Safety researchers are warning that Vidar Stealer infections are prone to enhance after the malware developer launched a brand new main model with upgraded capabilities.
In line with an announcement from the developer this month, Vidar 2.0 has been rewritten in C, helps multi-threading information stealing, bypasses Chrome’s app-bound encryption, and options extra superior evasion mechanisms.
Infostealer malware specializes in stealing information from browsers and different apps, together with passwords, bank card data, and cryptocurrency pockets data.
Supply: Pattern Micro
The discharge of Vidar 2.0 comes at a time when Lumma Stealer, one other main participant within the discipline, has proven a speedy decline in exercise, following a doxing marketing campaign towards its key operators.
Vidar 2.0 targets a broad vary of information, together with browser cookies and autofill, cryptocurrency pockets extensions and desktop apps, cloud credentials, Steam accounts, Telegram, and Discord information.
Supply: Pattern Micro
In line with a report from Pattern Micro researchers, Vidar exercise has spiked for the reason that launch of its second main model, which comes with the next highlights:
- Full rewrite from C++ to C, now counting on fewer dependencies and having higher uncooked efficiency at a a lot smaller footprint.
- Multi-thread CPU assist the place data-stealing employee threads are spawned concurrently to parallelize assortment and cut back dwell time.
- Intensive anti-analysis checks, together with debugger detection, timing checks, uptime, and {hardware} profiling.
- Builder provides polymorphism choices with heavy control-flow flattening and numeric state-machine swap constructs, making static detection harder.
- Evasion of Chrome’s App-Certain encryption safety by the use of reminiscence injection strategies.
“The malware additionally employs a complicated method that launches browsers with debugging enabled and injects malicious code instantly into operating browser processes utilizing both shellcode or reflective DLL injection,” explains Pattern Micro.
“The injected payload extracts encryption keys instantly from browser reminiscence, then communicates the stolen keys again to the principle malware course of through named pipes to keep away from disk artifacts.”
“This method can bypass Chrome’s AppBound encryption protections by stealing keys from lively reminiscence moderately than making an attempt to decrypt them from storage.”
Supply: Pattern Micro
Chrome’s AppBound encryption, launched in July 2024, has been bypassed by a number of info-stealer malware households over time.
As soon as Vidar 2.0 collects all the information it may entry on the contaminated machine, it captures screenshots, packages every part, and sends it to supply factors that embody Telegram bots and URLs saved on Steam profiles.
Pattern Micro researchers count on Vidar 2.0 to turn into extra prevalent in campaigns via This autumn 2025 because the “malware’s technical capabilities, confirmed developer monitor file since 2018, and aggressive pricing place it as a probable successor to Lumma Stealer’s dominant market place.”
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration developments.