Vidar infostealer market rise and distribution expansion
Malware Activity
Summary
Hide ▲
Show ▼
Vidar remains a long-running infostealer threat, and Aryaka reported a fresh campaign in recent weeks that adds new obfuscation techniques and stronger stealth and persistence. The malware uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted C2 channels, LOLBins, Windows Defender exception abuse, AMSI bypass attempts, and a scheduled task at user logon to stay hidden on Windows machines. It also uses a TLS-encrypted exfiltration server to steal credentials, cookies, authentication tokens, and other sensitive data from compromised environments.
Related Happenings
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware Activity
H score27
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware ActivityAbout this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
TikTok and Instagram Reels Vidar social-engineering campaign
Campaign
H score37
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
TikTok and Instagram Reels Vidar social-engineering campaign
CampaignAbout this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Timeline
-
28.04.2026 22:07 2 articles · 2mo ago
Intrinsec describes Vidar's rise on Russian Market
Initial DisclosureIntrinsec describes Vidar as the most used infostealer on Russian Market since November 2025 after law enforcement disrupted Lumma in May 2025 and Rhadamanthys in November 2025; the malware's operators expanded distribution, used Telegram 'Cloud' channels to advertise stolen logs, and hid command-and-communications details with dead drop resolvers while stealing browser passwords, cookies, session tokens, wallet data, screenshots, email data, and local files from users and corporate networks.
Show sources
- Vidar Rises to Top of Chaotic Infostealer Market — www.darkreading.com — 28.04.2026 22:07
- Vidar Rises to Top of Chaotic Infostealer Market — www.darkreading.com — 28.04.2026 22:07
-
11.09.2025 19:23 1 articles · 10mo ago
Aryaka reports fresh Vidar campaign with new evasion and persistence
Technical Analysis UpdateAryaka reported a fresh Vidar infostealer campaign on Windows machines that uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted command-and-control (C2) channels, LOLBins, Windows Defender exception abuse, AMSI bypass attempts, and a scheduled task for user logon to improve stealth and persistence while exfiltrating data through a TLS-encrypted C2 server.
Show sources
- Vidar Infostealer Back With a Vengeance — www.darkreading.com — 11.09.2025 19:23