Tracking Vidar Infrastructure with Censys

Vidar, evolved from the Arkei Stealer, is a sophisticated credential stealer capable of extracting data from 2FA software and the Tor Browser. Censys tracked Vidar’s TLS-based C2 infrastructure, identifying 22 unique IPs and tying the activity to Scattered Spider’s targeting of large organizations and IT help desks. #Vidar #Arkei #ScatteredSpider #MGM #Caesars

Keypoints

  • Vidar is described as a more advanced stealer variant derived from Arkei, capable of exfiltrating credentials and tokens from infected endpoints.
  • The C2 uses HTTP over TLS with hardcoded subject/issuer DN fields, enabling detection via TLS certificate data and identification of Vidar infrastructure.
  • Initial C2 discovery relies on Telegram (and as a fallback, a Steam account) to fetch the C2 URL, illustrating multi-channel command delivery.
  • Vidar exfiltrates data to attacker-controlled servers via HTTPS POST (multipart form data), after collecting desktop screenshots and browser data (cookies, passwords, etc.).
  • DLLs are downloaded from the C2 (e.g., sqlite3.dll, freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll) as part of payload delivery.
  • Vidar is associated with Scattered Spider, known for targeting large organizations and IT help desks, including high-profile victims; FBI/CISA issued mitigations for critical infrastructure defenders.
  • Censys observed 22 unique Vidar-related IPs, concentrated primarily with Hetzner (Germany/Finland) and MVPS (Finland).

MITRE Techniques

  • [T1071.001] Web Protocols – Vidar uses TLS to contact C2; ‘This C2 uses TLS, and the host’s certificate shows hardcoded subject and issuer distinguished names (DNs).’
  • [T1041] Exfiltration Over C2 Channel – Vidar exfiltrates data from the host to the attacker-owned server via HTTPS POST; ‘Vidar will start the process of exfiltrating data from the host to the attacker-owned server.’
  • [T1113] Screen Capture – Vidar takes a screenshot of the user’s desktop; ‘Vidar then takes a screenshot of the user’s desktop’
  • [T1082] System Information Discovery – Vidar collects information about the user’s system (cookies, passwords, etc.); ‘collects information about the user’s system (browser cookies, passwords, etc…)’
  • [T1555.003] Credentials from Web Browsers – Vidar retrieves browser-stored credentials (cookies and passwords); ‘browser cookies, passwords, etc…’
  • [T1105] Ingress Tool Transfer – Vidar downloads multiple legitimate DLLs from the C2; ‘the C2 downloads several legitimate DLLs: /sqlite3.dll, /freebl3.dll, /mozglue.dll, /msvcp140.dll, /nss3.dll, /softokn3.dll, /vcruntime140.dll’

Indicators of Compromise

  • [IP] Vidar C2 hosts – 49.12.119.148, 95.217.244.44, and 20 more IP addresses (e.g., 49.13.94.153, 5.75.246.163, etc.)
  • [Hostname/Domain] C2 hostnames – join.naxtm.cfd, www.avisclair.com
  • [TLS Certificate] Subject DN – C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
  • [Filename] DLLs downloaded – sqlite3.dll, freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll
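The hardcoded subject DN above is the pivot the keypoints describe for spotting Vidar C2 hosts in certificate data. As an added example (not from the Censys write-up), this Python check parses certificate subject DNs in either RFC 4514 or OpenSSL slash syntax and flags hosts presenting the Vidar subject DN regardless of attribute order; the log records are constructed, with the two C2 IPs taken from the report and the remaining addresses drawn from documentation ranges as controls.

```python
import re
from typing import Dict, List

# Subject DN the Censys write-up reports as hardcoded in Vidar C2 certificates.
VIDAR_SUBJECT_DN = "C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514 DN ("C=XX, ST=NY, ...") or an OpenSSL slash-form DN
    ("/C=XX/ST=NY/...") into {ATTRIBUTE_TYPE: value}. Types are upper-cased;
    values keep their case because the Vidar DN relies on exact strings
    such as "StaticIP" and "privateIP"."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),\s*", dn)  # split only on unescaped commas
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def matches_vidar_subject(subject_dn: str) -> bool:
    """True when every attribute of the hardcoded Vidar subject DN is present
    with the same value, whatever the attribute order or DN syntax."""
    observed = parse_dn(subject_dn)
    return all(observed.get(k) == v for k, v in parse_dn(VIDAR_SUBJECT_DN).items())


# Constructed "ip|subject" records in the shape of a TLS certificate log.
# The first two IPs come from the Censys report; the others are documentation
# addresses used as controls (one benign CA-issued cert, one reordered Vidar DN).
SAMPLE_CERT_LOG = [
    "49.12.119.148|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP",
    "95.217.244.44|/C=XX/ST=NY/L=NY/O=StaticIP/OU=privateIP",
    "203.0.113.10|CN=www.example.com, O=Example Corp, C=US",
    "198.51.100.7|OU=privateIP, O=StaticIP, L=NY, ST=NY, C=XX",
]


def find_vidar_hosts(log_lines: List[str]) -> List[str]:
    """Return the IPs whose certificate subject matches the Vidar DN."""
    hits = []
    for line in log_lines:
        ip, subject = line.split("|", 1)
        if matches_vidar_subject(subject):
            hits.append(ip)
    return hits
```

Because the match is on exact attribute values, a certificate with the same layout but different values (for example lower-cased organisation names) is not flagged; loosen the comparison deliberately if your telemetry normalises case.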

Read more: https://censys.com/tracking-vidar-infrastructure/