Vidar 2.0

many of the sites distributing these malicious "cheats" are hosted on GitHub Pages... attackers typically host only landing pages on GitHub, which then link to external download sites hosted on infrastructure they control.

These campaigns typically begin in Discord chat rooms or Reddit communities dedicated to cheating in specific online games... take the shape of an offer for a "free" cheating tool.

Persistence is then established through a scheduled task named “SystemBackgroundUpdate”, configured to run at user logon with elevated privileges.

The downloaded file is a PowerShell script compiled into a .NET binary using PS2EXE.

Analysis revealed that these executables are PowerShell scripts compiled into .NET binaries using the open-source PS2EXE module.

the script inside the Perfume.mdb file... it becomes clear that the script functions as a dropper for the final payload.

The walkthrough mimics a legitimate software setup, telling victims to disable antivirus, extract a password-protected archive, and run the file with administrator rights.

The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts.

Persistence is then established through a scheduled task named “SystemBackgroundUpdate”, configured to run at user logon with elevated privileges.

Persistence is then established through a scheduled task named “SystemBackgroundUpdate”, configured to run at user logon with elevated privileges.

The malware also employs an advanced technique that launches browsers with debugging enabled and injects malicious code directly into running browser processes using either shellcode or reflective DLL injection.

Builder offers polymorphism options with heavy control-flow flattening and numeric state-machine switch constructs, making static detection more difficult.

The downloaded payload (background.exe) is a Themida-packed Vidar stealer 2.0.

Several fake GitHub repositories were identified distributing Vidar stealer 2.0 variant masking as game cheats or hardware ID ban bypass software... software named “TempSpoofer.exe” or “Monotone.exe” or “CFXBypass.exe”.

The malware also employs an advanced technique that launches browsers with debugging enabled and injects malicious code directly into running browser processes using either shellcode or reflective DLL injection.

It adds a Windows Defender exclusion for a specified attacker-controlled directory... create a randomly named directory inside the %AppData% directory, adds it to Defender’s exclusion list

It is executed as a background process and attempts to elevate its privileges using “runas”.

Extensive anti-analysis checks, including debugger detection, timing checks, uptime, and hardware profiling.

Vidar checks CPU and memory information via a couple of APIs to decide the number of threads to be used in the execution.

it verifies the file by checking the MZ header and sets both the directory and file attributes to “hidden” so that it’s not visible to users.

The malware also employs an advanced technique that launches browsers with debugging enabled and injects malicious code directly into running browser processes using either shellcode or reflective DLL injection.

Extensive anti-analysis checks, including debugger detection, timing checks, uptime, and hardware profiling.

The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts.

Vidar 2.0 targets a broad range of data, including browser cookies and autofill, cryptocurrency wallet extensions and desktop apps, cloud credentials, Steam accounts, Telegram, and Discord data.

Infostealer malware specializes in stealing data from browsers and other apps, including passwords, credit card information, and cryptocurrency wallet information.

Discord is also a target... uses the same techniques as a browser hijack to extract data... such as login tokens.

Extensive anti-analysis checks, including debugger detection, timing checks, uptime, and hardware profiling.

Vidar checks CPU and memory information via a couple of APIs to decide the number of threads to be used in the execution.

Extensive anti-analysis checks, including debugger detection, timing checks, uptime, and hardware profiling.

Once Vidar 2.0 collects all the data it can access on the infected machine, it captures screenshots, packages everything, and sends it to delivery points that include Telegram bots and URLs stored on Steam profiles.

Once Vidar 2.0 collects all the data it can access on the infected machine, it captures screenshots, packages everything, and sends it to delivery points that include Telegram bots and URLs stored on Steam profiles.

it creates a directory within the %ProgramData% where it will store all the stolen data and exfiltrates them in their command-and-control (C2) servers.

Then it tries to connect to the Telegram servers to perform a ‘GET’ request.

It then contacts a hard-coded Pastebin URL to retrieve the next-stage payload address from GitHub... it connects to Telegram bots and Steam profiles acting as dead drop resolvers.

Vidar is known to abuse Telegram and Steam as dead drop resolver (DDR) to mask their C2 servers.

It then contacts a hard-coded Pastebin URL to retrieve a secondary GitHub-hosted payload URL... downloads a second executable named “background.exe”.

Once Vidar 2.0 collects all the data it can access on the infected machine, it captures screenshots, packages everything, and sends it to delivery points that include Telegram bots and URLs stored on Steam profiles.