Vidar infostealer market rise and distribution expansion

Malware Activity
Happening score: 33 · 1 unique source, 2 articles

Summary

Vidar remains a long-running infostealer threat, and Aryaka reported a fresh campaign in recent weeks that adds new obfuscation techniques and stronger stealth and persistence. The malware uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted C2 channels, LOLBins, Windows Defender exclusion abuse, AMSI bypass attempts, and a scheduled task that runs at user logon to stay hidden on Windows machines. It exfiltrates credentials, cookies, authentication tokens, and other sensitive data from compromised environments to a TLS-encrypted exfiltration server.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

REMUS underground ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...

AgingFly malware attacks local governments and hospitals in Ukraine

Malware Activity
First: 16.04.2026 00:57 Last: 16.04.2026 00:57 Sources 1

About this happening: The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Timeline

  1. 28.04.2026 22:07 2 articles · 28d ago

    Intrinsec describes Vidar's rise on Russian Market

    Initial Disclosure

    Intrinsec describes Vidar as the most used infostealer on Russian Market since November 2025, following the law enforcement disruptions of Lumma in May 2025 and Rhadamanthys in November 2025. The malware's operators expanded distribution, used Telegram 'Cloud' channels to advertise stolen logs, and hid command-and-control details behind dead drop resolvers. The stealer takes browser passwords, cookies, session tokens, wallet data, screenshots, email data, and local files from both individual users and corporate networks.

  2. 11.09.2025 19:23 1 article · 8mo ago

    Aryaka reports fresh Vidar campaign with new evasion and persistence

    Technical Analysis Update

    Aryaka reported a fresh Vidar infostealer campaign against Windows machines that uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted command-and-control (C2) channels, LOLBins, Windows Defender exclusion abuse, AMSI bypass attempts, and a scheduled task that runs at user logon to improve stealth and persistence, while exfiltrating data through a TLS-encrypted C2 server.
