Deep Dive: Analyzing the Multi-Stage Vidar Infostealer Campaign via AutoIt Abuse
Security researchers have identified a sophisticated, multi-stage malware campaign currently deploying the Vidar Infostealer. Since its emergence in late 2018—built upon the foundations of the notorious Arkei stealer source code—Vidar has established a reputation for surgical precision in harvesting high-value assets, including browser session cookies, cryptocurrency wallets, system metadata, and user credentials.
A recent technical breakdown by researcher Mahadev Joshi reveals a highly evasive execution chain. The attackers are leveraging AutoIt—a legitimate Windows automation scripting language—and repurposing trusted web platforms to mask Command-and-Control (C2) communications, effectively blending malicious activity into the background noise of standard network traffic.

Phase 1: Initial Access via Social Engineering
The campaign bypasses traditional vulnerability exploitation in favor of a more reliable method: human error. The infection vector begins when a user executes MicrosoftToolkit.exe, a widely distributed but illegitimate software activation utility. By masquerading as a helpful tool, the malware gains an initial foothold through user consent. Upon execution, the binary spawns a command shell to initiate the orchestration of the subsequent staging phases.
To evade basic static analysis and file-type restrictions, the malware employs a clever masquerading technique. It takes a data file disguised with a .dot extension (swingers.dot) and renames it to a batch script. This allows the malicious instructions to execute within the user space without triggering immediate suspicion from legacy security controls.
Phase 2: Environment Reconnaissance and Payload Extraction
Before deploying the final payload, the malware performs a “quiet” reconnaissance of the local host. According to analysis by LevelBlue, the malware invokes native Windows binaries such as tasklist.exe and findstr.exe. This allows the threat actor to enumerate active processes and identify potential security software that might interfere with the infection.

Once the environment is deemed “safe,” the malware utilizes extract32.exe to unpack secondary components hidden within multiple .dot files. This stage culminates in the deployment of Replies.scr, an AutoIt-compiled binary that serves as the core loader.

Phase 3: Evasive Execution and Runtime Defense
The choice of AutoIt is strategic; because it is a legitimate automation tool, its execution often bypasses standard signature-based antivirus engines. The Replies.scr loader functions by reading an encrypted external payload into memory, performing decryption on-the-fly to avoid writing the “naked” malware to the disk.
The payload is equipped with advanced anti-analysis capabilities. It utilizes the ZwQueryInformationProcess syscall to detect if a debugger is attached to the process. If it identifies a researcher’s environment or detects EDR instrumentation callbacks, it will alter its behavior or terminate to prevent reverse engineering.

Phase 4: Stealthy C2 and Data Exfiltration
Upon successful memory injection, the Vidar stealer establishes communication via WinINet APIs. To avoid detection by network security monitoring (NSM) tools, the malware utilizes Dead-Drop Resolvers. Instead of connecting directly to a known malicious IP, it makes legitimate HTTP GET requests to Telegram and Steam Community profiles to retrieve its configuration and C2 instructions.

By blending with legitimate web traffic and resolving domains via public Google DNS, the malware’s beaconing activity becomes indistinguishable from standard user browsing, making high-fidelity network detection a significant challenge.
Phase 5: Forensic Cleanup and Anti-Forensics
The final stage of the campaign is a systematic cleanup. After exfiltration is complete, the original MicrosoftToolkit.exe process executes a routine to wipe its digital footprint. This includes resetting file attributes of dropped payloads, deleting all .dot files, and freeing memory structures. The process concludes with a call to RtlExitUserProcess, effectively terminating the thread and leaving minimal forensic artifacts for incident responders to reconstruct.
Indicators of Compromise (IOCs)
| IOC | Type | Description |
|---|---|---|
| fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d | SHA-256 | Initial Wrapper: MicrosoftToolkit.exe |
| d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f | SHA-256 | Renamed Batch Script: swingers.dot.bat |
| 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 | SHA-256 | Payload Component: Beds.dot |
| 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb | SHA-256 | AutoIt Loader: replies.scr |
| 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe | SHA-256 | Decrypted Payload: D |
| 149.154.167[.]99 | IP Address | Vidar C2 Infrastructure |
| telegram[.]me | Domain | Dead-Drop Resolver Service |
| gz[.]technicalprorj[.]xyz | Domain | Vidar C2 Domain |
MITRE ATT&CK Mapping
| Tactic | Technique | Technical Summary |
|---|---|---|
| TA0001 – Initial Access | T1204.002 | Malicious file execution via user-initiated download |
| TA0002 – Execution | T1059.003 | Command shell usage for staged execution |
| TA0002 – Execution | T1027 | Obfuscation via compressed/embedded formats |
| TA0005 – Defense Evasion | T1036 | Masquerading via file extension manipulation |
| TA0005 – Defense Evasion | T1562.001 | Termination of security-related processes |
| TA0011 – Command & Control | T1071.001 | C2 communication over standard web protocols |
| TA0010 – Exfiltration | T1041 | Data exfiltration via established C2 channel |
Security Advisory: IP addresses and domains have been defanged for safety. Analysts should re-fang these indicators only within isolated environments such as a SIEM or Threat Intelligence Platform (TIP).