Published on April 27, 2026
New Vidar Malware Campaign Uses Fake YouTube Software Downloads to Steal Corporate Credentials
Severity
Medium
Detail
A credential-stealing malware known as Vidar has emerged as one of the most active threats targeting corporate employees in early 2026. The campaign leverages fake software promoted through platforms like YouTube to trick users into installing malicious files, leading to widespread theft of credentials, browser data, and cryptocurrency wallet information.
Its rapid rise follows the disruption of other infostealers, positioning Vidar as a dominant tool in the cybercriminal ecosystem.
How?
The attack begins when a victim encounters a YouTube video advertising a fake software tool (e.g., NeoHub). The user is redirected through file-sharing platforms such as MediaFire, where they download a malicious archive disguised as legitimate software.
Inside the archive, the primary executable (NeoHub.exe) appears harmless but is designed to sideload a malicious DLL file named msedge_elf.dll. This file mimics a legitimate component of Microsoft Edge, increasing the likelihood of bypassing casual inspection. The DLL is often signed with counterfeit certificates impersonating trusted entities, adding another layer of deception.
Once executed, the malware relies on layered obfuscation, including a Go-based packer and control flow flattening, which makes analysis and detection difficult. It then uses a Dead Drop Resolver mechanism: instead of hardcoding its command-and-control (C2) server details, it retrieves them dynamically from public sources such as Telegram and Steam profiles. This lets attackers rotate infrastructure frequently without modifying the malware itself.
After establishing communication, Vidar begins harvesting sensitive data from multiple browsers, including Chrome, Firefox, Edge, Opera, and others. Stolen information includes saved passwords, cookies, credit card data, and cryptocurrency wallet files. The collected data is then exfiltrated and often sold on underground marketplaces such as Russian Market, enabling further attacks and unauthorized access to corporate systems.
Conclusion
This campaign highlights how threat actors combine social engineering with advanced evasion techniques to compromise corporate environments at scale.
Organizations should enforce strong user awareness around downloading software from untrusted sources, implement multi-factor authentication (MFA) across all critical accounts, and deploy network-level protections such as DNS filtering and sandboxing. Continuous monitoring for unusual outbound connections and credential misuse is essential to detect and contain infections early.
Source
https://cybersecuritynews.com/new-vidar-malware-uses-fake-youtube-software-downloads/
