Best Top Reviews Online

Vidar Stealer’s Evolving Tactics: From Phishing Emails to Social Media

The notorious information stealer known as Vidar continues to use TikTok, Telegram, Steam, and Mastodon as intermediate command-and-control (C2) servers.

“When a user creates an account on an online platform, a unique account page is generated that can be accessed by anyone,” AhnLab Security Emergency Response Center (ASEC) disclosed in a technical report published at the end of the month. In portions of this page, threat actors have written identifying characters and the C2 address.

In other words, the technique relies on actor-controlled, disposable social media accounts to obtain the C2 address.

If the C2 server is taken down or blocked, the adversary can easily circumvent the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the new server.

Vidar, discovered for the first time in 2018, is an off-the-shelf malware capable of harvesting a wide variety of information from compromised hosts. It typically spreads via delivery mechanisms such as phishing emails and cracked software.

After information collection is complete, the collected data is compressed into a ZIP file, encoded in Base64, and sent to the C2 server, according to ASEC researchers.

In the most recent variant of the malware (version 56.1), the gathered data is encoded before exfiltration, whereas previous variants were known to send the compressed file data in plaintext format.
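A ZIP archive encoded in Base64 still begins with a fixed prefix, because the `PK\x03\x04` header always encodes to the same leading characters, so an inspecting proxy can flag it in outbound request bodies. The sketch below is an added example, not code from ASEC's report or from this article. The function names, file names and request bodies are constructed, and where the encoded field sits in the request is an assumption.

```python
import base64, binascii, io, re, urllib.parse, zipfile

# Runs of 24+ Base64 characters (standard or URL-safe alphabet) plus padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP

def find_b64_zip(body: str) -> list:
    """For each Base64 run in body that decodes to a ZIP, return its member names."""
    hits = []
    # Form-encoded bodies carry '+', '/' and '=' as %2B, %2F and %3D.
    for m in B64_RUN.finditer(urllib.parse.unquote(body)):
        run = m.group(0).rstrip("=").replace("-", "+").replace("_", "/")
        run += "=" * (-len(run) % 4)
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not raw.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                hits.append(zf.namelist())
        except zipfile.BadZipFile:
            hits.append([])  # ZIP header but truncated body: still reportable
    return hits

def build_sample_zip() -> bytes:
    """Constructed stand-in for an archive of collected files (names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("browsers/logins.txt", "constructed sample\n")
        zf.writestr("system.txt", "constructed sample\n")
    return buf.getvalue()

_B64 = base64.b64encode(build_sample_zip()).decode()
# Constructed request bodies: multipart, form-encoded, truncated, and benign.
SAMPLE_MULTIPART = ('--constructed\r\nContent-Disposition: form-data; name="file"'
                    "\r\n\r\n" + _B64 + "\r\n--constructed--\r\n")
SAMPLE_FORM = "id=1&data=" + urllib.parse.quote(_B64, safe="")
SAMPLE_TRUNCATED = base64.b64encode(build_sample_zip()[:40]).decode()
SAMPLE_BENIGN = "img=" + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()

if __name__ == "__main__":
    for name in ("SAMPLE_MULTIPART", "SAMPLE_FORM", "SAMPLE_TRUNCATED", "SAMPLE_BENIGN"):
        print(name, find_b64_zip(globals()[name]))
```

A hit only says that a Base64-encoded ZIP left the host. Legitimate uploaders do this too, so the result is best correlated with the destination and the originating process before alerting.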

“Because Vidar employs well-known platforms as the intermediary C2, it has a lengthy lifespan,” researchers explained. “A threat actor’s account that was created six months ago continues to be maintained and updated continuously.”

The development follows recent discoveries that the malware is being distributed via multiple methods, including malicious Google Ads and a malware loader dubbed Bumblebee, the latter of which is attributed to a threat actor tracked as Exotic Lily and Projector Libra.

In an analysis published last month, the risk consulting firm Kroll reported discovering an advertisement for the GIMP open-source image editor that, when clicked from a Google search result, redirected the victim to a typosquatting domain hosting the Vidar malware.

In part, the evolution of malware delivery methods in the threat landscape is a reaction to Microsoft’s decision to block macros by default in Office files downloaded from the internet beginning in July 2022.

This has resulted in a rise in the abuse of alternative file formats such as ISO, VHD, SVG, and XLL in email attachments to circumvent Mark of the Web (MotW) protections and avoid anti-malware scanning measures.

“Disk image files can circumvent the MotW feature because when the files within them are extracted or mounted, MotW is not inherited by the files,” ASEC researchers explained, describing a Qakbot campaign that uses a combination of HTML smuggling and VHD files to launch the malware.


The article above was written by the BestTopReviewsOnline team, which includes many of the US’s most knowledgeable technical experts. Our team includes well-known writers with extensive experience in mobile phones, computing, technology, photography, and other fields.
