Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 2 actorsExploits 2 CVEs

Vidar v2

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVES
CVE-2025-8088WinRAR Windows Path Traversal via NTFS Alternate Data StreamsExploited in the wild

The malware arrives through a booby-trapped archive named Besomar_documentation.rar, which exploits two archive-handling vulnerabilities, CVE-2025-8088 and CVE-2025-6218.

via cyber security newscybersecuritynews.com
CVE-2025-6218Directory Traversal RCE in RARLAB WinRARExploited in the wild

The malware arrives through a booby-trapped archive named Besomar_documentation.rar, which exploits two archive-handling vulnerabilities, CVE-2025-8088 and CVE-2025-6218.

via cyber security newscybersecuritynews.com
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
GhostShell

Alongside this, there’s a third file titled 22.exe. This is the file that drops a well-known data-stealing program called Vidar v2. The malware now starts collecting saved internet passwords, history, and cryptocurrency wallet information from the infected machine.

via hackreadhackread.com
MB-0009

Alongside this, there’s a third file titled 22.exe. This is the file that drops a well-known data-stealing program called Vidar v2. The malware now starts collecting saved internet passwords, history, and cryptocurrency wallet information from the infected machine.

via hackreadhackread.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

3 techniques
T1539Steal Web Session CookieEvidence1

This is the file that drops a well-known data-stealing program called Vidar v2. The malware now starts collecting saved internet passwords, history

T1555Credentials from Password StoresEvidence1

Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots

T1649Steal or Forge Authentication CertificatesEvidence1

The malware now starts collecting saved internet passwords

Collection

3 techniques
T1113Screen CaptureEvidence1

Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots

T1213.001ConfluenceEvidence1

The malware now starts collecting saved internet passwords, history, and cryptocurrency wallet information from the infected machine.

T1560Archive Collected DataEvidence1

Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots, sending everything out through the encrypted tunnel

Command and Control

1 technique
T1090ProxyEvidence1

The third component, 22.exe, is a Go-based launcher that wraps a full tunneling client inside itself. It sets up an encrypted proxy connection and delivers Vidar v2

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

The third component... sets up an encrypted proxy connection... sending everything out through the encrypted tunnel in a way that is difficult to detect on the network.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in apptoday
hash.sha256●●●●●●●●●●●●View more in apptoday
ip.v4●●●●●●●●●●●●View more in apptoday
uri●●●●●●●●●●●●View more in apptoday
ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching4

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities2

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.