Vidar Stealer

Overview

Vidar is an information-stealing malware that evolved from the Arkei stealer. It is sold as Malware-as-a-Service on Russian-speaking forums and is known for its modular design that allows operators to customize what data to steal. Vidar is frequently used as a first-stage payload before ransomware deployment.

Also Known As

Vidar, Vidar Infostealer

How It Spreads

• • Malicious email attachments (especially ISO and Office files)
• • Fake software download sites
• • SEO poisoning campaigns
• • Compromised software supply chains
• • Malicious ads on search engines

What It Does

• • Steals credentials from 60+ applications
• • Captures browser cookies and session data
• • Extracts 2FA authenticator secrets
• • Steals cryptocurrency wallets and extensions
• • Downloads configuration from C2 specifying targets
• • Self-destructs after exfiltration to avoid detection

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Monitor for processes accessing 2FA application data
• • Alert on executables self-deleting after network activity
• • Detect unusual DLL sideloading in temp directories
• • Watch for connections to Steam profile pages (C2 technique)
• • Monitor browser extension directory access

MITRE ATT&CK Techniques

T1555, T1539, T1552, T1070.004, T1140