Vidar 2.0 Infostealer Emerges as Lumma Stealer Declines
Summary
Vidar 2.0 has expanded its operations through malvertising campaigns leveraging fake game cheats distributed on GitHub and Reddit. Hundreds of GitHub repositories are being used to deliver the infostealer, with Reddit posts promoting Counter-Strike 2 cheats that redirect to malicious sites. The campaigns employ sophisticated loaders with PowerShell scripts and obfuscated AutoIt payloads, alongside advanced evasion techniques such as Defender exclusions, Themida packing, and Telegram/Steam dead-drop C2 resolvers. The infostealer, first announced on October 6, 2025, by developer "Loadbaks," has evolved into a stealthier and more powerful threat with multithreaded execution, polymorphic builds, and advanced anti-analysis features. Its rising adoption follows law enforcement disruption of rival infostealers Lumma and Rhadamanthys, reshaping the infostealer landscape.
Timeline
- 23.10.2025 13:00 · 2 articles
Vidar 2.0 Infostealer Released with Enhanced Capabilities
On October 6, 2025, a new version of the Vidar infostealer, dubbed Vidar 2.0, was announced. This upgrade features a multithreaded architecture for faster data exfiltration, a complete rewrite in C for increased stability, and advanced evasion techniques. The release coincides with the decline of Lumma Stealer, which has been disrupted by law enforcement operations and doxxing campaigns. Security teams should anticipate increased prevalence of Vidar 2.0 in cybercriminal campaigns through Q4 2025.

New evidence from March 2026 reveals Vidar 2.0 is now being delivered via malvertising campaigns using fake game cheats distributed on GitHub repositories and Reddit posts. Hundreds of malicious repositories (potentially thousands) target virtually every major online game title, while Reddit posts promote Counter-Strike 2 cheats redirecting to malicious websites. The campaigns employ PowerShell loaders (e.g., TempSpoofer.exe, Monotone.exe, CFXBypass.exe) compiled via PS2EXE to bypass basic detections, establish Windows Defender exclusions, and deliver Themida-packed Vidar 2.0 executables (background.exe). The Reddit-delivered campaign uses obfuscated scripts (Perfume.mdb) and AutoIt payloads to assemble and execute Vidar 2.0. Stolen data is exfiltrated to C2 servers hidden via Telegram bots and Steam dead-drop resolvers (e.g., hxxps://telegram[.]me/bul33bt, hxxps://steamcommunity[.]com/profiles/76561198765046918). The same C2 infrastructure is used across both campaigns, suggesting a single threat actor or group is responsible. Vidar 2.0's operational expansion follows the decline of Lumma and Rhadamanthys due to law enforcement actions, demonstrating how the infostealer landscape adapts to enforcement disruption.
Sources:
- Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
- Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
Information Snippets
- Vidar 2.0 was announced on October 6, 2025, by a developer known as “Loadbaks” on underground forums.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Vidar 2.0 features a multithreaded architecture for faster data exfiltration and improved evasion capabilities.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- The upgrade includes a complete rewrite from C++ to C for increased stability and speed.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Vidar 2.0 introduces new custom-made browser credential extraction and AppBound bypass techniques.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Vidar 2.0 includes an automatic polymorphic builder to evade static detection methods.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Lumma Stealer's decline is attributed to law enforcement operations and doxxing campaigns.
  First reported: 23.10.2025 13:00 · 1 source, 1 article
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
- Vidar 2.0 is expected to become more prevalent in cybercriminal campaigns through Q4 2025.
  First reported: 23.10.2025 13:00 · 1 source, 2 articles
  - Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer, Researchers Say — www.infosecurity-magazine.com — 23.10.2025 13:00
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Vidar 2.0 is being delivered via fake game cheats hosted on GitHub repositories, with researchers estimating thousands of malicious repositories may exist targeting virtually every major online game title.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Attackers are using Reddit posts to promote fake Counter-Strike 2 game cheats that redirect victims to malicious websites distributing Vidar 2.0.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- The GitHub-delivered campaign uses PowerShell loaders (e.g., TempSpoofer.exe, Monotone.exe, CFXBypass.exe) that bypass basic script detections by compiling into .NET executables via PS2EXE.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- The PowerShell loader establishes Windows Defender exclusions for attacker-controlled directories, retrieves secondary payloads from Pastebin links, and delivers a Themida-packed Vidar 2.0 executable named background.exe.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- The Reddit-delivered campaign uses an SFX executable with an invalid digital signature containing an obfuscated script (Perfume.mdb) that builds the Vidar 2.0 payload via AutoIt from fragmented .mdb files.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- Vidar 2.0 exfiltrates stolen data to C2 servers hidden via Telegram bots and Steam dead-drop resolvers (e.g., hxxps://telegram[.]me/bul33bt, hxxps://steamcommunity[.]com/profiles/76561198765046918).
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
- The same C2 infrastructure is used across both GitHub and Reddit campaigns, suggesting a single threat actor or group is responsible.
  First reported: 18.03.2026 13:15 · 1 source, 1 article
  - Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats — www.infosecurity-magazine.com — 18.03.2026 13:15
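The Defender-exclusion step in the GitHub-delivered loader chain is one of the more durable detection points in this campaign: whatever the loader is named and however the payload is packed, an exclusion for a user-writable directory has to be written to the local Defender configuration first. The following PowerShell audit is an added example written for this summary, not code from the article or from the researchers it cites; the path patterns and the seven-day lookback are assumptions to tune for your estate. It lists the current Defender exclusions, flags any that sit under user-writable locations (or any whole-extension exclusion, which is rarely justified), and pulls recent configuration-change events (ID 5007) from the Defender operational log so the change can be timed against other host activity. Run it in an elevated session.

```powershell
# Added example for this summary (not the article's or the researchers' code).
# Audits Microsoft Defender exclusions and recent exclusion changes on a host.

function Get-SuspiciousDefenderExclusion {
    param(
        # Assumed patterns for locations an unprivileged user can write to; adjust per estate.
        [string[]]$UserWritablePatterns = @('\\Users\\', '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\')
    )

    $pref = Get-MpPreference
    $entries = @()
    foreach ($p in $pref.ExclusionPath)      { $entries += [pscustomobject]@{ Kind = 'Path';      Value = $p } }
    foreach ($e in $pref.ExclusionExtension) { $entries += [pscustomobject]@{ Kind = 'Extension'; Value = $e } }
    foreach ($x in $pref.ExclusionProcess)   { $entries += [pscustomobject]@{ Kind = 'Process';   Value = $x } }

    foreach ($entry in $entries) {
        $flag = $false
        if ($entry.Kind -eq 'Extension') {
            # A whole-extension exclusion disables scanning far more broadly than a single path.
            $flag = $true
        }
        elseif (($UserWritablePatterns | Where-Object { $entry.Value -match $_ })) {
            # Path or process exclusions under user-writable trees are what a loader needs
            # to drop and run an unscanned payload from a directory it controls.
            $flag = $true
        }
        [pscustomobject]@{ Kind = $entry.Kind; Value = $entry.Value; Suspicious = $flag }
    }
}

function Get-RecentDefenderExclusionChange {
    param([int]$Days = 7)   # assumed lookback window

    # Event 5007 in the Defender operational log records a configuration change; the
    # message text names the registry value that changed, so exclusion edits can be
    # separated from other settings by matching on 'Exclusions'.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

# Usage: review the flagged entries, then correlate any recent change with process
# creation and download activity from the same window.
Get-SuspiciousDefenderExclusion | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-RecentDefenderExclusionChange | Format-List
```

The 5007 event is the piece worth forwarding to central logging: a flagged exclusion on its own may be an administrator's leftover, but an exclusion created minutes before a new executable appears in that same directory is the pattern the loader chain described above produces.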
Similar Happenings
341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords. Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results.
The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.
pkr_mtsi Malware Loader Distributes Diverse Payloads via Malvertising and SEO Poisoning
A versatile Windows packer named pkr_mtsi has been identified as a malware loader used in large-scale malvertising and SEO-poisoning campaigns. First observed on April 24, 2025, it delivers various payloads including Oyster, Vidar, Vanguard Stealer, and Supper. The loader disguises itself as legitimate software installers and leverages fake download sites for distribution. The malware has evolved over the past eight months, incorporating heavier obfuscation, hashed API resolution, and anti-analysis techniques. Despite these changes, its structure provides durable detection opportunities, including predictable errors from invalid protection flags. ReversingLabs (RL) has released a YARA rule to detect all known variants, highlighting the packer's staged architecture and alternate execution paths for DFIR practitioners.
ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches
A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.