Vidar Infostealer in Action

From API Hooking to Covert Data Exfiltration


Aryaka Threat Research Labs has analyzed a new variant of Vidar, a long-running infostealer sold under the Malware-as-a-Service (MaaS) model. Since 2018, Vidar has evolved with encrypted C2 channels, LOLBin abuse, and covert exfiltration to stay effective against modern defenses.

Targeting Windows systems, it steals a wide range of assets—including browser credentials, cryptocurrency wallets, 2FA data, messaging tokens, and personal documents—before exfiltrating them to attacker infrastructure for resale or further exploitation.

Key insights include:

  • Enhanced stealth through encrypted command-and-control (C2) channels
  • Abuse of Living-off-the-Land Binaries (LOLBins) for persistence and evasion
  • Targeting of Windows environments with extensive data theft capabilities
  • Harvesting of credentials, cookies, credit cards, wallets, 2FA data, tokens, documents, and screenshots
  • Packaging and exfiltration of the stolen data for resale or further exploitation on underground markets