home.social

#vidar — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #vidar, aggregated by home.social.

  1. The Evolution of ClickFix: From Cleartext to Server Side Polymorphism

    The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.

    Pulse ID: 6a0d971608b49dfc89267777
    Pulse Link: otx.alienvault.com/pulse/6a0d9
    Pulse Author: AlienVault
    Created: 2026-05-20 11:12:22

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CAPTCHA #CyberSecurity #Encryption #ICS #InfoSec #InfoStealer #OTX #OpenThreatExchange #PowerShell #RAT #Vidar #bot #AlienVault

  2. Exposing Fox Tempest: A malware-signing service operation

    Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.

    Pulse ID: 6a0ca3690196d40952527b96
    Pulse Link: otx.alienvault.com/pulse/6a0ca
    Pulse Author: AlienVault
    Created: 2026-05-19 17:52:41

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #Education #Government #Healthcare #InfoSec #LummaStealer #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #Rhysida #Vidar #bot #AlienVault

  3. Exposing Fox Tempest: A malware-signing service operation

    Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.

    Pulse ID: 6a0ca3690196d40952527b96
    Pulse Link: otx.alienvault.com/pulse/6a0ca
    Pulse Author: AlienVault
    Created: 2026-05-19 17:52:41

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Azure #Cloud #CyberSecurity #Education #Government #Healthcare #InfoSec #LummaStealer #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #Rhysida #Vidar #bot #AlienVault

  4. Vidar v1.5 in Go: same family, new language, heavy sandbox checks

    Pulse ID: 6a0bf42ce58cd13d0e923a48
    Pulse Link: otx.alienvault.com/pulse/6a0bf
    Pulse Author: Tr1sa111
    Created: 2026-05-19 05:25:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #Tr1sa111

  5. Vidar v1.5 in Go: same family, new language, heavy sandbox checks

    Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush.

    Pulse ID: 6a0b62751c0e2c5b056102a8
    Pulse Link: otx.alienvault.com/pulse/6a0b6
    Pulse Author: AlienVault
    Created: 2026-05-18 19:03:16

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CyberSecurity #InfoSec #InfoStealer #NET #OTX #OpenThreatExchange #Steam #Telegram #Vidar #bot #AlienVault

  6. Vidar Infostealer Exploits Browser Cookies to Steal User Credentials

    Pulse ID: 6a09a06adc722e44b1afa4cc
    Pulse Link: otx.alienvault.com/pulse/6a09a
    Pulse Author: cryptocti
    Created: 2026-05-17 11:03:06

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #Cookies #CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #Vidar #bot #cryptocti

  7. New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials

    Pulse ID: 6a0952a57e16da067219eda8
    Pulse Link: otx.alienvault.com/pulse/6a095
    Pulse Author: cryptocti
    Created: 2026-05-17 05:31:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Vidar #bot #cryptocti

  8. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    Pulse ID: 6a02ae6f8736a6b944d7d662
    Pulse Link: otx.alienvault.com/pulse/6a02a
    Pulse Author: Tr1sa111
    Created: 2026-05-12 04:37:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #Tr1sa111

  9. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    A sophisticated multi-stage infection chain was identified through proactive threat hunting, beginning with the execution of MicrosoftToolkit.exe, a commonly abused hack tool. The attack employed file masquerading techniques, renaming a .dot file to .bat format to evade detection. The malware performed process discovery and attempted to terminate security-related processes before extracting payloads using extract32.exe. An AutoIt-compiled executable (Replies.scr) functioned as a loader, processing an external encrypted payload file and establishing command-and-control communication with infrastructure associated with Vidar Stealer. The malware demonstrated advanced anti-analysis capabilities, including debugger detection and instrumentation callback queries. It targeted credentials, browser data, cryptocurrency wallets, and system information. Post-execution cleanup routines deleted artifacts and terminated processes to minimize forensic evidence and evade detection, significantly complicating incident res...

    Pulse ID: 6a01c2382e61b490cfa457e4
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:12

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #Browser #CyberSecurity #InfoSec #Malware #Microsoft #Nim #OTX #OpenThreatExchange #RAT #Vidar #bot #cryptocurrency #AlienVault

  10. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    Pulse ID: 6a01c03c55b2d8cb451efc11
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:40:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #CyberHunter_NL

  11. 'ClickFix' attack tricks users into hacking themselves, ACSC warns:

    "Verify that you are human" prompt used to deliver Vidar Stealer malware.

    The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

    🤷 itnews.com.au/news/clickfix-at

    #clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

  12. 'ClickFix' attack tricks users into hacking themselves, ACSC warns:

    "Verify that you are human" prompt used to deliver Vidar Stealer malware.

    The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

    🤷 itnews.com.au/news/clickfix-at

    #clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

  13. 'ClickFix' attack tricks users into hacking themselves, ACSC warns:

    "Verify that you are human" prompt used to deliver Vidar Stealer malware.

    The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

    🤷 itnews.com.au/news/clickfix-at

    #clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

  14. 'ClickFix' attack tricks users into hacking themselves, ACSC warns:

    "Verify that you are human" prompt used to deliver Vidar Stealer malware.

    The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

    🤷 itnews.com.au/news/clickfix-at

    #clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

  15. 'ClickFix' attack tricks users into hacking themselves, ACSC warns:

    "Verify that you are human" prompt used to deliver Vidar Stealer malware.

    The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.

    🤷 itnews.com.au/news/clickfix-at

    #clickfix #acsc #malware #vidar #stealing #VidarStealer #australia #socialengineering

  16. 📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.

    Read: hackread.com/vidar-infostealer

    #Vidar #Infostealer #Malware #Crypto #ClickFix

  17. 📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.

    Read: hackread.com/vidar-infostealer

  18. 📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.

