Safety researchers are warning that Vidar Stealer infections are more likely to enhance after the malware developer launched a brand new main model with upgraded capabilities.
In accordance with an announcement from the developer this month, Vidar 2.0 has been rewritten in C, helps multi-threading information stealing, bypasses Chrome’s app-bound encryption, and options extra superior evasion mechanisms.
Infostealer malware specializes in stealing information from browsers and different apps, together with passwords, bank card data, and cryptocurrency pockets data.
Supply: Pattern Micro
The discharge of Vidar 2.0 comes at a time when Lumma Stealer, one other main participant within the subject, has proven a fast decline in exercise, following a doxing marketing campaign towards its key operators.
Vidar 2.0 targets a broad vary of knowledge, together with browser cookies and autofill, cryptocurrency pockets extensions and desktop apps, cloud credentials, Steam accounts, Telegram, and Discord information.
Supply: Pattern Micro
In accordance with a report from Pattern Micro researchers, Vidar exercise has spiked for the reason that launch of its second main model, which comes with the next highlights:
- Full rewrite from C++ to C, now counting on fewer dependencies and having higher uncooked efficiency at a a lot smaller footprint.
- Multi-thread CPU help the place data-stealing employee threads are spawned concurrently to parallelize assortment and cut back dwell time.
- In depth anti-analysis checks, together with debugger detection, timing checks, uptime, and {hardware} profiling.
- Builder provides polymorphism choices with heavy control-flow flattening and numeric state-machine swap constructs, making static detection harder.
- Evasion of Chrome’s App-Certain encryption safety by way of reminiscence injection strategies.
“The malware additionally employs a complicated approach that launches browsers with debugging enabled and injects malicious code immediately into working browser processes utilizing both shellcode or reflective DLL injection,” explains Pattern Micro.
“The injected payload extracts encryption keys immediately from browser reminiscence, then communicates the stolen keys again to the primary malware course of by way of named pipes to keep away from disk artifacts.”
“This strategy can bypass Chrome’s AppBound encryption protections by stealing keys from lively reminiscence relatively than trying to decrypt them from storage.”
Supply: Pattern Micro
Chrome’s AppBound encryption, launched in July 2024, has been bypassed by a number of info-stealer malware households over time.
As soon as Vidar 2.0 collects all the information it might entry on the contaminated machine, it captures screenshots, packages all the pieces, and sends it to supply factors that embody Telegram bots and URLs saved on Steam profiles.
Pattern Micro researchers anticipate Vidar 2.0 to grow to be extra prevalent in campaigns by way of This autumn 2025 because the “malware’s technical capabilities, confirmed developer observe document since 2018, and aggressive pricing place it as a probable successor to Lumma Stealer’s dominant market place.”
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration developments.
