Find notable cyber news and cases, enriched with sources, timelines, and signals.

Vidar infostealer market rise and distribution expansion

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 2 articles

Summary

Hide ▲

Vidar remains a long-running infostealer threat, and Aryaka reported a fresh campaign in recent weeks that adds new obfuscation techniques and stronger stealth and persistence. The malware uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted C2 channels, LOLBins, Windows Defender exception abuse, AMSI bypass attempts, and a scheduled task at user logon to stay hidden on Windows machines. It also uses a TLS-encrypted exfiltration server to steal credentials, cookies, authentication tokens, and other sensitive data from compromised environments.

Related Happenings

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity
H score29 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...

Vidar infostealer delivered through TikTok and Instagram Reels

Malware Activity
H score27 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...

TikTok and Instagram Reels Vidar social-engineering campaign

Campaign
H score37 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Timeline

  1. 28.04.2026 22:07 2 articles · 2mo ago

    Intrinsec describes Vidar's rise on Russian Market

    Initial Disclosure

    Intrinsec describes Vidar as the most used infostealer on Russian Market since November 2025 after law enforcement disrupted Lumma in May 2025 and Rhadamanthys in November 2025; the malware's operators expanded distribution, used Telegram 'Cloud' channels to advertise stolen logs, and hid command-and-communications details with dead drop resolvers while stealing browser passwords, cookies, session tokens, wallet data, screenshots, email data, and local files from users and corporate networks.

    Show sources
  2. 11.09.2025 19:23 1 articles · 10mo ago

    Aryaka reports fresh Vidar campaign with new evasion and persistence

    Technical Analysis Update

    Aryaka reported a fresh Vidar infostealer campaign on Windows machines that uses a PowerShell infection chain, the custom Download-Reliable() function, encrypted command-and-control (C2) channels, LOLBins, Windows Defender exception abuse, AMSI bypass attempts, and a scheduled task for user logon to improve stealth and persistence while exfiltrating data through a TLS-encrypted C2 server.

    Show sources