    Read: hackread.com/vidar-infostealer

    #Vidar #Infostealer #Malware #Crypto #ClickFix

  19. 📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.

    Read: hackread.com/vidar-infostealer

    #Vidar #Infostealer #Malware #Crypto #ClickFix

  20. 📢⚠️ New version of Vidar infostealer spreads via fake CAPTCHA, hides in JPEG and TXT files, uses fileless attacks, and steals browser and crypto wallet data.

    Read: hackread.com/vidar-infostealer

    #Vidar #Infostealer #Malware #Crypto #ClickFix

  21. Vidar Malware Conceals Payloads in JPEG, TXT Files to Evade Detection

    Vidar has evolved from a basic Arkei-based credential stealer into a multi-stage, stealth-focused infostealer that now hides second‑stage payloads within JPEG and TXT files to evade modern defenses.

    🔓 gbhackers.com/vidar-malware-co

    #malewalker #jpeg #txt #file #vidar #it #secondstagemalware #defense #itsec

  22. Vidar Malware Conceals Payloads in JPEG, TXT Files to Evade Detection

    Vidar has evolved from a basic Arkei-based credential stealer into a multi-stage, stealth-focused infostealer that now hides second‑stage payloads within JPEG and TXT files to evade modern defenses.

    🔓 gbhackers.com/vidar-malware-co

    #malewalker #jpeg #txt #file #vidar #it #secondstagemalware #defense #itsec

  23. Vidar Malware Conceals Payloads in JPEG, TXT Files to Evade Detection

    Vidar has evolved from a basic Arkei-based credential stealer into a multi-stage, stealth-focused infostealer that now hides second‑stage payloads within JPEG and TXT files to evade modern defenses.

    🔓 gbhackers.com/vidar-malware-co

    #malewalker #jpeg #txt #file #vidar #it #secondstagemalware #defense #itsec

  24. Vidar Malware Conceals Payloads in JPEG, TXT Files to Evade Detection

    Vidar has evolved from a basic Arkei-based credential stealer into a multi-stage, stealth-focused infostealer that now hides second‑stage payloads within JPEG and TXT files to evade modern defenses.

    🔓 gbhackers.com/vidar-malware-co

    #malewalker #jpeg #txt #file #vidar #it #secondstagemalware #defense #itsec

  25. Vidar Malware Conceals Payloads in JPEG, TXT Files to Evade Detection

    Vidar has evolved from a basic Arkei-based credential stealer into a multi-stage, stealth-focused infostealer that now hides second‑stage payloads within JPEG and TXT files to evade modern defenses.

    🔓 gbhackers.com/vidar-malware-co

    #malewalker #jpeg #txt #file #vidar #it #secondstagemalware #defense #itsec

  26. It has been a super busy week, and I totally forgot to post photo of the #Vidar after it was finished.
    Unfortunately the box for it was crushed a while ago so just a plain background for this one. This is another, like the Leo, I started a long time ago so some gate marks are more visible than others.

    Currently, I’m working on a HG Wing Zero which should be the next one I post. #gunpla @Gundam #ironbloodedorphans

  27. The upgraded version of #Vidar infostealer is being spread via Reddit and GitHub, hidden in fake game cheats for popular titles like Fortnite and Counter-Strike, targeting young gamers.

    Read: hackread.com/vidar-2-0-infoste

    #CyberSecurity #Gaming #Infostealer #Fortnite #CounterStrike

  28. #OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.

    blog.sekoia.io/oysterloader-un

    #Reverse

  29. #OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.

    blog.sekoia.io/oysterloader-un

    #Reverse

  30. #OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.

    blog.sekoia.io/oysterloader-un

    #Reverse

  31. #OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.

    blog.sekoia.io/oysterloader-un

    #Reverse

  32. When you finally reverse the loader for that malware sample #VirusTotal flagged as "APT XYZ". and it turns out to be just a #Vidar #Stealer dropper.
    4 Stages including Steganography for nothing 😕

  33. Miała być Chemia, a wyszedł wirus. Kolejna infekcja na Steam

    Chemia, gra survivalowo-craftingowa stworzona przez studio Aether Forge Studios do niedawna dostępna jako early access na Steamie, została zainfekowana infostealerem. Według firmy zajmującej się analizą zagrożeń Prodaft, początkowy incydent miał miejsce 22 lipca, kiedy to grupa hackerska EncryptHub dodała do plików gry złośliwe oprogramowanie HijackLoader (plik CVKRUTNP.exe), które zapewnia przetrwanie infekcji...

    #WBiegu #Chemia #Malware #Steam #Valve #Vidar

    sekurak.pl/miala-byc-chemia-a-

  34. Now this looks really cool! Here is an app that encrypts SMS messages with AES256.

    github.com/DrSolidDevil/Vidar

    #vidar

  35. «Dabei versprechen die Täter, gecrackte Software anzubieten[...].»
    — Alles Anfänger, der darauf hereinfällt :mastolol: Kennt ihr noch astalavista.box.sk :mastocheeky: (Gibt es die Seite eigentlich noch?🤔)

    IT-Sicherheitsforscher entdecken #Tiktok-Kampagne zur #Malware-Installation | Security heise.de/news/Social-Engineeri #SocialMedia #SocialEngineering #Infostealer #StealC #Vidar

  36. In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.

    We identified thousands of sites compromised with ClearFake distributing these malware.

  37. In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.

    We identified thousands of sites compromised with ClearFake distributing these malware.

  38. In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.

    We identified thousands of sites compromised with ClearFake distributing these malware.

  39. In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.

    We identified thousands of sites compromised with ClearFake distributing these malware.

  40. In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.

    We identified thousands of sites compromised with ClearFake distributing these malware.