Vidar Stealer 2.0 distributed via fake game cheats on GitHub and Reddit

Acronis TRU identified hundreds of GitHub repositories and associated campaigns distributing Vidar Stealer 2.0 and other infostealers disguised as “free game cheats,” leveraging GitHub Pages, Pastebin, Discord and Reddit to deliver staged payloads to gamers. Vidar 2.0 — a C rewrite with polymorphic builds, multithreading, advanced obfuscation and Telegram/Steam-based C2 — enables broad credential, wallet and file theft and has surged following takedowns of Lummastealer and Rhadamanthys.

Keypoints

  • Hundreds of GitHub Pages and associated landing sites are being abused to distribute malicious “free game cheats,” and the true scope may be in the thousands.
  • Vidar Stealer 2.0 adoption increased after law-enforcement disruptions of Lummastealer and Rhadamanthys, filling a market demand for accessible infostealers.
  • Typical delivery chain: fake GitHub landing page → Pastebin/GitHub hosted URL → compiled PowerShell loader (PS2EXE) → downloaded Themida-packed Vidar payload executed as background.exe with privilege elevation.
  • Vidar 2.0 is a full C rewrite with an automatic morpher (polymorphic builds), multithreaded execution, extensive control‑flow obfuscation and multiple anti-analysis checks to evade detection and analysis.
  • Capabilities include stealing browser credentials/cookies/autofill, Azure tokens, cryptocurrency wallets (e.g., Monero), FTP/SSH credentials, Telegram/Discord artifacts, local files and screenshots; C2 is hidden using Telegram bots and Steam profiles as dead-drop resolvers.
  • Mitigations recommended: deploy modern EDR/behavioral detection, keep systems patched, restrict execution from atypical directories, apply least‑privilege controls and educate users to avoid unofficial downloads.

MITRE Techniques

  • [T1204.002] User Execution: Malicious Link – Social-engineering lures on Discord/Reddit and fake cheat pages entice users to download and run payloads (‘offer for a “free” cheating tool.’)
  • [T1059.001] PowerShell – Initial loader uses PowerShell scripts compiled into .NET binaries via PS2EXE to execute the infection chain (‘executables are PowerShell scripts compiled into .NET binaries using the open-source PS2EXE module.’)
  • [T1105] Ingress Tool Transfer – Secondary payloads and final binaries are retrieved from Pastebin and GitHub-hosted URLs (‘contacts a hard-coded Pastebin URL to retrieve a secondary GitHub-hosted payload URL.’)
  • [T1053.005] Scheduled Task/Job – Persistence is created via a scheduled task that runs the payload at user logon (‘persistence is established through a scheduled task named “SystemBackgroundUpdate”’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The loader adds Microsoft Defender exclusions for attacker-controlled directories to evade scanning (‘adds a Windows Defender exclusion for a specified attacker-controlled directory.’)
  • [T1027] Obfuscated Files or Information – Vidar uses control-flow flattening, junk padding and a polymorphic builder to evade static detection (‘control-flow obfuscation in every function… automatic morpher making each build different’)
  • [T1055] Process Injection – Reflective DLL loading and remote-thread creation are used to inject code into browser processes for credential extraction (‘performs injection using Reflective DLL loading… load the image as a library… create a remote thread.’)
  • [T1113] Screen Capture – GDI-based screen capture is used to take screenshots and save them locally for exfiltration (‘uses a GDI screen-capture technique… Screenshot will be saved as a “screenshot.jpg” file.’)
  • [T1102] Web Service – Command-and-control and dead-drop resolvers abuse Telegram bots and Steam profiles to mask the true C2 infrastructure (‘Vidar is known to abuse Telegram and Steam as dead drop resolver (DDR) to mask their C2 servers.’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data and logs are exfiltrated to remote C2 servers via the established channels (‘exfiltrates them in their command-and-control (C2) servers.’)
  • [T1083] File and Directory Discovery – A recursive file grabber searches user folders and removable drives for target data and files (‘implements a directory-based file search routine that recursively searches for files from given folders.’)
  • [T1555] Credentials from Password Stores – The stealer targets browser password stores, key4.db and other local credential stores to harvest saved logins and tokens (‘extracting browser credentials, cookies and autofill data… key4.db’)
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks include debugger detection, timing checks and memory-based VM detection to avoid sandbox environments (‘advanced obfuscation, debugger detection, timing checks and VM detection hinder analysis.’)
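The delivery chain in the key points (loader dropped to a user-writable directory, the “SystemBackgroundUpdate” scheduled task, the Defender exclusion) and the T1053.005, T1562.001 and T1102 entries above are concrete detection opportunities. The following is an added example, not code from the Acronis report: a small Python detector run over constructed, simplified event records (the field names are assumptions, not a real Sysmon or Defender schema) that flags execution from atypical directories, the named scheduled task, the Add-MpPreference exclusion, and contact with the Telegram/Steam dead-drop hosts only when it originates from a process already marked suspicious, since both services are legitimate on a gaming host.

```python
import re

# Directories a user-level dropper typically lands in; the report advises
# restricting execution from such atypical locations.
ATYPICAL_DIRS = re.compile(
    r"\\(Downloads|AppData\\Local\\Temp|Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE)
# Services Vidar abuses as dead-drop resolvers (both named in the report).
DDR_HOSTS = {"telegram.me", "steamcommunity.com"}
# Scheduled task name quoted in the report.
KNOWN_TASK = "SystemBackgroundUpdate"

# Constructed sample events (assumed shape; not telemetry from the report).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\bob\Downloads\TempSpoofer.exe"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\background.exe"},
    {"type": "task_created", "name": KNOWN_TASK,
     "action": r"C:\Users\bob\AppData\Local\Temp\background.exe"},
    {"type": "powershell",
     "script": r"Add-MpPreference -ExclusionPath 'C:\Users\bob\AppData\Local\Temp'"},
    {"type": "net", "image": r"C:\Users\bob\AppData\Local\Temp\background.exe",
     "dest_host": "steamcommunity.com"},
    # Benign: the real Steam client talking to Steam must not fire.
    {"type": "net", "image": r"C:\Program Files (x86)\Steam\steam.exe",
     "dest_host": "steamcommunity.com"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
]


def detect(events):
    """Return a list of (rule, detail) findings for the described behaviours."""
    findings = []
    suspicious_images = set()  # images already seen running from atypical dirs
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and ATYPICAL_DIRS.search(ev["image"]):
            suspicious_images.add(ev["image"].lower())
            findings.append(("exec_from_atypical_dir", ev["image"]))
        elif kind == "task_created" and (
                ev["name"] == KNOWN_TASK or ATYPICAL_DIRS.search(ev["action"])):
            findings.append(("suspicious_scheduled_task", ev["name"]))
        elif kind == "powershell" and re.search(
                r"Add-MpPreference\s+-Exclusion", ev["script"], re.IGNORECASE):
            findings.append(("defender_exclusion_added", ev["script"]))
        elif (kind == "net" and ev["dest_host"].lower() in DDR_HOSTS
              and ev["image"].lower() in suspicious_images):
            findings.append(("ddr_contact_from_suspicious_process", ev["dest_host"]))
    return findings
```

Feed it your own normalised process, task, PowerShell script-block and network events in the same shape; the DDR rule deliberately depends on process-level ordering, so events must be supplied chronologically.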

Indicators of Compromise

  • [File Hash] Compiled loaders and Vidar payloads identified in the report – 2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d, b1cebd305c6aa27048a3673e70f8e1604735b2c06c83452d2935c330b5a3eb58, and 10 more hashes
  • [C2 URLs / Domains] Command-and-control and DDR endpoints used by Vidar – hxxps://telegram[.]me/bul33bt, hxxps://steamcommunity[.]com/profiles/76561198765046918, and other Telegram/Steam profile links
  • [File Names] Notable filenames used in delivery and execution – TempSpoofer.exe, background.exe
  • [Hosted Landing Pages] Distribution and staging platforms observed – malicious GitHub Pages landing repositories (fake cheat repos) and Pastebin URLs used to retrieve secondary payload locations

Read more: https://www.acronis.com/en/tru/posts/vidar-stealer-20-distributed-via-fake-game-cheats-on-github-and-reddit/