The Evolution of Vidar: From Simple Stealer to Sophisticated Multi-Stage Payload Obfuscation

The threat landscape surrounding Vidar has undergone a radical transformation. What began in 2018 as a relatively straightforward Arkei-based credential stealer has matured into a highly sophisticated, multi-stage Malware-as-a-Service (MaaS) ecosystem. Today, Vidar is defined by its extreme focus on stealth, utilizing unconventional delivery mechanisms such as hiding secondary payloads within benign-looking JPEG and TXT files to slip past modern endpoint detection and response (EDR) systems.

Recent intelligence from Malwarebytes, Acronis TRU, Zscaler, and Point Wild underscores a critical shift: the family has moved away from monolithic execution toward a layered, modular attack framework. This framework blends aggressive social engineering with “Living-off-the-Land” (LotL) techniques and entirely fileless execution.

The modern infection chain typically begins with a Go-compiled dropper—a choice that provides attackers with high performance and easier cross-platform portability compared to traditional C++ or .NET-based malware.

Detailed Attack Flow Analysis showing the progression from dropper to memory execution.
Attack Flow Analysis (Source: PointWild).

The Shift to User-Driven Infection Vectors

One of the most significant tactical changes observed is the move away from technical exploits. Instead of searching for unpatched software vulnerabilities, Vidar operators are increasingly relying on psychological exploits—tricking users into executing malicious code through trusted ecosystems. By 2026, the primary vectors have converged on a few specific high-traffic areas:

  • Trojanized Developer Tools: Attackers are weaponizing GitHub by uploading fake “Claude Code” repositories or cracked developer utilities. These repositories appear legitimate to developers but serve as delivery vehicles for Vidar loaders.
  • “ClickFix” and Fake CAPTCHAs: On compromised websites, users are met with deceptive Cloudflare-style “Are you human?” prompts. These prompts instruct users to copy and paste specific commands (using mshta, PowerShell, or nslookup) into their terminals, effectively bootstrapping the infection.
  • Gaming Ecosystem Exploits: The distribution of “free cheats” via Discord and Reddit remains a highly effective method for delivering Vidar 2.0 to unsuspecting gamers.
  • CMS Hijacking: Vulnerable WordPress sites are frequently used to host malicious redirects, funneling unsuspecting visitors toward attacker-controlled infrastructure.

Technical Deep Dive: The JPEG and TXT Staging Model

Point Wild’s forensic analysis reveals a highly complex execution chain designed to bypass disk-based scanning. The initial sample is identified as a 64-bit PE binary compiled with Go 1.25.7. This distinguishes it from the majority of the malware landscape, which typically relies on the .NET framework or C++.

Technical File Information showing Go compiler specifics.
Technical File Metadata (Source: PointWild).

The execution flow follows a meticulously planned progression:

  1. The Dropper: The Go-compiled binary deploys a VBScript loader, which in turn invokes an embedded PowerShell script.
  2. Steganographic Payload Retrieval: PowerShell establishes an HTTP connection to a remote IP (62[.]60[.]226[.]200) to download a file disguised as an image: 160066.jpg.
  3. In-Memory Extraction: While the file presents as a JPEG, it actually contains a Base64-encoded payload hidden between custom markers (> / >). The script extracts, reverses, and decodes this payload entirely in system memory. This prevents the “heavy lifting” from being detected by traditional antivirus scanning the filesystem.
  4. The Second Stage: A subsequent request fetches a .txt file from the same server. This text file carries a large, obfuscated payload that completes the execution chain.

This WScript → PowerShell → ConHost → RegAsm transition demonstrates a sophisticated move from script-based loading into a fully realized .NET execution phase.

Directory path where the VBScript component is dropped.
VBScript Dropped File Location (Source: PointWild).

Fileless .NET Execution and LOLBin Abuse

To maintain its “low-noise” profile, Vidar employs Living-off-the-Land Binaries (LOLBins). Specifically, the malware abuses RegAsm.exe (a legitimate Microsoft .NET utility) to act as an execution proxy. By using System.Reflection.Assembly::Load, the malware can load the decoded .NET assembly into memory without ever writing a malicious .exe to the disk.

Analysis of Anti-Debugging and Crypter protection.
Anti-Debugging and Crypter implementation (Source: PointWild).

The core assembly is heavily protected by commercial-grade obfuscation (SmartAssembly), making static analysis an arduous task for researchers. The code utilizes randomized symbols, encrypted strings, and complex control-flow distortion. At its heart, the logic is designed for one purpose: to pull text-based payloads over HTTP, clean them, and inject them into legitimate processes.

Command and Control (C2) Infrastructure:
Network telemetry shows that RegAsm.exe initiates outbound HTTPS traffic to two primary destinations:

  • Telegram Infrastructure: (149.154.167.99) used for covert C2 and data exfiltration via Telegram bots.
  • Cloudflare-Fronted Proxies: (104.21.19.141) via the domain pre[.]sequareeus[.]online. Using a CDN like Cloudflare allows attackers to mask their backend IP and blend in with legitimate web traffic.

The Bottom Line: Data Exfiltration at Scale

Despite the advanced delivery, the ultimate objective remains consistent: the high-speed theft of digital assets. Modern Vidar campaigns aggressively target:

  • Browser profiles (Chrome, Edge) and saved credentials.
  • Password managers and 2FA extensions.
  • Web3 and cryptocurrency wallet extensions.

By combining social engineering, steganography, and fileless execution, Vidar has evolved into a threat that requires more than just signature-based defense; it necessitates robust behavioral monitoring and zero-trust principles.

Indicators of Compromise (IoCs)

MD5 Hash File Description
4d79f169a1567c7ae88e11ba55aa7ba1 Go Compiler Executable
d047d8244397ab3a7581f885c7840f45 VBScript Loader
9d87e76783d6012b1bb42798e85e376a testpowershell.dll
371de4bf1d1acdc2ba3bf1eaef0a8a99 Vidar Payload
Indicator Type Value
HTTP Payload (JPEG) hxxp://62[.]60[.]226[.]200/public_files/160066[.]jpg?12711313
HTTP Payload (TXT) hxxp://62[.]60[.]226[.]200/public_files/KGVn4OY[.]txt
C2 Domain pre[.]sequareeus[.]online
Exfiltration Channel telegram[.]me/nwwfh8

Related Articles

Back to top button