Vidar Infostealer Being Spread through Phishing Emails

Vidar Infostealer Being Spread through Phishing Emails

Keypoints

  • Vidar is a Malware-as-a-Service threat that has been active since 2018 and was observed in new distribution campaigns during the first half of 2026.
  • The campaigns targeted Korea and were analyzed by AhnLab SEcurity intelligence Center (ASEC).
  • Phishing emails used job application and copyright infringement themes, with resume-like attachments and body text to trick victims.
  • The malware payload was packed as a Go-based executable disguised as a Word document icon and decrypted in memory when run.
  • Vidar used anti-analysis features including obfuscated code, NtGlobalFlag checks, anti-VM checks, and anti-sandbox checks.
  • It used Dead Drop Resolver via Telegram and Steam profile pages to fetch the real C&C server address, with a hard-coded marker string.
  • Vidar exfiltrated browser data, cookies, history, credentials, Discord/Telegram/Steam tokens, Azure data, screenshots, and cryptocurrency-related files.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The samples used obfuscated code and data to hinder analysis (‘obfuscated code and data designed to hinder analysis’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Vidar checked CPU, RAM, disk usage, usernames, and computer names to detect sandboxes or virtual environments (‘anti-VM techniques that monitor CPU, RAM, and disk usage’).
  • [T1622] Debugger Evasion – The malware used NtGlobalFlag checks to avoid debugging analysis (‘anti-debugging techniques such as NtGlobalFlag checks’).
  • [T1102.001] Web Service: Dead Drop Resolver – Vidar retrieved its C&C address from Telegram and Steam profile pages (‘Vidar then accesses those profile pages to retrieve the actual C&C server address’).
  • [T1105] Ingress Tool Transfer – The malware downloaded additional payloads or commands from the C&C server (‘Loader Download and execute additional payloads or commands’).
  • [T1056.001] Input Capture: Keylogging – No keylogging is explicitly described in the article, so this technique is not mentioned.
  • [T1119] Automated Collection – Vidar automatically collected browser data, wallet files, screenshots, and other targeted files (‘the malware collects information based on this’).
  • [T1005] Data from Local System – It stole files from local paths such as browser databases, wallet paths, and application data (‘List of File Paths Targeted for Theft’).
  • [T1025] Data from Removable Media – Not mentioned in the article.
  • [T1041] Exfiltration Over C2 Channel – Stolen data was transmitted back to the C&C server (‘Transmission of the “information.Txt” file’).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Vidar targeted saved logins and related browser credential stores (‘Chromium-based saved logins’).
  • [T1539] Steal Web Session Cookie – The malware collected browser cookies (‘Cookies Information Theft of web browser cookie information’).
  • [T1003] OS Credential Dumping – The article describes credential theft from FTP clients and browser stores (‘passwords.Txt’, which contains credentials for FileZilla and WinSCP FTP clients).
  • [T1113] Screen Capture – Vidar exfiltrated screenshots (‘screenshot.Jpg, a screenshot file’).

Indicators of Compromise

  • [MD5 Hash] malware samples – 0b8af4afd26175ba818c0fdb4622bf14, 1bbf1e83eea55e70d59f0d633789011e, and 3 more hashes
  • [IP Address] C&C / infrastructure – 107.189.24.190
  • [URL] C&C-related / profile pages – http://107.189.24.190/, https://steamcommunity.com/profiles/76561198694626397, and 3 more URLs
  • [FQDN] related domains seen in the campaign – ctl.it-bd.com, frr.ambil-disini.web.id, and 3 more domains
  • [File Names] phishing attachments / stolen files – Job_Application_I_Will_Work_Diligently_June_4,_26.Exe, 260511 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc).Exe, information.Txt, passwords.Txt, screenshot.Jpg
  • [Telegram / Steam Profile Pages] DDR source locations for C&C – Telegram and Steam profile pages used to hide the server address


Read more: https://asec.ahnlab.com/en/94363/