
Vidar Malware Campaign Targets Login Credentials, Session Cookies, and Wallet Files

Threat actors are deploying a sophisticated multi-stage infection chain to deliver the notorious Vidar information stealer. Discovered during proactive threat-hunting activities, this new campaign relies on legitimate Windows scripting languages and heavily obfuscated loader mechanisms.

By abusing AutoIt and masquerading files, attackers can successfully siphon passwords, cookies, and cryptocurrency wallets while remaining virtually invisible to traditional security controls.

First emerging in 2018 from the source code of the Arkei stealer, Vidar has become a prominent threat in the cybercrime ecosystem. Its ability to rapidly extract highly sensitive user data makes it a favorite among financial threat actors and initial access brokers.

Vidar infection chain (Source: LevelBlue)

Vidar Malware Campaign Targets Login Credentials

The attack begins when a user executes a compromised version of Microsoft Toolkit, a popular but unauthorized software activation utility. Because users expect such hack tools to flag antivirus warnings, they frequently ignore or bypass security alerts, making it an ideal Trojan horse.

Once launched, the malicious MicrosoftToolkit.exe avoids traditional exploit-based delivery. Instead, it spawns a standard command shell to kick off a covert, file-based staging process directly within the user space.

Attack tree observed in LevelBlue’s EDR (Source: LevelBlue)

To bypass basic file-type security controls, the malware leverages extension masquerading. It drops a disguised container file, initially named swingers.dot, and renames it to a .bat executable script. This simple but effective switch allows embedded commands to run without triggering static analysis alarms.

Before dropping its true payload, the script actively enumerates the environment. It uses standard Windows tools such as tasklist and findstr to identify running processes, looking for security software that might disrupt its deployment, as reported by LevelBlue.

After clearing the path, the script uses extrac32.exe to pull additional components from the disguised .dot containers. This extraction reveals two critical files: an AutoIt-compiled loader named Replies.scr and an external, encrypted payload file labeled D.

Snippet of files created by Microsofttool.exe. (Source: LevelBlue)

Because AutoIt is a legitimate Windows automation language, the malicious loader blends in seamlessly with standard administrative tasks. The loader serves solely as a delivery mechanism, loading the encrypted payload into memory for decryption and execution.

This builder-style architecture means the initial executable is practically harmless on its own, only revealing its malicious intent when combined with the external file.
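The staging chain described above (a command shell spawned by the activator, a .dot file renamed to .bat, tasklist/findstr enumeration, extrac32.exe unpacking the containers) is easier to catch as a sequence within one process tree than as single events, because each step on its own is common on a healthy workstation. The following is an added detection example, not code from the article or from LevelBlue: it correlates rule hits by process-tree root over constructed process-creation records. The key=value record format, the sample lines and the rule thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records (not real telemetry). Format: one
# event per line, key=value pairs, command line in double quotes.
SAMPLE_EVENTS = r"""
pid=4120 ppid=3300 image=C:\Users\u\Downloads\MicrosoftToolkit.exe parent=explorer.exe cmdline="MicrosoftToolkit.exe"
pid=4188 ppid=4120 image=C:\Windows\System32\cmd.exe parent=MicrosoftToolkit.exe cmdline="cmd.exe /c ren swingers.dot swingers.dot.bat && swingers.dot.bat"
pid=4202 ppid=4188 image=C:\Windows\System32\tasklist.exe parent=cmd.exe cmdline="tasklist"
pid=4203 ppid=4188 image=C:\Windows\System32\findstr.exe parent=cmd.exe cmdline="findstr /I secur"
pid=4210 ppid=4188 image=C:\Windows\System32\extrac32.exe parent=cmd.exe cmdline="extrac32 Beds.dot Replies.scr"
pid=5000 ppid=3300 image=C:\Windows\notepad.exe parent=explorer.exe cmdline="notepad.exe"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}


# Each rule inspects a single event. Individually most are noisy (tasklist
# is everyday admin activity); the chain only becomes suspicious when several
# of them fire inside the same process tree.
RULES = {
    "shell_spawned_by_activator": lambda e: (
        e["image"].lower().endswith("\\cmd.exe") and "toolkit" in e["parent"].lower()
    ),
    "dot_renamed_to_bat": lambda e: (
        re.search(r"\bren\b.*\.dot\b.*\.bat\b", e["cmdline"], re.I) is not None
    ),
    "process_enumeration": lambda e: (
        e["image"].lower().endswith(("\\tasklist.exe", "\\findstr.exe"))
    ),
    "extrac32_on_dot_container": lambda e: (
        e["image"].lower().endswith("\\extrac32.exe") and ".dot" in e["cmdline"].lower()
    ),
}


def root_of(pid, parents):
    """Follow ppid links up to the top-most process we have a record for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def detect(log_text, min_rules=3):
    """Group rule hits by process-tree root; return roots with >= min_rules distinct hits."""
    events = [parse_event(line) for line in log_text.strip().splitlines() if line.strip()]
    parents = {int(e["pid"]): int(e["ppid"]) for e in events}
    hits = defaultdict(set)
    for e in events:
        root = root_of(int(e["pid"]), parents)
        for name, rule in RULES.items():
            if rule(e):
                hits[root].add(name)
    return {root: sorted(names) for root, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for root, names in detect(SAMPLE_EVENTS).items():
        print(f"process tree rooted at pid {root} matched: {', '.join(names)}")
```

Requiring three of the four rules inside one tree keeps the benign notepad tree in the sample silent while the activator's tree is flagged; the same grouping works on real EDR or Sysmon process-creation data once parse_event is swapped for the source's own parser.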

Binary file D loaded by Replies.scr. (Source: LevelBlue)

Before connecting to its command-and-control (C2) servers, the malware ensures nobody is watching. It uses API calls like ZwQueryInformationProcess to detect debuggers or endpoint detection and response (EDR) instrumentation callbacks. If it senses an analysis environment, it alters its execution to remain hidden.

Snippet from x64dbg runtime (Source: LevelBlue)

Once it feels secure, the malware uses the WinINet API to reach out to external servers and retrieve configuration data. Interestingly, it abuses legitimate public platforms to hide its beaconing activity:

  • Constructs HTTP GET requests targeting a specific Telegram profile.
  • Polls a designated Steam Community profile to retrieve staging information.
  • Performs DNS resolution for dynamic infrastructure via the domain gz[.]technicalprorj[.]xyz.

These connections confirm the deployment of the Vidar stealer, paving the way for the immediate exfiltration of browser data and system credentials.
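Because the beaconing hides behind legitimate platforms, matching the indicators above needs two grades of signal: the dedicated infrastructure (the technicalprorj domain and the C2 IP) is an alert on its own, while a hit on telegram[.]me only matters when the requesting process is not a browser. The following is an added example, not code from the article or from LevelBlue, that matches egress records against the published indicators while keeping every indicator defanged; the CSV record layout, the browser list, the timestamps and the Telegram profile placeholder are assumptions made for the example.

```python
import csv
import io


def normalize(host):
    """Canonical defanged form ("a[.]b"); accepts live or already-defanged input."""
    return host.strip().lower().replace("[.]", ".").replace(".", "[.]")


# Indicators from the article's IOC table, kept defanged. The second tuple
# element marks a legitimate platform that is only abused as a dead drop,
# so the domain alone is not evidence of infection.
PUBLISHED_IOCS = {
    "gz[.]technicalprorj[.]xyz": ("Vidar-associated C2 domain", False),
    "149.154.167[.]99": ("Vidar-associated C2 IP", False),
    "telegram[.]me": ("Telegram profile polled for configuration", True),
}
IOCS = {normalize(k): v for k, v in PUBLISHED_IOCS.items()}

# Processes for which a Telegram request is expected and not alerted on (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed egress records (proxy, DNS and flow events in one CSV). Hosts
# are written defanged so the sample carries no live indicator; the Telegram
# profile path is a placeholder because the article does not publish it.
SAMPLE_LOG = """ts,process,kind,host,path
2025-01-10T09:00:01Z,Replies.scr,http,telegram[.]me,/PROFILE_PLACEHOLDER
2025-01-10T09:00:02Z,chrome.exe,http,telegram[.]me,/someone
2025-01-10T09:00:03Z,Replies.scr,dns,gz[.]technicalprorj[.]xyz,
2025-01-10T09:00:04Z,Replies.scr,tcp,149.154.167[.]99,
2025-01-10T09:00:05Z,outlook.exe,http,example.com,/
"""


def classify(record):
    """Return (severity, reason) for one record, or None if it is benign."""
    host = normalize(record["host"])
    if host not in IOCS:
        return None
    description, dead_drop = IOCS[host]
    if not dead_drop:
        return ("high", f"{record['kind']} to {host}: {description}")
    if record["process"].lower() not in BROWSERS:
        return ("medium", f"non-browser process {record['process']} polled {host}{record['path']}")
    return None


def scan(csv_text):
    """Run classify() over CSV egress records; return (severity, process, host) tuples."""
    alerts = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(record)
        if verdict:
            alerts.append((verdict[0], record["process"], normalize(record["host"])))
    return alerts


if __name__ == "__main__":
    for severity, process, host in scan(SAMPLE_LOG):
        print(f"[{severity}] {process} -> {host}")
```

normalize() is what lets the matcher consume live hostnames from a real proxy or DNS log without ever storing a fanged indicator, in line with the defanging note at the end of the article. The AutoIt-compiled .scr making the Telegram request is the medium-severity hit; the same request from a browser is ignored.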

Termination of the current process (Source: LevelBlue)

One of the most dangerous aspects of this campaign is its meticulous post-execution cleanup. After successfully launching the stealer, the original Microsoft Toolkit executable systematically destroys all evidence of the initial infection.

The malware traverses a linked list of the dropped .dot payload files, resetting their attributes before deleting them from the disk. It frees all associated memory structures, scrubs execution artifacts, and eventually terminates its own process using RtlExitUserProcess.

This thorough digital hygiene significantly reduces the on-disk footprint, complicating forensic investigations and hindering traditional incident response efforts.
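The cleanup leaves little on disk, but it does leave a pattern in file-system and process telemetry: a burst of deletions of freshly dropped files by the same process immediately before that process exits. The following is an added example, not code from the article or from LevelBlue, that looks for that pattern over constructed Sysmon-like events (simplified to an event name, timestamp, pid and path); the event layout, timestamps, paths and thresholds are assumptions made for the example, while the file names follow the article's IOC table.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-like events (not real telemetry). The cleanup by the
# activator process is followed, for contrast, by an ordinary single
# deletion from explorer.exe long before that process exits.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:05:00Z", "event": "file_delete", "pid": 4120, "image": "MicrosoftToolkit.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\swingers.dot.bat"},
    {"ts": "2025-01-10T09:05:00Z", "event": "file_delete", "pid": 4120, "image": "MicrosoftToolkit.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\Beds.dot"},
    {"ts": "2025-01-10T09:05:01Z", "event": "file_delete", "pid": 4120, "image": "MicrosoftToolkit.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\D"},
    {"ts": "2025-01-10T09:05:01Z", "event": "process_terminate", "pid": 4120, "image": "MicrosoftToolkit.exe"},
    {"ts": "2025-01-10T09:07:30Z", "event": "file_delete", "pid": 7000, "image": "explorer.exe",
     "target": r"C:\Users\u\Desktop\notes.txt"},
    {"ts": "2025-01-10T09:30:00Z", "event": "process_terminate", "pid": 7000, "image": "explorer.exe"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def self_cleaning_processes(events, min_deletes=2, window_s=10):
    """Return {pid: [deleted paths]} for processes that delete at least
    min_deletes files in the window_s seconds before they exit. A single
    deletion before exit is routine; a burst of deletions of recently dropped
    files followed immediately by process exit is the cleanup pattern above."""
    deletes = defaultdict(list)  # pid -> [(timestamp, path)]
    flagged = {}
    window = timedelta(seconds=window_s)
    # sorted() is stable, so a deletion and a termination sharing a timestamp
    # keep their original order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "file_delete":
            deletes[ev["pid"]].append((ts, ev["target"]))
        elif ev["event"] == "process_terminate":
            recent = [path for when, path in deletes[ev["pid"]] if ts - when <= window]
            if len(recent) >= min_deletes:
                flagged[ev["pid"]] = recent
    return flagged


if __name__ == "__main__":
    for pid, paths in self_cleaning_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid} deleted {len(paths)} files just before exiting: {paths}")
```

On a real Sysmon deployment the inputs map to FileDelete (Event ID 23 or 26) and ProcessTerminate (Event ID 5) records; restricting the deleted paths to files the same process tree created shortly before (Event ID 11) sharpens the rule further, and the attribute reset the article mentions can be added as a third signal where file-attribute events are collected.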

IOCs

| IOC | IOC type | Description |
| --- | --- | --- |
| fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d | SHA-256 | MicrosoftToolkit.exe |
| d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f | SHA-256 | swingers.dot.bat |
| 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 | SHA-256 | Beds.dot |
| 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb | SHA-256 | replies.scr |
| 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe | SHA-256 | D (payload file) |
| 149.154.167[.]99 | IP address | Vidar-associated C2 IP |
| telegram[.]me | Domain name | C2 domain |
| gz[.]technicalprorj[.]xyz | Domain name | Vidar-associated C2 domain |

MITRE ATT&CK Mapping

| Tactic | Technique / Sub-technique | Summary |
| --- | --- | --- |
| TA0001 – Initial Access | T1204.002 – User Execution: Malicious File | User downloaded and executed microsofttoolkit.exe (hacktool), serving as the initial entry point into the system |
| TA0002 – Execution | T1204.002 – User Execution: Malicious File | User executed microsofttoolkit.exe, initiating the infection under the assumption of legitimate software activation |
| TA0002 – Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | Batch/script-based execution used to stage further activity |
| TA0002 – Execution | T1027 – Obfuscated/Compressed Files | Payload staged via compressed or embedded format using extrac32.exe |
| TA0002 – Execution | T1140 – Deobfuscate/Decode Files or Information | Extraction process used to unpack the next-stage payload |
| TA0002 – Execution | T1059 – Command and Scripting Interpreter | AutoIt-based loader executed via script-like behavior |
| TA0002 – Execution | T1218 – Signed Binary Proxy Execution | .scr (AutoIt compiled binary) used as a loader to execute malicious logic |
| TA0005 – Defense Evasion | T1036 – Masquerading | A .dot file was renamed to .bat to bypass basic file-type restrictions |
| TA0005 – Defense Evasion | T1562.001 – Disable or Modify Security Tools | taskkill.exe used to terminate security-related processes |
| TA0005 – Defense Evasion | T1059.003 – Command Shell | findstr.exe leveraged for filtering and identifying security processes |
| TA0005 – Defense Evasion | T1070.004 – Indicator Removal on Host: File Deletion | Malware deleted dropped files to remove evidence |
| TA0005 – Defense Evasion | T1489 – Service Stop | Processes terminated to reduce forensic artifacts and evade detection |
| TA0011 – Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Malware communicated with C2 over HTTP/HTTPS |
| TA0011 – Command and Control | T1573 – Encrypted Channel | Encrypted communication used to evade detection |
| TA0010 – Exfiltration | T1041 – Exfiltration Over C2 Channel | Stolen data (credentials, browser data) exfiltrated via C2 channel |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Vidar Malware Campaign Targets Login Credentials, Session Cookies, and Wallet Files appeared first on Cyber Security News.
