EXECUTIVE SUMMARY:
A significant new version of the Vidar Stealer, referred to as Vidar Stealer 2.0, has surfaced, representing a major evolution in the infostealer landscape. Following the decline of other prominent stealer families, this upgraded variant has been completely rewritten in the C programming language, improving both its performance and operational reliability. Its release indicates a resurgence in credential-theft activity and marks a new phase in the development of this malware family.
Vidar Stealer 2.0 introduces a redesigned architecture with improved multithreading that enables simultaneous data-theft operations; it harvests credentials, browser data, cryptocurrency wallets, and communication-platform information while dynamically adapting to the available hardware resources. The malware uses advanced techniques to bypass browser protections, including direct memory injection into browser processes to extract encrypted credentials. It also ships with an automated build generator that produces a unique sample per deployment, together with control-flow obfuscation to hinder analysis. Vidar Stealer 2.0 implements extensive anti-analysis checks and performs multithreaded collection before automatically exfiltrating the harvested data to command-and-control servers via HTTP multipart requests or alternative channels.
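Two of the behaviours described above are visible in ordinary endpoint and proxy telemetry: a non-browser process opening a browser process with memory-write rights, and a large multipart HTTP POST sent by a process that is not a browser. The following detection sketch is an added example written for this summary; it is not code from the report or from the malware. It assumes Sysmon Event ID 10 (ProcessAccess) style records with `SourceImage`, `TargetImage` and `GrantedAccess` fields, a proxy record shape (`process`, `method`, `content_type`, `bytes_out`, `host`) that is assumed rather than taken from any product, and an allowlist of legitimate accessors that must be tuned per environment. All sample records are constructed and contain no real indicators.

```python
"""Added detection example (not from the report): flags memory access into
browser processes and multipart HTTP uploads by non-browser processes, using
constructed Sysmon-style and proxy-style records."""
from dataclasses import dataclass

# Windows process access rights that allow writing into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Assumed allowlist of processes that legitimately open browsers; tune per estate.
ALLOWED_ACCESSORS = {"csrss.exe", "lsass.exe", "MsMpEng.exe", "svchost.exe"}


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    """Return the file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def flag_browser_access(events):
    """Sysmon Event ID 10 style records. GrantedAccess is the hex string
    Sysmon logs (e.g. '0x1FFFFF'); a hit needs a browser target, a source that
    is not allowlisted, and at least one write/thread right in the mask."""
    findings = []
    for ev in events:
        src = basename(ev["SourceImage"])
        tgt = basename(ev["TargetImage"])
        granted = int(ev["GrantedAccess"], 16)
        if tgt.lower() in BROWSERS and src not in ALLOWED_ACCESSORS and granted & INJECTION_MASK:
            findings.append(Finding("browser_memory_access", src,
                                    f"{src} opened {tgt} with access 0x{granted:X}"))
    return findings


def flag_multipart_exfil(http_records, min_bytes=50_000):
    """Assumed proxy/EDR record shape. Flags multipart/form-data POSTs of at
    least min_bytes sent by a process that is not a browser."""
    findings = []
    for rec in http_records:
        proc = basename(rec["process"])
        if (rec["method"] == "POST"
                and rec["content_type"].startswith("multipart/form-data")
                and proc.lower() not in BROWSERS
                and rec["bytes_out"] >= min_bytes):
            findings.append(Finding("multipart_upload_nonbrowser", proc,
                                    f"{proc} POSTed {rec['bytes_out']} bytes to {rec['host']}"))
    return findings


# Constructed sample telemetry; paths, hosts and sizes are invented.
SAMPLE_ACCESS_EVENTS = [
    {"SourceImage": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},          # PROCESS_ALL_ACCESS -> hit
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},          # allowlisted source -> no hit
    {"SourceImage": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1000"},            # not a browser, query-only -> no hit
]
SAMPLE_HTTP = [
    {"process": r"C:\Users\u\AppData\Local\Temp\build.exe", "method": "POST",
     "content_type": "multipart/form-data; boundary=----x", "bytes_out": 812_345,
     "host": "c2.example.invalid"},         # large multipart from non-browser -> hit
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "method": "POST",
     "content_type": "multipart/form-data; boundary=----y", "bytes_out": 2_000_000,
     "host": "files.example.com"},          # browser upload -> no hit
    {"process": r"C:\Users\u\AppData\Local\Temp\build.exe", "method": "GET",
     "content_type": "", "bytes_out": 120, "host": "c2.example.invalid"},  # no hit
]


def run_all():
    """Run both rules over the constructed samples and return the findings."""
    return flag_browser_access(SAMPLE_ACCESS_EVENTS) + flag_multipart_exfil(SAMPLE_HTTP)


if __name__ == "__main__":
    for f in run_all():
        print(f.rule, f.process, f.detail)
```

The access-rights check deliberately looks at the rights the source was granted rather than at the full `PROCESS_ALL_ACCESS` value, so a caller that requests only `PROCESS_VM_WRITE` and `PROCESS_VM_OPERATION` is still caught, while query-only handles are ignored. Both rules depend on the allowlist and size threshold, which are the knobs an analyst should expect to tune.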
The emergence of Vidar 2.0 underscores a renewed focus among threat actors on efficient and stealthy information-stealing operations. Its enhanced performance, advanced evasion mechanisms, and adaptability position it as a preferred tool for threat actors seeking scalable credential-harvesting capabilities. Organizations should expect increased activity involving this variant and implement robust endpoint protection, credential management practices, and network monitoring measures to detect and mitigate its impact.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Defense Evasion | T1027.014 | Obfuscated Files or Information | Polymorphic Code |
| Defense Evasion | T1622 | Debugger Evasion | - |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Defense Evasion | T1055.002 | Process Injection | Portable Executable Injection |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1555.001 | Credentials from Password Stores | Keychain |
| Credential Access | T1528 | Steal Application Access Token | - |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1005 | Data from Local System | - |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102.001 | Web Service | Dead Drop Resolver |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Exfiltration | T1020.001 | Automated Exfiltration | Traffic Duplication |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Collection | F0002 | Keylogging |
| Collection | E1113 | Screen Capture |
| Collection | E1056 | Input Capture |
| Credential Access | B0028 | Cryptocurrency |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | E1055 | Process Injection |
| Discovery | B0013 | Analysis Tool Discovery |
REFERENCES:
The following reports contain further technical details: