Vidar Infostealer Back With a Vengeance

Summary

Researchers at Aryaka have uncovered a fresh Vidar campaign showing that the long‑running Vidar infostealer has evolved with stronger stealth and persistence. First seen in 2018, Vidar remains an infostealer-as-a-service used to harvest credentials, cookies, tokens and financial data. The latest strain adds encrypted C2, Living‑off‑the‑Land binaries (LOLBins), advanced PowerShell staging, AMSI bypass attempts, scheduled‑task persistence and covert exfiltration methods.

Key Points

Vidar is a mature infostealer platform (first tracked 2018) — affiliates use it to capture credentials, cookies, OS details and tokens.
Distribution relies on social engineering: phishing, malicious/compromised websites and malvertising campaigns.
New evasion techniques include TLS‑encrypted C2, custom PowerShell Download‑Reliable() function and exponential backoff with jitter to hide network activity.
Malware abuses LOLBins, attempts to add Windows Defender exceptions and tries to bypass AMSI to reduce detection.
Persistence is implemented via scheduled tasks with hidden windows and execution policy bypasses; it hooks CryptProtectMemory to access browser‑protected passwords before encryption.
Data exfiltration is covert and C2 traffic is encrypted, complicating detection for standard network monitoring.
Recommended defences: layered security — strict PowerShell policies, process monitoring, network anomaly detection, DNS filtering, EDR, secure email/web gateways and timely threat intelligence.

Context and relevance

Vidar’s resurgence matters because it demonstrates how infostealers keep evolving rather than disappearing. The combination of social‑engineering distribution and richer evasion/persistence techniques raises the risk to organisations that rely on legacy detection rules or lack robust process and network telemetry. For security teams, this is another sign that defenders must harden endpoint controls and tighten PowerShell governance, while improving telemetry to spot subtle C2 patterns.

Why should I read this?

Short version: if you look after Windows endpoints, creds or incident response, this one matters. Vidar’s new tricks make it stealthier and tougher to spot — check your PowerShell policies, scheduled‑task monitoring and EDR rules. We skimmed the nerdy bits so you don’t have to; read this to get the practical takeaways fast.