Keypoints
- Vidar is a Malware-as-a-Service threat that has been active since 2018 and was observed in new distribution campaigns during the first half of 2026.
- The campaigns targeted Korea and were analyzed by AhnLab SEcurity intelligence Center (ASEC).
- Phishing emails used job application and copyright infringement themes, with resume-like attachments and body text to trick victims.
- The malware payload was packed as a Go-based executable disguised as a Word document icon and decrypted in memory when run.
- Vidar used anti-analysis features including obfuscated code, NtGlobalFlag checks, anti-VM checks, and anti-sandbox checks.
- It used Dead Drop Resolver via Telegram and Steam profile pages to fetch the real C&C server address, with a hard-coded marker string.
- Vidar exfiltrated browser data, cookies, history, credentials, Discord/Telegram/Steam tokens, Azure data, screenshots, and cryptocurrency-related files.
MITRE Techniques
- [T1027] Obfuscated Files or Information – The samples used obfuscated code and data to hinder analysis (‘obfuscated code and data designed to hinder analysis’).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Vidar checked CPU, RAM, disk usage, usernames, and computer names to detect sandboxes or virtual environments (‘anti-VM techniques that monitor CPU, RAM, and disk usage’).
- [T1622] Debugger Evasion – The malware used NtGlobalFlag checks to avoid debugging analysis (‘anti-debugging techniques such as NtGlobalFlag checks’).
- [T1102.001] Web Service: Dead Drop Resolver – Vidar retrieved its C&C address from Telegram and Steam profile pages (‘Vidar then accesses those profile pages to retrieve the actual C&C server address’).
- [T1105] Ingress Tool Transfer – The malware downloaded additional payloads or commands from the C&C server (‘Loader Download and execute additional payloads or commands’).
- [T1056.001] Input Capture: Keylogging – No keylogging is explicitly described in the article, so this technique is not mentioned.
- [T1119] Automated Collection – Vidar automatically collected browser data, wallet files, screenshots, and other targeted files (‘the malware collects information based on this’).
- [T1005] Data from Local System – It stole files from local paths such as browser databases, wallet paths, and application data (‘List of File Paths Targeted for Theft’).
- [T1025] Data from Removable Media – Not mentioned in the article.
- [T1041] Exfiltration Over C2 Channel – Stolen data was transmitted back to the C&C server (‘Transmission of the “information.Txt” file’).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Vidar targeted saved logins and related browser credential stores (‘Chromium-based saved logins’).
- [T1539] Steal Web Session Cookie – The malware collected browser cookies (‘Cookies Information Theft of web browser cookie information’).
- [T1003] OS Credential Dumping – The article describes credential theft from FTP clients and browser stores (‘passwords.Txt’, which contains credentials for FileZilla and WinSCP FTP clients).
- [T1113] Screen Capture – Vidar exfiltrated screenshots (‘screenshot.Jpg, a screenshot file’).
Indicators of Compromise
- [MD5 Hash] malware samples – 0b8af4afd26175ba818c0fdb4622bf14, 1bbf1e83eea55e70d59f0d633789011e, and 3 more hashes
- [IP Address] C&C / infrastructure – 107.189.24.190
- [URL] C&C-related / profile pages – http://107.189.24.190/, https://steamcommunity.com/profiles/76561198694626397, and 3 more URLs
- [FQDN] related domains seen in the campaign – ctl.it-bd.com, frr.ambil-disini.web.id, and 3 more domains
- [File Names] phishing attachments / stolen files – Job_Application_I_Will_Work_Diligently_June_4,_26.Exe, 260511 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc).Exe, information.Txt, passwords.Txt, screenshot.Jpg
- [Telegram / Steam Profile Pages] DDR source locations for C&C – Telegram and Steam profile pages used to hide the server address
Read more: https://asec.ahnlab.com/en/94363/