Vidar Infostealer Being Spread through Phishing Emails
Vidar, a C++-based MaaS infostealer active since 2018, is being distributed via phishing emails disguised as resumes and copyright infringement notices targeting Korean users. The malware uses a Go-based packer to evade detection and employs a Dead Drop Resolver technique via Telegram and Steam profile pages to retrieve C&C server addresses. Once executed, Vidar exfiltrates browser credentials, cryptocurrency wallets, Discord/Telegram/Steam data, Azure tokens, FTP credentials, and screenshots, with anti-debugging and anti-VM techniques to hinder analysis.
- domainctl[.]it-bd[.]comFQDN used as C&C server by Vidar infostealer
- domainfrr[.]ambil-disini[.]web[.]idFQDN used as C&C server by Vidar infostealer
- domaingor[.]emiraride[.]comFQDN used as C&C server by Vidar infostealer
- domaingre[.]syslicense[.]netFQDN used as C&C server by Vidar infostealer
- domainlat[.]sodstreams[.]comFQDN used as C&C server by Vidar infostealer
- ip107[.]189[.]24[.]190C&C server IP address used by Vidar for initial communication and data exfiltration
- md50b8af4afd26175ba818c0fdb4622bf14MD5 hash of a Vidar phishing email attachment executable
- md51bbf1e83eea55e70d59f0d633789011eMD5 hash of a Vidar phishing email attachment executable
- md52fba9ec34fdf4b1584dd9c69b9ec9393MD5 hash of a Vidar phishing email attachment executable
- md54e885b1a0c1d0636e940b4af20fdc8dbMD5 hash of a Vidar phishing email attachment executable
- md5536dd0b0f6dff75dc01869df9809df61MD5 hash of a Vidar phishing email attachment executable
- urlhxxp://107[.]189[.]24[.]190/C&C server URL contacted by Vidar after retrieving the address from DDR infrastructure
- urlhxxps://steamcommunity[.]com/profiles/76561198694626397Steam profile page used as Dead Drop Resolver to host Vidar C&C server address
- urlhxxps://steamcommunity[.]com/profiles/76561198698223785Steam profile page used as Dead Drop Resolver to host Vidar C&C server address
- urlhxxps://steamcommunity[.]com/profiles/76561198703616215Steam profile page used as Dead Drop Resolver to host Vidar C&C server address
- urlhxxps://steamcommunity[.]com/profiles/76561198706525776Steam profile page used as Dead Drop Resolver to host Vidar C&C server address
Detection / Hunteropenrouter
What Happened
A type of malicious software called Vidar, which specializes in stealing sensitive information from infected computers, is being spread through fake email attachments disguised as job applications and copyright infringement notices. When a user opens the attached file thinking it is a legitimate document, the malware secretly activates and begins stealing saved passwords, browser cookies, cryptocurrency wallet files, Discord and Telegram data, and other sensitive information. The attackers are cleverly hiding the addresses of their command servers on legitimate platforms like Telegram and Steam profile pages to avoid detection. People and organizations in Korea are the primary targets. Users should be extremely cautious with email attachments and executable files from unknown sources, and should ensure their antivirus software is up to date.
Key Takeaways
- Vidar infostealer is being actively distributed via phishing emails disguised as job applications and copyright infringement notices, primarily targeting Korean users in H1 2026.
- The malware uses a Go-based packer to decrypt and execute the real Vidar payload in memory, with the binary disguised using a Word document icon.
- Vidar employs a Dead Drop Resolver (DDR) technique by embedding C&C addresses on Telegram and Steam profile pages, using the marker string 'ar3k0' to identify the C&C address.
- The stealer exfiltrates a wide range of data including browser credentials/cookies, cryptocurrency wallets, Discord tokens, Telegram data, Steam config, Azure tokens, FTP client credentials, and screenshots.
- Anti-analysis techniques include NtGlobalFlag anti-debugging checks, CPU/RAM/disk-based anti-VM, and username/computer name-based anti-sandbox checks.
Affected Systems
- Windows systems (general)
- Chromium-based web browsers (Chrome, etc.)
