EXECUTIVE SUMMARY:
A multi-stage malware campaign was identified leveraging AutoIt-based loaders to deploy the Vidar stealer through a staged execution chain designed to evade detection and maintain persistence. The infection begins with the execution of a commonly abused software activation tool, which initiates a sequence of command-line operations, disguised script execution, and payload extraction activities. The attack relies heavily on file masquerading, script-based execution, and legitimate Windows utilities to reconstruct and launch malicious components while avoiding traditional security controls. The final payload establishes command-and-control (C2) communication with attacker-controlled infrastructure to facilitate credential theft, browser data collection, cryptocurrency wallet harvesting, and system reconnaissance.
Analysis revealed that the threat actors used renamed document-based files, batch scripts, and AutoIt-compiled executables to establish a staged loader architecture. The malicious chain included environment reconnaissance, process enumeration, payload extraction, and synchronization delays before initiating outbound command-and-control communication. The AutoIt loader dynamically reconstructed encrypted payloads in memory and connected to attacker-controlled infrastructure through HTTP requests disguised as legitimate traffic. The malware also incorporated multiple anti-analysis and defense evasion techniques, including debugger detection, process termination attempts, encrypted communications, and the use of trusted web platforms for retrieving configuration or staging data. Additional cleanup routines deleted dropped artifacts and terminated related processes to reduce forensic visibility and hinder incident response investigations.
The campaign highlights how modern malware operators continue to combine legitimate administrative tools, scripting engines, and layered execution methods to bypass traditional security controls and reduce forensic visibility. The use of AutoIt loaders, staged payload execution, and extensive cleanup operations increases the difficulty of detection and incident response while enabling rapid credential theft and data exfiltration. Organizations should prioritize behavioral monitoring, restrict unauthorized scripting activity, strengthen endpoint defenses, and closely monitor outbound network communications to identify similar multi-stage infostealer campaigns before sensitive information is compromised.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Stealth | T1036.003 | Masquerading | Rename Legitimate Utilities |
| Stealth | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Stealth | T1070.004 | Indicator Removal | File Deletion |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
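As an added example (not code from the report or its authors), the following Python correlates constructed Sysmon-style process-creation events into the staged chain described in the summary: each event is tagged with the ATT&CK techniques from the table above, and an alert is raised when a single process tree shows several of them. The event records, the user path, and the assumption that compiled AutoIt binaries keep "AutoIt3.exe" as their PE original file name are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed Sysmon-style process-creation events (not from the campaign). Compiled
# AutoIt scripts are assumed to keep "AutoIt3.exe" as their PE OriginalFileName.
T = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Users\alice\Downloads\Activator.exe", "cmdline": "Activator.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": f'cmd.exe /c "{T}\\setup.bat"'},
    {"pid": 102, "ppid": 101, "image": f"{T}\\Report.docx.exe", "cmdline": "Report.docx.exe", "original_file_name": "AutoIt3.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": f"rundll32.exe {T}\\stage.dat,Start"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe", "cmdline": f"cmd.exe /c del /q {T}\\*.bat"},
    {"pid": 200, "ppid": 20, "image": r"C:\Program Files\Office\WINWORD.EXE", "cmdline": "WINWORD.EXE Report.docx"},
]
DOC_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt")
USER_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\")

def tag_event(ev):
    """Return the ATT&CK technique IDs that a single process-creation event matches."""
    tags = set()
    base = ev["image"].lower().rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    cmd = ev["cmdline"].lower()
    # T1036.003: document-looking name with an .exe extension, or a compiled AutoIt binary renamed.
    if (ext == "exe" and stem.endswith(DOC_EXTS)) or (
            ev.get("original_file_name", "").lower() == "autoit3.exe" and base != "autoit3.exe"):
        tags.add("T1036.003")
    # T1059.003: cmd.exe executing a batch script from a user-writable location.
    if base == "cmd.exe" and re.search(r'/c\s+"?[^\s"]+\.bat\b', cmd) and any(d in cmd for d in USER_DIRS):
        tags.add("T1059.003")
    # T1218.011: rundll32 loading a module that is not a .dll under System32.
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', cmd) if base == "rundll32.exe" else None
    if m and (not m.group(1).endswith(".dll") or "\\system32\\" not in m.group(1)):
        tags.add("T1218.011")
    # T1070.004: command-shell deletion of dropped files in user-writable paths.
    if base == "cmd.exe" and re.search(r"\bdel\b", cmd) and any(d in cmd for d in USER_DIRS):
        tags.add("T1070.004")
    return tags

def correlate(events, min_techniques=3):
    """Merge tags per process tree; alert on roots whose tree shows the staged pattern."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    def root(pid):
        while parent.get(pid) in parent:  # climb until the parent process was not observed
            pid = parent[pid]
        return pid
    trees = defaultdict(set)
    for ev in events:
        trees[root(ev["pid"])] |= tag_event(ev)
    return {r: sorted(t) for r, t in trees.items() if len(t) >= min_techniques}
```

The unrelated WINWORD tree produces no tags, so only the activator-rooted tree (pid 100) is reported.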
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Collection | E1056 | Input Capture |
| Collection | F0002 | Keylogging |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | F0007 | Self Deletion |
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | B0011 | Remote Commands |
| Execution | B0025 | Conditional Execution |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/vidar-malware-targets-browser-credentials-cookies/