Vidar

Malware updated 11 days ago (2024-10-07T16:01:15.958Z)
Vidar is an infostealer that targets Windows systems. It is written in C++ and derived from the Arkei stealer. Vendor reporting regularly places Vidar alongside other commodity malware and ransomware families, including Emotet, IcedID, Cobalt Strike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Gozi, Canyon, Nokoyawa and BlackBasta. On the 2easy log marketplace, where RedLine logs have been the most popular offering, logs harvested by Raccoon, Vidar and AZORult are also sold.

Vidar has been sold for years under a malware-as-a-service model, advertised through dark web forums and Telegram groups. Its distribution has shifted over time from traditional spam campaigns and cracked software to malicious Google Search ads. In the malvertising campaigns analysed, the ads link to executable files serving Rilide Stealer, Vidar Stealer, IceRAT (written in JPHP) and Nova Stealer; a user who follows such an ad can unknowingly download and run the payload. The purpose of certain .cmd and XLSX files associated with Vidar remains unclear, but they appear to contain Facebook account names together with specific monetary figures.

Technical analysis offers a few practical handles for defenders. The splash screen displayed by the Vidar infostealer installer impersonates Midjourney, as reported in the ESET Threat Report H1 2024. Memory snapshots taken from running Vidar samples, inspected in a hex editor, expose configuration data and C2 server details, so memory analysis is a useful first step when triaging a sample. In one reported case, the last two binaries hosted on the Bitbucket repository in question were identified by automated analysis as Vidar Stealer.
Description last updated: 2024-10-07T15:18:38.081Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description
Arkei Stealer (possible alias; 2 votes): The Arkei Stealer is a type of malware, specifically designed to infiltrate and exploit computer systems. This malicious software, written in C++, first emerged in May 2018 and has since been forked or rebranded several times. The malware can infect a system through various means such as suspicious…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Ransomware
Exploit
MaaS
Payload
Cobalt Strike
Phishing
YouTube
1Password
Malware Loader
Telegram
Cybercrime
Scams
Credentials
Dropper
Android
GitHub
Associated Malware
Alias (association type; votes): description
RedLine (association type: unspecified; 12 votes): RedLine is a type of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, RedLine can steal personal information, disrupt operations, or deliver further…
Raccoon (association type: unspecified; 7 votes): Raccoon is malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $…
Batloader (association type: unspecified; 3 votes): Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal…
LummaC2 (association type: unspecified; 3 votes): LummaC2 is a dynamic malware strain, first identified in Russian-speaking forums in 2022. It's written in C and distributed as Malware-as-a-Service (MaaS). The malware has been actively exploiting PowerShell commands to infiltrate systems and exfiltrate sensitive data. In 2023, LummaC2's use expande…
RisePro (association type: unspecified; 3 votes): RisePro is a type of malware, specifically an info-stealer, designed to infiltrate and damage computer systems. It operates by exploiting vulnerabilities in a device, often through suspicious downloads, emails, or websites, typically without the user's knowledge. Once inside, RisePro can disrupt ope…
PrivateLoader (association type: unspecified; 3 votes): PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website…
Mars (association type: is related to; 3 votes): Mars is malicious software (malware) that has been discovered by the Trend Micro Mobile Application Reputation Service (MARS) team. This malware, related to other known threats like Vidar and Redline, has been involved in cryptocurrency-mining and financially-motivated scam campaigns targeting And…
RedLine Stealer (association type: unspecified; 3 votes): RedLine Stealer is a type of malware, or malicious software, that infiltrates computer systems with the intent to exploit and cause damage. It typically gains access through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside the system, it can steal personal i…
Minodo (association type: unspecified; 2 votes): Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h…
Royal Ransomware (association type: unspecified; 2 votes): The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious …
Lumma Stealer (association type: unspecified; 2 votes): Lumma Stealer is a highly sophisticated malware variant known for its extensive data-harvesting capabilities. It is designed to steal sensitive information such as passwords, card details, cryptocurrency wallets, and browser session cookies from infected devices. Lumma Stealer employs a DLL side-loa…
NetSupport (association type: unspecified; 2 votes): NetSupport is legitimate remote access software that has been exploited as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, the most common infostealer in the world today. The m…
SystemBC (association type: unspecified; 2 votes): SystemBC is a type of malware that has been heavily used in cyber-attacks, often alongside other malicious software. It was observed being used with Quicksand and BlackBasta in 2023, during attacks attributed to a team deploying BlackBasta. The Play ransomware group also utilized SystemBC as part of…
StealC (association type: unspecified; 2 votes): StealC is a pernicious malware that specifically targets browser extensions and authenticators by password managers. It came to the forefront following a significant attack on the Solana blockchain in 2023, which resulted in a $7 million heist due to a related malware called Luca Stealer. The StealC…
Diceloader (association type: unspecified; 2 votes): Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in…
Raccoon Stealer (association type: unspecified; 2 votes): Raccoon Stealer, a malware-as-a-service (MaaS) operation, emerged in 2019, designed by Russian-speaking developers to steal victims' sensitive data such as credit card information, email credentials, and cryptocurrency wallets. The malware was initially promoted exclusively on Russian-speaking hacki…
AMOS (association type: is related to; 2 votes): AMOS is malicious software (malware) that specifically targets macOS users. This malware, first reported in early 2024, employs sophisticated techniques to infiltrate systems and steal sensitive information such as passwords, personal files, and crypto wallet details. The AMOS malware was part of…
Atomic macOS Stealer (AMOS) (association type: unspecified; 2 votes): In April 2023, Cyble Research and Intelligence Labs (CRIL) discovered a new malware named Atomic macOS Stealer (AMOS) being advertised for sale on a Telegram channel. The malware was found to be part of a larger operation involving several other variants such as Vidar, Lumma, and Octo. These threat…
Associated Threat Actors
Alias (association type; votes): description
GandCrab (association type: unspecified; 2 votes): GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv…
Associated Vulnerabilities
Alias (association type; votes): description
Atomic macOS Stealer (AMOS) (association type: unspecified; 2 votes): no description is recorded for this entry. Note that AMOS is a macOS infostealer rather than a vulnerability; it also appears above under Associated Malware.
Source Document References
Information about the Vidar malware was read from the documents below (display limited to 20 results).
Source (created)
Bitdefender (11 days ago)
ESET (3 months ago)
Unit42 (3 months ago)
Fortinet (3 months ago)
Recorded Future (3 months ago)
ESET (3 months ago)
ESET (4 months ago)
DARKReading (4 months ago)
DARKReading (4 months ago)
Securityaffairs (5 months ago)
Recorded Future (5 months ago)
InfoSecurity-magazine (5 months ago)
CERT-EU (a year ago)
Flashpoint (9 months ago)
InfoSecurity-magazine (6 months ago)
Bitdefender (6 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (8 months ago)
Recorded Future (8 months ago)