- Firefox-based web browsers
- FileZilla FTP client
- WinSCP FTP client
- Discord desktop client
- Telegram Desktop
- Steam client
- Azure CLI / Azure SDK configurations
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing email with attachment disguised as resume or copyright infringement document is sent to target
- Execution: Victim executes the Go-packed binary disguised with a Word document icon; packer decrypts and executes Vidar in memory
- Defense Evasion: Vidar performs anti-debugging (NtGlobalFlag), anti-VM (CPU/RAM/disk checks), and anti-sandbox (username/computer name checks) before proceeding
- C2 Resolution: Vidar uses Dead Drop Resolver technique by accessing Telegram profile page first, then Steam profile page as fallback, searching for C&C address between 'ar3k0' marker and delimiter
- C2 Communication: Vidar authenticates with C&C server by transmitting hwid, format, and build_id; receives JSON configuration with theft targets and token for subsequent communications
- Collection & Exfiltration: Vidar downloads additional configuration via mode-based requests, then collects and exfiltrates browser credentials, cookies, history, cryptocurrency wallets, Discord tokens, Telegram data, Steam config, Azure tokens, FTP credentials, and screenshots to C&C server
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It references AhnLab TIP for access to related IOCs and detailed analysis.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The Go-based packer executing Vidar in memory may be partially visible to EDR via process creation and memory injection telemetry. However, the anti-analysis techniques and in-memory execution may reduce visibility into the actual payload behavior. |
| Network Visibility | High | Vidar's communication with Steam profile pages, Telegram, and the C&C server over HTTP/HTTPS provides clear network indicators. The DDR technique contacting Steam community profile pages is a distinctive network behavior that can be detected. |
| Detection Difficulty | Moderate | The use of legitimate platforms (Steam, Telegram) for DDR and HTTP/HTTPS for C2 communication blends with normal traffic. However, the specific Steam profile URLs, known C&C IPs/domains, and the pattern of a Go-packed executable disguised as a document provide viable detection paths. |
Required Log Sources
- EDR process creation and memory access logs
- Network proxy or firewall logs (HTTP/HTTPS traffic)
- DNS resolution logs
- Web browser security logs
- Email gateway logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes making outbound HTTP connections to Steam community profile pages shortly after execution, which may indicate a Dead Drop Resolver technique being used by infostealers like Vidar. | Network proxy logs, DNS logs, EDR network telemetry | C2 Resolution | Medium - legitimate users may access Steam community pages; correlate with suspicious process ancestry or recently executed attachments. |
| Consider hunting for executable files with Word document icons that spawn child processes or inject into memory, particularly those originating from email attachments with names containing 'job application' or 'copyright infringement' keywords. | EDR process creation logs, file reputation services, email gateway logs | Execution | Low - executable files disguised as documents with these naming patterns are highly suspicious. |
| Consider hunting for processes accessing multiple browser credential databases, cryptocurrency wallet files, and Discord/Telegram local storage in a short time window, which may indicate infostealer data collection activity. | EDR file access logs, Windows Event Logs, file integrity monitoring | Collection | Low to Medium - legitimate browser processes access these files; focus on unusual process ancestry or non-browser processes accessing these paths. |
| Consider hunting for network connections to the known C&C IP and FQDNs associated with Vidar, as well as HTTP POST requests transmitting files named 'information.Txt', 'passwords.Txt', or 'screenshot.Jpg'. | Network firewall logs, proxy logs, IDS/IPS alerts | Exfiltration | Low - these specific indicators are strongly associated with Vidar activity. |
Control Gaps
- Network-based detection may miss C2 traffic if it blends with legitimate HTTPS traffic to known platforms like Steam and Telegram
- The Go-based packer's in-memory execution of Vidar may bypass traditional file-based AV scanning
- Email gateway filtering may not catch the phishing attachments if they use novel file hashes or social engineering lures tailored to the target organization
- Anti-VM and anti-sandbox techniques may prevent automated detonation environments from observing the full attack chain
Key Behavioral Indicators
- Executable files with Word document icons distributed via email with job application or copyright infringement themes
- Process accessing Steam community profile URLs (steamcommunity.com/profiles/) shortly after execution from a suspicious parent process
- Non-browser process accessing Chromium-based browser Login Data, Cookies, and Local State files
- Non-browser process accessing Firefox profile directories including logins.json, key4.db, and cookies.sqlite
- Process creating files named information.Txt, passwords.Txt, or screenshot.Jpg in temporary directories
- Network connections to the marker string 'ar3k0' being transmitted or C&C addresses on Telegram/Steam profile pages
- Go-compiled binary exhibiting infostealer behavior patterns (sequential file access to credential stores)
False Positive Assessment
Low to Medium - The known C&C IPs, domains, and MD5 hashes provide low false positive risk for network and host-based detections. However, behavioral detections based on Steam community profile access or browser credential file access may generate false positives from legitimate user activity, requiring careful correlation with process ancestry and execution context.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the known C&C IP (107.189.24.190) and FQDNs (ctl.it-bd.com, frr.ambil-disini.web.id, gor.emiraride.com, gre.syslicense.net, lat.sodstreams.com) on your firewall and proxy infrastructure.
