
Vidar Infostealer Campaigns Employ New Obfuscation Techniques

📰 1 unique source, 1 article

Summary


Vidar infostealer, active since 2018, has returned with enhanced stealth and persistence. This new campaign, identified by Aryaka, uses encrypted C2 channels, LOLBins, and covert exfiltration methods. Vidar spreads via phishing, malicious websites, and malvertising, targeting credentials, OS details, cookies, and financial data. The malware employs evasion techniques including PowerShell scripts, Windows Defender exceptions, and AMSI bypass. It maintains persistence through a scheduled task and hooks the CryptProtectMemory API to access encrypted data. The C2 server uses TLS encryption for data exfiltration.

Timeline

  1. 11.09.2025 19:23 📰 1 article · ⏱ 6d ago

    New Vidar Infostealer Campaign Identified

    A new campaign involving the Vidar infostealer has been identified, featuring enhanced stealth and persistence techniques. The malware uses encrypted C2 channels, LOLBins, and covert exfiltration methods. It spreads through phishing emails, malicious websites, and malvertising campaigns, targeting a wide range of sensitive data.

Information Snippets

All snippets below were first reported 11.09.2025 19:23 (📰 1 source, 1 article).

  • Vidar infostealer, first tracked in late 2018, is a malware-as-a-service that steals credentials, OS details, cookies, financial data, and authentication tokens.
  • The latest Vidar campaign uses encrypted C2 channels, LOLBins, and covert exfiltration methods to enhance stealth and persistence.
  • Vidar spreads through phishing emails, malicious websites, and malvertising campaigns.
  • The infection chain begins with a PowerShell script that loads the Vidar binary and other components.
  • Vidar uses a custom PowerShell function to retrieve payloads stealthily, employing evasion techniques and error suppression.
  • The malware creates a scheduled task for user logon to maintain persistence and stealth.
  • Vidar hooks into the CryptProtectMemory API to access encrypted passwords in modern browsers.
  • The C2 server used for data exfiltration is TLS-encrypted.
  • Defenses against Vidar include enhanced process monitoring, network anomaly detection, and strict PowerShell execution policies.
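The snippets above name two host artefacts a defender can audit directly: a logon-triggered scheduled task that runs PowerShell, and Windows Defender exceptions. The script below is an added hunting example, not code from Aryaka's report or from this page; the list of suspicious argument patterns is an assumption chosen for illustration, and it assumes an elevated PowerShell session on the host being checked.

```powershell
# Added hunting script (not from the Aryaka report): audit logon-triggered scheduled
# tasks that launch PowerShell, report Defender exclusions, and show the effective
# execution policy. Run in an elevated PowerShell session on the host under review.

# Assumed indicator list for illustration; tune to your environment.
$suspiciousArgs = @('-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
                    '-nop', '-ep bypass', '-executionpolicy bypass',
                    'downloadstring', 'iex', 'invoke-expression')

function Get-LogonPowerShellTasks {
    foreach ($task in Get-ScheduledTask) {
        # Keep only tasks with at least one logon trigger (MSFT_TaskLogonTrigger).
        $logonTriggers = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logonTriggers.Count -eq 0) { continue }
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if ($exe -notmatch 'powershell|pwsh') { continue }
            $argString = [string]$action.Arguments
            $hits = $suspiciousArgs | Where-Object { $argString -match [regex]::Escape($_) }
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                Author     = $task.Author
                Execute    = $exe
                Arguments  = $argString
                Indicators = ($hits -join ', ')
            }
        }
    }
}

function Get-DefenderExclusionReport {
    # Any entry here deserves a second look; a clean workstation normally has none.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

'== Logon-triggered scheduled tasks that run PowerShell =='
Get-LogonPowerShellTasks | Format-List
'== Windows Defender exclusions =='
Get-DefenderExclusionReport | Format-List
'== Effective PowerShell execution policy per scope =='
Get-ExecutionPolicy -List
```

Tasks that launch PowerShell at logon with hidden or encoded arguments, or Defender exclusions nobody can account for, are the findings to escalate; an empty report is the expected result on a clean host.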

Similar Happenings

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but adds the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability, which was patched in January 2025. HybridPetya can compromise modern UEFI-based systems: it deploys malicious UEFI payloads directly to the EFI System Partition and encrypts the Master File Table (MFT) on NTFS-formatted partitions, displaying a fake CHKDSK message to deceive victims. The ransomware consists of a bootkit and an installer, with the bootkit managing encryption and decryption. During installation the bootkit backs up the legitimate bootloaders, and it triggers a system crash during bootloader changes so that the bootkit binary is executed on reboot. It demands a $1,000 ransom in Bitcoin; a total of $183.32 was received between February and May 2025. The ransom note lets victims enter a decryption key after payment, which triggers the decryption process and restores the original bootloaders from the backups. Samples were uploaded to VirusTotal in February 2025, with no evidence of active use in the wild, so HybridPetya may be a research project, proof-of-concept, or an early version of a cybercrime tool under limited testing. It combines the destructive capabilities of NotPetya, the recoverable encryption of Petya, and a Secure Boot bypass. Its ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect, and its emergence highlights the growing threat from UEFI bootkits that reside at the level of a computer's startup sequence.