Vidar malware campaign evolves with advanced data theft tactics

Researchers warn advanced Vidar malware attacks are becoming harder to detect

Cybersecurity researchers have raised fresh concerns over the growing threat of the Vidar information stealer, a malware campaign active since 2018 that is now using more advanced techniques to bypass modern security systems and steal sensitive data.

Researchers said Vidar is no longer focused only on password theft. The malware is now targeting browser-stored credentials, session cookies, cryptocurrency wallet files and detailed system information that can later be used for financial fraud or unauthorized access to digital systems.

Originally built using the source code of the earlier Arkei stealer, Vidar has developed into a widely distributed malware family. Recent campaigns reportedly use multi-stage infection chains, making detection much harder for traditional antivirus tools.

According to cybersecurity analysts at LevelBlue, the attack often starts with a fake software activation tool such as “MicrosoftToolkit.exe.” The file appears legitimate and tricks users into manually launching the malware.

Once executed, the malware begins a hidden sequence of scripts and payload extractions. Researchers found that Vidar checks for active security tools, attempts to disable monitoring systems and then launches a loader built using AutoIt scripting methods.

Security experts said the layered attack structure helps the malware avoid detection long enough to steal sensitive information from infected systems.

After full deployment, Vidar searches for saved passwords, browser cookies, authentication data and cryptocurrency wallet files. Analysts warned that stolen session cookies are especially dangerous because they can sometimes bypass login authentication, including multi-factor authentication, if sessions are still active.

Researchers also observed the malware communicating with its command infrastructure through legitimate platforms such as Telegram and Steam, so that the traffic blends in with normal activity.

Another major concern is Vidar’s ability to erase traces after completing its operation. The malware reportedly deletes files, clears execution records, resets file attributes and shuts down its own processes to make forensic investigation difficult.
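As an added illustration of how a defender might triage the chain described above (constructed example code, not from the article or from LevelBlue's analysis): it walks Sysmon-style process and network events and attributes each behaviour to the process tree rooted at the fake activator. The event field names, the AutoIt3.exe and .a3x loader markers and the Telegram and Steam domains are assumptions; only the MicrosoftToolkit.exe name comes from the article.

```python
import re

# Behaviour markers from the article: fake activator, script staging, AutoIt loader, C2 over public platforms, cleanup.
FAKE_ACTIVATOR = re.compile(r"^microsofttoolkit\.exe$", re.I)       # name given in the article
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
AUTOIT_HINT = re.compile(r"autoit3\.exe|\.a3x\b", re.I)             # assumed loader markers
COMMS_DOMAINS = re.compile(r"(t\.me|telegram\.org|steamcommunity\.com)$", re.I)  # assumed
CLEANUP = re.compile(r"\b(del|erase|attrib)\b", re.I)               # self-deletion / attribute reset
EVENTS = [  # constructed sample events in a Sysmon-like shape; not real telemetry
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\MicrosoftToolkit.exe", "cmd": "MicrosoftToolkit.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c tasklist"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmd": "AutoIt3.exe stage.a3x", "dest": "steamcommunity.com"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c attrib -h stage.a3x & del /f stage.a3x"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (root_pid, finding, detail) tuples for every process descending from a fake activator."""
    by_pid = {e["pid"]: e for e in events}
    roots = {e["pid"] for e in events if FAKE_ACTIVATOR.search(basename(e["image"]))}
    def root_of(e):  # walk up the parent chain until a fake-activator root is reached
        seen = set()
        while e["pid"] not in roots:
            if e["pid"] in seen or e["ppid"] not in by_pid:
                return None
            seen.add(e["pid"])
            e = by_pid[e["ppid"]]
        return e["pid"]
    findings = []
    for e in events:
        r = root_of(e)
        if r is None:
            continue  # not part of a suspicious tree
        name = basename(e["image"])
        if e["pid"] == r:
            findings.append((r, "stage1_fake_activator", name))
        if name in SCRIPT_HOSTS:
            findings.append((r, "stage2_script_host", e["cmd"]))
        if AUTOIT_HINT.search(name + " " + e["cmd"]):
            findings.append((r, "stage3_autoit_loader", name))
        if COMMS_DOMAINS.search(e.get("dest", "")):
            findings.append((r, "c2_over_public_platform", e["dest"]))
        if CLEANUP.search(e["cmd"]):
            findings.append((r, "anti_forensics_cleanup", e["cmd"]))
    return findings
```

Each finding carries the root pid, so a single user-launched activator can be reported as one incident even when the later stages run as separate processes.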

Cybersecurity experts recommend isolating infected devices immediately, resetting all credentials, terminating active sessions and fully reimaging affected systems to prevent further compromise.
