Vidar

Malware

⚠️ Overview

Vidar is an information-stealing malware first observed in December 2018 by Malwarebytes, operating as a commodity stealer-as-a-service on Russian-language cybercrime forums. It is categorized as an information stealer (infostealer) designed to harvest credentials, cryptocurrency wallets, browser data, and system information from infected Windows systems. Researchers attribute its development to a threat actor known as “Vidar Stealer” or associated with the “Raccoon Stealer” ecosystem, though no official state sponsorship has been confirmed.

🔧 Technical Capabilities

Vidar propagates primarily through malvertising campaigns, phishing emails, and exploit kits (e.g., Fallout, GrandSoft) that target victims visiting compromised websites. The attack chain typically starts with a loader (often a .NET binary) that retrieves the main payload from a remote C2 server. The malware uses HTTP/HTTPS for command-and-control communication, with JSON-encrypted data exfiltrated to attacker-controlled servers (MITRE ATT&CK T1041). Persistence is achieved via registry Run keys or scheduled tasks (T1547, T1053). Evasion techniques include code obfuscation, anti-sandbox checks (e.g., checking for an attached debugger, disk size, and CPU core count), and string encryption. Vidar targets over 70 applications, including Chrome, Firefox, Edge, Telegram, Discord, FileZilla, and cryptocurrency wallets like Electrum and Exodus, stealing stored passwords, cookies, and autofill data and taking screenshots of the desktop (T1113). It also collects system information (hostname, IP address, installed software) and uploads the stolen data to its C2 as ZIP archives.

📜 History & Notable Incidents

Vidar first appeared in December 2018 and gained traction in 2019 via malvertising campaigns on sites like Pastebin and YouTube. In 2020, it was distributed through fake crack sites and alongside the Buer Loader malware. A notable campaign in March 2020 used COVID-19 themed lures to spread Vidar via malicious Word documents exploiting CVE-2017-11882 in Microsoft Office. No CVEs are directly assigned to Vidar itself. In November 2022, the Zscaler ThreatLabz report documented a rise in Vidar infections targeting the education and healthcare sectors. No major law enforcement takedowns have been publicly reported for Vidar as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: f5c3a8c1e7b2d4f6a9b0c8d2e4f6a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 (sample from VirusTotal). Behavioral signatures: creation of a random-named folder in %TEMP% that holds the stolen data before ZIP exfiltration, and connections to IPs associated with bulletproof hosting providers. Network IOCs: HTTP POST requests to URLs like hxxp://45.155.205.233/gate.php (historical C2). Registry keys: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vidar` for persistence. Mutex names include `Global\VidarStealer`. User-Agent strings often mimic `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36` but carry custom parameters.
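The indicators above are most useful when correlated per process rather than alerted on individually. The following Python triage helper is an added example, not code from the original page or from any vendor: it takes the Run-key value name, the mutex, the `/gate.php` POST path and the mimicked Chrome User-Agent prefix from the page, while the telemetry event schema, the `c2.example.invalid` host and the sample events are constructed assumptions.

```python
# Added example, not code from the page: correlate the Vidar indicators listed
# above across per-process telemetry. RUN_KEY, MUTEX, the /gate.php POST and the
# Chrome UA prefix come from the page; event schema and samples are constructed.
import re
from collections import defaultdict
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vidar"
MUTEX = r"Global\VidarStealer"
GATE_RE = re.compile(r"^https?://[^/\s]+/gate\.php(\?|$)", re.I)
# Real Chrome continues this prefix with a fixed tail; Vidar appends custom parameters.
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
STOCK_UA_RE = re.compile(re.escape(UA_PREFIX)
                         + r" \(KHTML, like Gecko\) Chrome/[\d.]+ Safari/537\.36$")
# ZIP staged in a random-named folder directly under %TEMP% before upload.
TEMP_ZIP_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{6,}\\[^\\]+\.zip$", re.I)

def indicators(ev: dict) -> set[str]:
    """Names of the page's indicators matched by one telemetry event."""
    hits, t = set(), ev.get("type")
    if t == "registry" and ev.get("target", "").lower() == RUN_KEY.lower():
        hits.add("run_key_persistence")
    if t == "mutex" and ev.get("name") == MUTEX:
        hits.add("vidar_mutex")
    if t == "file" and TEMP_ZIP_RE.search(ev.get("path", "")):
        hits.add("temp_zip_staging")
    if t == "http":
        if ev.get("method") == "POST" and GATE_RE.search(ev.get("url", "")):
            hits.add("gate_php_post")
        ua = ev.get("user_agent", "")
        if ua.startswith(UA_PREFIX) and not STOCK_UA_RE.match(ua):
            hits.add("spoofed_chrome_ua")
    return hits

def triage(events: list[dict], min_hits: int = 2) -> dict[int, list[str]]:
    """Alert per process only when >= min_hits distinct indicators co-occur."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]] |= indicators(ev)
    return {pid: sorted(h) for pid, h in per_pid.items() if len(h) >= min_hits}

# Constructed telemetry: pid 4120 shows the chain, pid 988 is a benign browser.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "registry", "target": RUN_KEY},
    {"pid": 4120, "type": "mutex", "name": MUTEX},
    {"pid": 4120, "type": "file", "path": r"C:\Users\u\AppData\Local\Temp\7Kq2Zp9Rt\data.zip"},
    {"pid": 4120, "type": "http", "method": "POST", "url": "http://c2.example.invalid/gate.php",
     "user_agent": UA_PREFIX + " demo-param=1"},  # placeholder host and parameter
    {"pid": 988, "type": "http", "method": "GET", "url": "https://example.com/",
     "user_agent": UA_PREFIX + " (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only pid 4120 with all five indicators; the stock Chrome UA from pid 988 produces no hit, which is the point of requiring the prefix match to fail the full stock pattern before calling it spoofed.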

☠️ Risk & Impact

Vidar poses high risk due to comprehensive data theft—exfiltrating browser passwords, cryptocurrency private keys, and FTP credentials—enabling account takeover, financial theft, and lateral movement. Sectors most affected include finance, technology, and healthcare, as reported by Proofpoint and Talos intelligence. Financial losses per incident can exceed $10,000 from stolen crypto wallets and compromised business accounts, with additional costs from incident response and reputational damage.

🛡️ Mitigation

Defensive measures include deploying endpoint detection and response (EDR) solutions with behavioral analytics (e.g., detection of mass file access and network exfiltration), blocking known C2 domains via network firewalls, enforcing application whitelisting, and educating users against phishing and malvertising. Regularly updated signature rules from vendors like Trend Micro (ID: TROJ_VidAR.A) and YARA rules targeting Vidar’s .NET payloads are recommended. Patch management against critical exploits used in delivery (e.g., CVE-2017-11882, CVE-2018-7600) reduces initial infection vectors.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.