Published on May 10, 2026
Vidar Infostealer Campaign Uses Multi-Stage Infection Chain to Steal Sensitive Data
Severity
Medium
Researchers have identified a highly evasive malware campaign distributing the Vidar Infostealer, a credential-stealing malware family known for targeting passwords, browser cookies, cryptocurrency wallets, and system information.
Originally derived from the Arkei stealer source code, Vidar continues to evolve through the use of multi-stage infection techniques, anti-analysis mechanisms, and legitimate platforms to conceal malicious activity and avoid detection.
Recent analysis shows the campaign leveraging AutoIt scripting and trusted online services to support stealthy payload delivery and command-and-control (C2) communication.
How?
The infection chain begins when a victim executes MicrosoftToolkit.exe, a commonly abused software activation utility distributed through unofficial sources. Once launched, the malware initiates a staging process through command shell execution.
During execution, the malware renames disguised .dot files into batch scripts, allowing embedded commands to execute while bypassing basic detection mechanisms.
Before deploying the final payload, the malware performs reconnaissance by enumerating running processes using legitimate Windows utilities such as tasklist.exe and findstr.exe, likely to identify or interfere with active security tools.
The malware then extracts secondary payloads using extract32.exe, eventually loading an AutoIt-compiled binary named Replies.scr. This component functions as a loader that decrypts and executes the Vidar payload directly in memory.
To evade analysis, the malware performs anti-debugging and anti-EDR checks using Windows API functions such as ZwQueryInformationProcess, altering or halting execution when analysis environments are detected.
Once active, Vidar establishes outbound communication through WinINet APIs and retrieves configuration data from trusted public platforms, including Telegram and Steam Community pages. These services are abused as dead-drop resolvers, allowing the malware to blend malicious traffic with legitimate web activity.
The malware also uses public DNS services to resolve dynamic infrastructure before exfiltrating harvested credentials, browser data, cryptocurrency wallet information, and system details.
After completing data theft activities, the malware initiates a cleanup process by deleting dropped payload files, removing execution artifacts, freeing memory structures, and terminating its own process to reduce forensic visibility on the infected endpoint.
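The staging steps above (the .dot-to-.bat rename, the tasklist/findstr enumeration, the extraction stage and the .scr loader) each leave a process-creation record. The following is an added example, not code from the original article or its source; it runs a small rule set over constructed Sysmon EventID 1-style records (fields Computer, Image, CommandLine) and flags a host only when several stages of the chain appear, so a single benign tasklist pipeline on its own does not alert. Host names, user paths and command lines are constructed; the binary is matched under both the spelling used in the advisory (extract32.exe) and the name of the Windows cabinet expander (extrac32.exe).

```python
"""Multi-stage detector for the Vidar staging chain described above.

Added example (not the advisory's own code). Events are constructed
Sysmon EventID 1-style records; only the file names come from the advisory.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to; loaders dropped by the chain run from here
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|ProgramData|Public)\\", re.I)


def rule_dot_to_bat(e):
    # Stage 1: a disguised .dot file renamed or moved into a .bat script
    return bool(re.search(r"\b(ren|rename|move)\b.*\.dot\b.*\.bat\b", e["CommandLine"], re.I))


def rule_tasklist_findstr(e):
    # Stage 2: process enumeration piped into findstr (reconnaissance of security tooling)
    cl = e["CommandLine"].lower()
    return "tasklist" in cl and "findstr" in cl


def rule_extract_stage(e):
    # Stage 3: the extraction utility pulling payloads out of a .dot container.
    # The advisory names it extract32.exe; the Windows CAB expander is extrac32.exe,
    # so both spellings are matched.
    image = e["Image"].lower()
    return image.endswith(("extrac32.exe", "extract32.exe")) and ".dot" in e["CommandLine"].lower()


def rule_scr_loader(e):
    # Stage 4: a screensaver-extension loader (Replies.scr) started from a user-writable path
    return e["Image"].lower().endswith(".scr") and bool(USER_WRITABLE.search(e["Image"]))


RULES = [
    ("dot_to_bat_rename", rule_dot_to_bat),
    ("tasklist_findstr_recon", rule_tasklist_findstr),
    ("extract_from_dot", rule_extract_stage),
    ("scr_loader_user_path", rule_scr_loader),
]

# Constructed telemetry: WS01 shows the full chain, WS02 only benign look-alikes
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ren "C:\Users\alice\AppData\Local\Temp\swingers.dot" swingers.dot.bat'},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c tasklist | findstr /i "security"'},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32.exe /Y C:\Users\alice\AppData\Local\Temp\Beds.dot C:\Users\alice\AppData\Local\Temp"},
    {"Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\Replies.scr",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\Replies.scr"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c tasklist | findstr /i "chrome"'},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\ssText3d.scr",
     "CommandLine": r"C:\Windows\System32\ssText3d.scr /s"},
]


def evaluate(events):
    """Return {host: [stage names in first-seen order]} for hosts with at least one hit."""
    seen = defaultdict(list)
    for e in events:
        for name, pred in RULES:
            if pred(e) and name not in seen[e["Computer"]]:
                seen[e["Computer"]].append(name)
    return dict(seen)


def flag_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages of the chain were observed."""
    return sorted(h for h, stages in evaluate(events).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in evaluate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Requiring several stages rather than one keeps the tasklist/findstr rule usable: that pipeline is common in administrative scripts, but combined with a .dot rename and a .scr launched from a temp directory it is specific to this chain. Each rule can also be exported on its own as a lower-severity hunting query.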
IOCs
| IOC | IOC type | Description |
|---|---|---|
| fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d | SHA-256 | MicrosoftToolkit.exe |
| d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f | SHA-256 | swingers.dot.bat |
| 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 | SHA-256 | Beds.dot |
| 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb | SHA-256 | replies.scr |
| 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe | SHA-256 | D (payload file) |
| 149.154.167[.]99 | IP Address | Vidar-associated C2 IP |
| telegram[.]me | Domain Name | C2 domain |
| gz[.]technicalprorj[.]xyz | Domain Name | Vidar-associated C2 domain |
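The indicators above are published defanged (`[.]` in place of `.`), and one of them, telegram[.]me, is a public platform that the malware abuses as a dead-drop resolver, so a bare match on it is weak evidence compared with the file hashes or the campaign-specific domain. The following is an added example, not code from the original article: it refangs the table's indicators, matches them against constructed EDR, DNS and proxy records (including parent-domain matching for DNS queries), and separates hosts with a high-confidence hit from hosts whose only hit is the shared platform. The telemetry records and host names are constructed; the indicator values are the ones listed above.

```python
"""Refang the advisory's IOCs and match them against sample telemetry.

Added example (not the advisory's own code). Only the indicator values
come from the advisory; all events below are constructed.
"""

# Indicator rows as listed in the advisory table (defanged as published)
ADVISORY_IOCS = [
    ("fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d", "SHA-256", "MicrosoftToolkit.exe"),
    ("881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb", "SHA-256", "replies.scr"),
    ("149.154.167[.]99", "IP Address", "Vidar-associated C2 IP"),
    ("telegram[.]me", "Domain Name", "C2 domain"),
    ("gz[.]technicalprorj[.]xyz", "Domain Name", "Vidar-associated C2 domain"),
]

# Public platforms the advisory says are abused as dead-drop resolvers; legitimate
# clients talk to them too, so a hit here alone is low confidence.
SHARED_PLATFORMS = {"telegram.me"}


def refang(value):
    """Undo the common defanging conventions used when publishing indicators."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def _domain_suffixes(name):
    """'a.b.c' -> ['a.b.c', 'b.c'] so a query for a subdomain still matches a listed parent."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


# Constructed telemetry: WS01 has hash, DNS and proxy hits; WS07 only resolved the shared platform
SAMPLE_EVENTS = [
    {"source": "edr", "host": "WS01",
     "sha256": "fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d",
     "path": r"C:\Users\alice\Downloads\MicrosoftToolkit.exe"},
    {"source": "dns", "host": "WS01", "query": "gz.technicalprorj.xyz"},
    {"source": "dns", "host": "WS01", "query": "telegram.me"},
    {"source": "proxy", "host": "WS01", "dest_ip": "149.154.167.99", "dest_port": 443},
    {"source": "dns", "host": "WS07", "query": "telegram.me"},
    {"source": "edr", "host": "WS07",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000",  # constructed benign hash
     "path": r"C:\Windows\System32\notepad.exe"},
]


def match_events(events, iocs=ADVISORY_IOCS):
    """Return one hit record per (event field, indicator) match, tagged with a confidence level."""
    index = {refang(v).lower(): (t, d) for v, t, d in iocs}
    hits = []
    for e in events:
        candidates = []
        if "sha256" in e:
            candidates.append(("sha256", e["sha256"].lower()))
        if "dest_ip" in e:
            candidates.append(("dest_ip", e["dest_ip"]))
        if "query" in e:
            candidates += [("query", s) for s in _domain_suffixes(e["query"].lower())]
        for field, val in candidates:
            if val in index:
                ioc_type, desc = index[val]
                hits.append({
                    "host": e["host"], "field": field, "ioc": val, "type": ioc_type,
                    "description": desc,
                    "confidence": "low" if val in SHARED_PLATFORMS else "high",
                })
    return hits


def hosts_by_confidence(hits):
    """(hosts with at least one high-confidence hit, hosts with only low-confidence hits)."""
    high = {h["host"] for h in hits if h["confidence"] == "high"}
    low_only = {h["host"] for h in hits} - high
    return sorted(high), sorted(low_only)


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["field"], h["ioc"], h["confidence"])
    print("escalate:", hosts_by_confidence(hits))
```

Hosts in the first list warrant triage on the file and network evidence directly; hosts in the second list are candidates for the behavioural checks in the "How?" section rather than immediate escalation, since blocking or alerting on the shared platform alone would affect legitimate users.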
Recommendation
Organizations should take the following actions to reduce the risk associated with Vidar Infostealer infections:
- Avoid downloading software activation tools or executables from unofficial sources
- Monitor for suspicious execution of scripting and automation tools such as AutoIt
- Detect abnormal use of Windows utilities including tasklist.exe, findstr.exe, and extract32.exe
- Inspect outbound connections to trusted platforms that may be abused for malware communication
- Implement endpoint protection capable of detecting credential theft, process injection, and anti-analysis behavior
- Educate users about the risks associated with pirated software and unofficial installers
Source
https://gbhackers.com/vidar-infostealer-campaign-steals-passwords-cookies/
