer campaigns are using steganography, fileless execution, and social-engineering lures to evade detection and steal corporate and consumer data. Point Wild and Intrinsec found infections delivered through fake GitHub repositories, compromised WordPress sites showing ClickFix-style fake CAPTCHA prompts, gaming cheat posts on Reddit and Discord, and bogus software promoted in YouTube videos and hosted on services such as Mediafire. In one chain, a fake tool named NeoHub dropped a malicious DLL disguised as a Microsoft Edge component and signed with counterfeit certificates impersonating GitHub and grow.com.
The malware uses VBScript, obfuscated PowerShell, a Go-based loader, and trusted Windows binaries including WScript, PowerShell, and RegAsm.exe to fetch apparently harmless JPEG and TXT files that carry Base64-encoded second-stage payloads, then reconstructs and executes those payloads entirely in memory through .NET reflective loading, leaving few artifacts on disk. Researchers said Vidar now operates as a Malware-as-a-Service offering, locates its command-and-control infrastructure dynamically through a Dead Drop Resolver that reads addresses from public Steam profiles and Telegram channels, and exfiltrates credentials, cookies, payment data, cryptocurrency wallet files, and data from more than 200 browser extensions, often through Telegram and Cloudflare-fronted domains to mask the attacker's infrastructure.
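The carrier trick described above (and again in the timeline entry on JPEG/TXT payload hiding) is easy to reproduce on the analysis side. The following is an added example, not code from Point Wild, Intrinsec or the Vidar operators: it scans a JPEG or TXT file for long Base64 runs, decodes each one, and checks whether the result carries a PE header, which is what a reflectively loaded .NET second stage would start with. Two assumptions are not stated in the reporting and are labelled in the code: that the hidden stage is a contiguous Base64 run, and that the decoded stage is a PE image beginning with `MZ`. The sample JPEG and TXT carriers are constructed here, not real Vidar artefacts.

```python
"""Carve a Base64-encoded second stage out of a JPEG or TXT carrier.

Added example for this page; not Point Wild's, Intrinsec's or Vidar's own
code. Assumptions (not stated in the reporting): the hidden stage is a
contiguous run of Base64 text somewhere in the carrier, and the decoded
stage is a PE image that begins with an 'MZ' DOS header. Samples built
differently (split runs, a further encryption layer) would show up only as
high-entropy runs, which the scanner reports without a PE verdict.
"""
import base64
import binascii
import math
import re

# A Base64 run long enough to be worth decoding; short runs are common in
# ordinary text and in JPEG metadata, so the threshold cuts noise.
MIN_RUN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or not blob.startswith(b"MZ"):
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_base64_runs(carrier: bytes):
    """Yield (offset, decoded_bytes) for every long Base64 run that decodes."""
    for m in B64_RUN.finditer(carrier):
        run = m.group(0)
        # Tolerate stripped '=' padding, a common trick to dodge naive regexes.
        padded = run + b"=" * (-len(run) % 4)
        try:
            yield m.start(), base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue


def scan_carrier(carrier: bytes) -> list:
    """Report every carved run: offset, decoded size, PE verdict and entropy."""
    return [
        {
            "offset": off,
            "size": len(blob),
            "is_pe": looks_like_pe(blob),
            "entropy": round(shannon_entropy(blob), 2),
        }
        for off, blob in carve_base64_runs(carrier)
    ]


def find_embedded_pe(carrier: bytes):
    """Return (offset, pe_bytes) for the first carved PE image, else None."""
    for off, blob in carve_base64_runs(carrier):
        if looks_like_pe(blob):
            return off, blob
    return None


# --- constructed sample input (not real Vidar artefacts) -------------------

def build_fake_pe_stub() -> bytes:
    """Stand-in second stage: a DOS header pointing at a PE signature.

    Only the header fields the checker reads are filled; it is not loadable.
    """
    dos = bytearray(b"MZ" + b"\0" * 62)             # 64-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b"constructed second stage"


def build_sample_jpeg() -> bytes:
    """Minimal JPEG (SOI, APP0/JFIF, EOI) with the Base64 stage appended.

    Appending after the EOI marker is an assumption about placement; JPEG
    decoders stop at EOI, so trailing data does not break a real image.
    """
    jfif = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xFF\xD8" + jfif + b"\xFF\xD9" + base64.b64encode(build_fake_pe_stub())


def build_sample_txt() -> bytes:
    """The same stage wrapped in an innocuous-looking text file."""
    return b"changelog\n" + base64.b64encode(build_fake_pe_stub()) + b"\n"


if __name__ == "__main__":
    for name, data in (("jpeg", build_sample_jpeg()), ("txt", build_sample_txt())):
        print(name, scan_carrier(data))
```

Run it against a suspicious download and look at two things: any run whose `is_pe` is true is a staged executable and should be hashed and detonated; a run that decodes but is not a PE yet has entropy near 8.0 is worth a second look, since a loader may add an encryption layer under the Base64 that this scanner does not peel.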

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
LevelBlue links Vidar campaign to fake MicrosoftToolkit activation tool
LevelBlue researchers reported a multi-stage Vidar campaign using a fake software activation tool, MicrosoftToolkit.exe, to deliver the infostealer. The chain used renamed scripts, staged payload extraction, an AutoIt-compiled loader, anti-analysis checks, and post-execution cleanup, while Vidar stole browser credentials, cookies, cryptocurrency wallet files, and system data.
Point Wild details fileless Vidar execution using Windows tools
Point Wild's Lat61 Threat Intelligence Team analyzed the 2026 variant and found it used VBScript, obfuscated PowerShell, a Go-based loader, RegAsm.exe, and .NET reflective loading for in-memory execution. The approach minimized disk artifacts and helped the malware evade detection while stealing credentials, wallet data, and browser-extension secrets.
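Because the chain runs through trusted binaries, the durable detection opportunity is the process tree rather than any file hash. The following added example (not Point Wild's code) walks parent/child relationships in process-creation events and flags a RegAsm.exe launch whose ancestry passes through a script host, which is the shape of the VBScript to PowerShell to loader to RegAsm.exe chain described above. The CSV log is a constructed stand-in for Sysmon Event ID 1 fields; the image names, paths and PIDs in it are sample data, not indicators from the reporting, and the inclusion of cscript.exe and pwsh.exe alongside the named hosts is an assumption.

```python
"""Flag RegAsm.exe launches whose ancestry runs through a script host.

Added example, not Point Wild's code. It models the chain the reporting
describes (VBScript -> PowerShell -> Go loader -> RegAsm.exe) as a walk up
the process tree. The log format is a constructed CSV stand-in for Sysmon
Event ID 1 fields; image names, paths and PIDs are sample data.
"""
import csv
import io
import ntpath

# Script hosts the reporting names as stages of the chain; cscript.exe and
# pwsh.exe are added as obvious siblings (assumption, not from the reporting).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# The trusted .NET utility the campaign abuses for in-memory execution.
TARGETS = {"regasm.exe"}
# How far up the tree to look: the loader sits between PowerShell and RegAsm.
MAX_DEPTH = 4

# Constructed log (UtcTime,ProcessId,ParentProcessId,Image). Rows 2-5 are the
# malicious chain; the devenv.exe -> RegAsm.exe pair is a benign developer
# workflow that must not fire.
SAMPLE_LOG = """\
UtcTime,ProcessId,ParentProcessId,Image
2026-01-10 09:00:01,1000,800,C:\\Windows\\explorer.exe
2026-01-10 09:00:05,2000,1000,C:\\Windows\\System32\\wscript.exe
2026-01-10 09:00:06,3000,2000,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2026-01-10 09:00:09,4000,3000,C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe
2026-01-10 09:00:10,5000,4000,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
2026-01-10 09:05:00,6000,1000,C:\\Program Files\\Microsoft Visual Studio\\devenv.exe
2026-01-10 09:05:02,7000,6000,C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe
"""


def parse_events(text: str) -> list:
    """Parse the CSV stand-in into dicts with int PIDs."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        {"time": r["UtcTime"], "pid": int(r["ProcessId"]),
         "ppid": int(r["ParentProcessId"]), "image": r["Image"]}
        for r in rows
    ]


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_pid: dict, max_depth: int = MAX_DEPTH) -> list:
    """Return [event, parent, grandparent, ...] up to max_depth ancestors.

    Simplification: keyed on ProcessId. Windows reuses PIDs, so a production
    rule should key on ProcessGuid (Sysmon) or pair PID with creation time.
    """
    chain = [event]
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(cur)
    return chain


def detect_lolbin_chains(events: list) -> list:
    """Flag each target process with a script host anywhere in its ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in TARGETS:
            continue
        chain = ancestry(e, by_pid)
        hosts = [p for p in chain[1:] if image_name(p["image"]) in SCRIPT_HOSTS]
        if hosts:
            findings.append({
                "pid": e["pid"],
                "time": e["time"],
                "chain": [image_name(p["image"]) for p in chain],
                "script_hosts": [image_name(p["image"]) for p in hosts],
            })
    return findings


if __name__ == "__main__":
    for f in detect_lolbin_chains(parse_events(SAMPLE_LOG)):
        print(f["time"], f["pid"], " <- ".join(f["chain"]))
```

Walking several hops rather than checking only the immediate parent is the point: the Go loader between PowerShell and RegAsm.exe would defeat a plain parent/child rule, and the same walk still clears a developer's devenv.exe launching RegAsm.exe.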
Vidar campaign spreads through fake GitHub repos, game cheats, and fake CAPTCHAs
Researchers reported a 2026 campaign distributing Vidar through fake GitHub repositories, gaming cheat lures shared on Discord and Reddit, and ClickFix-style fake CAPTCHA pages on compromised WordPress sites. These social-engineering vectors were used to trigger the malware's staged execution chain.
New Vidar variant hides second-stage payloads in JPEG and TXT files
In 2026, researchers identified a Vidar variant that concealed Base64-encoded second-stage payload data inside seemingly benign JPEG and TXT files. The files were retrieved during a multi-stage infection chain and used to reconstruct the payload while reducing obvious malicious artifacts.
Researchers document Vidar's Steam- and Telegram-based C2 discovery
Intrinsec documented an infection chain in which Vidar used a malicious DLL disguised as a Microsoft Edge component and signed with counterfeit certificates impersonating GitHub and grow.com. The malware used a Dead Drop Resolver via public Steam profiles and Telegram channels to locate command-and-control infrastructure dynamically.
Vidar campaign uses fake software downloads promoted on YouTube
In early 2026, a Vidar campaign targeted corporate employees with fake software downloads advertised in YouTube videos and hosted on file-sharing services such as Mediafire. One documented lure used a fake tool called NeoHub to deliver the malware.
Vidar 2.0 is released with stronger evasion features
In October 2025, Vidar 2.0 was released, adding improved capabilities and stronger evasion. Subsequent reporting says it became one of the top stealers sold on Russian Market.
Law enforcement disrupts Lumma and Rhadamanthys operations
Law enforcement actions in 2025 disrupted the Lumma and Rhadamanthys infostealer ecosystems. Reporting says Vidar's rise accelerated afterward as operators and buyers shifted toward alternative stealers.
Sources
Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data
cybersecuritynews.com
Vidar infostealer evolves, uses image files for stealthy attacks | brief | SC Media
scworld.com
Vidar Rises to Top of Chaotic Infostealer Market
darkreading.com
New Vidar Malware Campaign Uses Fake YouTube Software Downloads to Steal Corporate Credentials
cybersecuritynews.com
Vidar Infostealer Spreads via Fake CAPTCHAs, Hides in JPEG and TXT Files
hackread.com
Vidar Malware Hides Second-Stage Payloads in JPEG and TXT Files to Evade Detection
cybersecuritynews.com
Inside Vidar (2026): From Infection to Memory Execution via JPEG and TXT Payloads | Point Wild
pointwild.com
Vidar Stealer 2.0 distributed via fake game cheats on GitHub and Reddit
acronis.com