- Consider adding the known MD5 hashes to your EDR and AV block lists, and hunt for any matches in your environment.
- If your email gateway supports it, consider creating filtering rules for attachments with filenames containing 'job application', 'copyright infringement', or 'resume' patterns with .exe extensions.
- Consider blocking or alerting on outbound connections to the identified Steam community profile URLs used as Dead Drop Resolvers, if your proxy or firewall policies allow.
Infrastructure Hardening
- Evaluate whether your network segmentation policies can restrict outbound traffic from workstations to known legitimate platforms like Steam community pages, if those are not business-relevant.
- Consider implementing TLS inspection for outbound HTTPS traffic to detect C2 communication disguised as legitimate platform access, if supported by your network infrastructure.
- If applicable, consider deploying application-aware firewall rules to detect and alert on HTTP POST requests transmitting files with names like 'information.Txt' or 'passwords.Txt'.
User Protection
- Consider ensuring all endpoints have updated anti-malware signatures and EDR agents running with the latest detection logic.
- If your organization uses FileZilla or WinSCP, consider evaluating whether credential storage in these FTP clients can be disabled or replaced with a managed credential vault.
- Consider deploying browser extension management policies to restrict unauthorized cryptocurrency wallet extensions, if applicable to your environment.
- Evaluate whether Discord, Telegram Desktop, and Steam client installations on corporate endpoints are necessary, and consider restricting their use if not business-required.
Security Awareness
- Consider incorporating this phishing campaign into existing security awareness training, highlighting that executable files can be disguised with document icons and naming conventions.
- Remind users to verify the file extension of email attachments before opening, and to be especially cautious of .exe files disguised as documents.
- Consider adding specific guidance about job application and copyright infringement themed phishing lures to your phishing reporting procedures.
- If your organization has a phishing reporting mechanism, consider reminding employees to report suspicious emails with resume or copyright-related attachments.
MITRE ATT&CK Mapping
Initial Access
Execution
Credential Access
Collection
Command and Control
Additional IOCs
- Urls:
hxxps://steamcommunity[.]com/profiles/76561198694626397- Steam profile page used as Dead Drop Resolver to host Vidar C&C server addresshxxps://steamcommunity[.]com/profiles/76561198698223785- Steam profile page used as Dead Drop Resolver to host Vidar C&C server addresshxxps://steamcommunity[.]com/profiles/76561198703616215- Steam profile page used as Dead Drop Resolver to host Vidar C&C server addresshxxps://steamcommunity[.]com/profiles/76561198706525776- Steam profile page used as Dead Drop Resolver to host Vidar C&C server address
- File Hashes:
4e885b1a0c1d0636e940b4af20fdc8db(MD5) - MD5 hash of a Vidar phishing email attachment executable536dd0b0f6dff75dc01869df9809df61(MD5) - MD5 hash of a Vidar phishing email attachment executable
- Other:
ar3k0- Marker string used by Vidar to identify the C&C server address embedded in Telegram and Steam profile pages; the address between this marker and a delimiter is extracted as the C&C server7dd16d1018865e5e817c418f87e6be00- Hard-coded build_id value embedded in Vidar binary, transmitted to C&C server during initial authentication1.9- Version information hard-coded into the Vidar binary