Overview
Vidar is a C++-based infostealer that emerged in October 2018 as a fork of the Arkei stealer. It was initially sold on Russian-language underground forums by a threat actor using the handle “Loadbaks.” Vidar distinguishes itself from other infostealers through its use of dead-drop resolvers, leveraging legitimate platforms such as Telegram channels, Steam user profiles, and Mastodon accounts to store encoded C2 server addresses. This technique makes initial C2 communication harder to block because the first network request goes to a trusted, high-reputation domain. Despite being one of the older active infostealers, Vidar remains widely used due to its reliability, affordable pricing, and consistent maintenance.
Capabilities
Vidar’s theft capabilities are configured server-side through its C2 panel, allowing operators to selectively enable or disable modules per campaign. Core modules include browser data extraction (credentials, cookies, autofill, history, and credit cards) from Chromium and Gecko browsers, cryptocurrency wallet theft targeting both browser extensions and desktop applications, collection of two-factor authentication data from applications like Authy, and harvesting of FTP, email, and instant messaging credentials. Vidar also captures system fingerprinting data including screenshots, hardware information, installed software, and running processes. It downloads required DLL dependencies (such as sqlite3.dll and freebl3.dll) from its C2 server at runtime, which is a distinctive behavioral indicator. Stolen data is compressed into a ZIP archive before exfiltration via HTTP POST.
Distribution Methods
Vidar is distributed through a variety of channels. It is a frequent payload in malvertising campaigns, particularly those abusing Google Ads to serve fake software download pages for tools like AnyDesk, Notepad++, and Blender. Vidar is commonly delivered through the Fallout and RIG exploit kits, making it a recurring threat in drive-by download scenarios. It also spreads through phishing emails, trojanized software installers on pirated software sites, ISO and VHD file attachments, and as a secondary payload dropped by loaders like PrivateLoader and SmokeLoader. In 2023-2024, Vidar was observed leveraging malicious OneNote attachments and PDF lures.
Notable Campaigns
In early 2023, Vidar operators conducted a massive malvertising blitz, simultaneously impersonating dozens of software brands through Google Ads. The landing pages used sophisticated cloaking to evade automated scanning while serving malware to real users. Throughout 2023 and 2024, Vidar was consistently among the top payloads delivered by the PrivateLoader pay-per-install service, indicating sustained demand from cybercriminals. In mid-2024, researchers documented Vidar campaigns using compromised e-commerce sites to host payloads, combining watering hole and social engineering tactics. Vidar logs remain a staple on dark web credential marketplaces, with millions of stolen records attributed to this family.
Detection & Mitigation
A reliable behavioral indicator for Vidar is the runtime downloading of legitimate DLLs (sqlite3.dll, vcruntime140.dll, freebl3.dll) from C2 infrastructure prior to data theft. Network monitoring should flag HTTP requests to recently registered domains that return PE files or DLLs followed by outbound ZIP file uploads. Defenders should also monitor for processes accessing Telegram API endpoints or Steam profile pages in non-browser contexts, as this may indicate dead-drop resolver activity. YARA rules can target Vidar’s characteristic ZIP archive construction routines and configuration parsing patterns. Mitigation measures include restricting outbound connections from non-browser processes to social media platforms, deploying DNS filtering to block known Vidar C2 domains, enforcing application control policies, and ensuring endpoint protection has behavioral detection rules for bulk credential database access.
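As an added illustration (not part of the original write-up), the following Python triage pass encodes the two behavioral indicators described above against constructed proxy/EDR-style telemetry: a non-browser process reaching a dead-drop platform, and a run-time download of Vidar's helper DLLs followed within a short window by a ZIP upload from the same process. The host names, process names, time window and sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# DLL names come from the write-up; the dead-drop host list and browser list are assumptions.
VIDAR_DLLS = {"sqlite3.dll", "vcruntime140.dll", "freebl3.dll"}
DEAD_DROP_HOSTS = {"api.telegram.org", "t.me", "steamcommunity.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(minutes=10)  # assumed gap between DLL fetch and exfil upload

# Constructed sample telemetry (not real logs): timestamp, host, process, method, URL, body MIME type.
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:01", "ws01", "update.exe", "GET", "https://steamcommunity.com/profiles/000000", "text/html"),
    ("2024-06-01T10:00:05", "ws01", "update.exe", "GET", "http://c2.example.invalid/sqlite3.dll", "application/x-msdownload"),
    ("2024-06-01T10:00:06", "ws01", "update.exe", "GET", "http://c2.example.invalid/freebl3.dll", "application/x-msdownload"),
    ("2024-06-01T10:00:40", "ws01", "update.exe", "POST", "http://c2.example.invalid/", "application/zip"),
    ("2024-06-01T10:05:00", "ws02", "chrome.exe", "GET", "https://steamcommunity.com/profiles/000000", "text/html"),
    ("2024-06-01T11:00:00", "ws03", "setup.exe", "GET", "http://cdn.example.invalid/sqlite3.dll", "application/x-msdownload"),
]

def parse(event):
    """Normalise one raw event into the fields the detections key on."""
    ts, host, proc, method, url, ctype = event
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc.lower(),
            "method": method, "domain": u.hostname,
            "file": u.path.rsplit("/", 1)[-1].lower(), "ctype": ctype}

def dead_drop_alerts(events):
    """Non-browser processes contacting platforms Vidar abuses as dead-drop resolvers."""
    return [(e["host"], e["proc"], e["domain"]) for e in map(parse, events)
            if e["proc"] not in BROWSERS and e["domain"] in DEAD_DROP_HOSTS]

def dll_then_zip_alerts(events):
    """Helper-DLL download followed within WINDOW by a ZIP POST from the same host/process.

    A lone DLL fetch is not alerted on (it may be a legitimate installer); the
    sequence DLL download -> ZIP upload is the stronger signal."""
    dll_fetches = defaultdict(list)  # (host, proc) -> timestamps of DLL downloads
    alerts = []
    for e in sorted(map(parse, events), key=lambda ev: ev["ts"]):
        key = (e["host"], e["proc"])
        if e["method"] == "GET" and e["file"] in VIDAR_DLLS:
            dll_fetches[key].append(e["ts"])
        elif e["method"] == "POST" and e["ctype"] == "application/zip":
            if any(e["ts"] - t <= WINDOW for t in dll_fetches[key]):
                alerts.append((e["host"], e["proc"], e["domain"]))
    return alerts
```

In the sample set only ws01 trips both detections; ws02 is a browser visiting Steam and ws03 fetches a DLL with no follow-up upload, so neither is flagged.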