Deep Dive: Analyzing the Multi-Stage Vidar Infostealer Campaign via AutoIt Abuse

Security researchers have identified a sophisticated, multi-stage malware campaign currently deploying the Vidar Infostealer. Since its emergence in late 2018—built upon the foundations of the notorious Arkei stealer source code—Vidar has established a reputation for surgical precision in harvesting high-value assets, including browser session cookies, cryptocurrency wallets, system metadata, and user credentials.

A recent technical breakdown by researcher Mahadev Joshi reveals a highly evasive execution chain. The attackers are leveraging AutoIt—a legitimate Windows automation scripting language—and repurposing trusted web platforms to mask Command-and-Control (C2) communications, effectively blending malicious activity into the background noise of standard network traffic.

Vidar infection chain (Source: LeveBlue)
Figure 1: Visualizing the Vidar infection chain (Source: LeveBlue)

Phase 1: Initial Access via Social Engineering

The campaign bypasses traditional vulnerability exploitation in favor of a more reliable method: human error. The infection vector begins when a user executes MicrosoftToolkit.exe, a widely distributed but illegitimate software activation utility. By masquerading as a helpful tool, the malware gains an initial foothold through user consent. Upon execution, the binary spawns a command shell to initiate the orchestration of the subsequent staging phases.

To evade basic static analysis and file-type restrictions, the malware employs a clever masquerading technique. It takes a data file disguised with a .dot extension (swingers.dot) and renames it to a batch script. This allows the malicious instructions to execute within the user space without triggering immediate suspicion from legacy security controls.

Phase 2: Environment Reconnaissance and Payload Extraction

Before deploying the final payload, the malware performs a “quiet” reconnaissance of the local host. According to analysis by LevelBlue, the malware invokes native Windows binaries such as tasklist.exe and findstr.exe. This allows the threat actor to enumerate active processes and identify potential security software that might interfere with the infection.

Attack tree observed in LevelBlue’s EDR (Source: LevelBlue)
Figure 2: Attack tree observed within LevelBlue’s EDR environment

Once the environment is deemed “safe,” the malware utilizes extract32.exe to unpack secondary components hidden within multiple .dot files. This stage culminates in the deployment of Replies.scr, an AutoIt-compiled binary that serves as the core loader.

Snippet of files created by Microsofttool.exe. (Source: LevelBlue)
Figure 3: Artifacts generated by the Microsofttool.exe wrapper

Phase 3: Evasive Execution and Runtime Defense

The choice of AutoIt is strategic; because it is a legitimate automation tool, its execution often bypasses standard signature-based antivirus engines. The Replies.scr loader functions by reading an encrypted external payload into memory, performing decryption on-the-fly to avoid writing the “naked” malware to the disk.

The payload is equipped with advanced anti-analysis capabilities. It utilizes the ZwQueryInformationProcess syscall to detect if a debugger is attached to the process. If it identifies a researcher’s environment or detects EDR instrumentation callbacks, it will alter its behavior or terminate to prevent reverse engineering.

Binary file D loaded by Replies.scr. (Source: Levelblue)
Figure 4: The decryption and loading of the primary payload (File D)

Phase 4: Stealthy C2 and Data Exfiltration

Upon successful memory injection, the Vidar stealer establishes communication via WinINet APIs. To avoid detection by network security monitoring (NSM) tools, the malware utilizes Dead-Drop Resolvers. Instead of connecting directly to a known malicious IP, it makes legitimate HTTP GET requests to Telegram and Steam Community profiles to retrieve its configuration and C2 instructions.

Snippet from x64dbg runtime (Source: LevelBlue)
Figure 5: Observed behavior during x64dbg runtime analysis

By blending with legitimate web traffic and resolving domains via public Google DNS, the malware’s beaconing activity becomes indistinguishable from standard user browsing, making high-fidelity network detection a significant challenge.

Phase 5: Forensic Cleanup and Anti-Forensics

The final stage of the campaign is a systematic cleanup. After exfiltration is complete, the original MicrosoftToolkit.exe process executes a routine to wipe its digital footprint. This includes resetting file attributes of dropped payloads, deleting all .dot files, and freeing memory structures. The process concludes with a call to RtlExitUserProcess, effectively terminating the thread and leaving minimal forensic artifacts for incident responders to reconstruct.


Indicators of Compromise (IOCs)

IOC Type Description
fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d SHA-256 Initial Wrapper: MicrosoftToolkit.exe
d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f SHA-256 Renamed Batch Script: swingers.dot.bat
978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 SHA-256 Payload Component: Beds.dot
881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb SHA-256 AutoIt Loader: replies.scr
968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe SHA-256 Decrypted Payload: D
149.154.167[.]99 IP Address Vidar C2 Infrastructure
telegram[.]me Domain Dead-Drop Resolver Service
gz[.]technicalprorj[.]xyz Domain Vidar C2 Domain

MITRE ATT&CK Mapping

Tactic Technique Technical Summary
TA0001 – Initial Access T1204.002 Malicious file execution via user-initiated download
TA0002 – Execution T1059.003 Command shell usage for staged execution
TA0002 – Execution T1027 Obfuscation via compressed/embedded formats
TA0005 – Defense Evasion T1036 Masquerading via file extension manipulation
TA0005 – Defense Evasion T1562.001 Termination of security-related processes
TA0011 – Command & Control T1071.001 C2 communication over standard web protocols
TA0010 – Exfiltration T1041 Data exfiltration via established C2 channel

Security Advisory: IP addresses and domains have been defanged for safety. Analysts should re-fang these indicators only within isolated environments such as a SIEM or Threat Intelligence Platform (TIP).

Related Articles

Back to top button