Vidar Infostealer Being Spread through Phishing Emails

Vidar Infostealer Being Spread through Phishing Emails

1. Overview

First identified in 2018, Vidar operates under a Malware-as-a-Service (MaaS) model and continues to be distributed through various attack cases to this day. AhnLab SEcurity intelligence Center (ASEC) has been monitoring cases of Vidar distribution targeting Korea, and this report summarizes the Vidar distribution cases identified in the first half of 2026. 

 

2. Phishing Email

All phishing email attacks distributing Vidar identified in the first half of 2026 are believed to be the work of the same threat actor. Based on the fact that the payload was packed to appear as if it were written in Go, the keywords used in the distribution, and the use of the same C&C server address across multiple instances, it appears that a specific threat actor is continuously distributing Vidar by creating new variants at intervals of a few days.

 

The threat actor primarily uses the keywords “job application” and “copyright infringement,” and—with the exception of dates included in file names—has been distributing the malware using the same file names for several weeks. 

 

  • Job_Application_I_Will_Work_Diligently_June_4,_26.Exe
  • 260511 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc).Exe
  • Positive_and_Responsible_Applicant_April 21, Year 26 Resume.Exe
  • Resume_260219_I_Will_Be_a_Candidate_Who_Approaches_All_Tasks_With_Diligence_and_Consistency.Exe
  • January 13, 26 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc.) ..Exe

 

The following are the phishing emails used in the attack; just like the Attachment file names, the body text is also disguised as a resume.

 

Figure 1. Body of the malware distribution email used for Vidar

 

3. Vidar Analysis

3.1. Packer

Vidar has an icon that is disguised as a Word document file and is distributed in the form of a packer written in the Go programming language. When executed, the packer decrypts the actual Vidar contained within it and executes it in memory.

 

Figure 2. Go-based packer

 

3.2. Initial Communication

Vidar is continuously updated and is written in C++. Variants currently in circulation are characterized by obfuscated code and data designed to hinder analysis. Additionally, it employs anti-debugging techniques such as NtGlobalFlag checks, anti-VM techniques that monitor CPU, RAM, and disk usage, and anti-sandbox features that check for usernames or computer names.

 

Vidar uses the Dead Drop Resolver (DDR) technique when communicating with the C&C server. The threat actor posts the C&C server address on their Telegram and Steam profile pages; Vidar then accesses those profile pages to retrieve the actual C&C server address. In an attack case observed in June 2026, Vidar specified C&C server addresses on both Telegram and Steam profile pages as follows: it first accesses the Telegram profile, and if the C&C server address cannot be confirmed there, it retrieves it from the Steam profile page. Note that “ar3k0” is a marker used by Vidar; it recognizes the address between this keyword and the delimiter as the C&C server address.

 

Figure 3. Telegram and Steam profile pages used in the DDR technique

 

The marker string “ar3k0,” the Telegram and Steam profile page addresses, the version information “1.9,” And the “build_id” value “7dd16d1018865e5e817c418f87e6be00” are hard-coded into the binary, while “hwid” is generated by combining the volume serial number and hardware information.

 

3.3. Authentication and Command Download

It then communicates with the C&C server, transmitting “hwid,” “format,” and “build_id” during the initial communication.

 

Figure 4. Data Transmitted During Initial Communication

 

The decryption of the received data reveals configuration information in JSON format, as shown below.

 

Figure 5. Downloaded configuration information

 

Item Function
Cookies Information Theft of web browser cookie information
History Web browser history information theft
Cryptocurrency Cryptocurrency Information Theft
Steal_Discord Discord Information Theft
Request “Id_request”
Telegram Telegram Information Theft
Screenshot Screenshot Theft
Steam Steam Information Theft
Delete Not used
Loader Download and execute additional payloads or commands
Grabber_size_max Maximum file size for exfiltration
Azure Information Theft for Azure
Shell_code Not used
Debug N/A
Thread_count N/A
Zip_threshold N/A
Token Token value to be used in subsequent communications

Table 1. Configuration Information

 

3.4. Downloading Additional Configuration Information

Vidar subsequently sends multiple requests to the C&C server and receives additional configuration data for each request based on the “mode” parameter. It downloads information such as the target web browser, wallet file paths, and file paths to be stolen through numbers 1, 2, 3, 4, and 21, and can download additional payloads or commands through number 5. In addition, a specific “mode” number is assigned to each task and is sent upon completion.

 

Figure 6. Mode 4 request packet

 

Mode Method Function
1 Download List of Web Browsers Targeted for Information Theft
2 Download List of Chromium-based Web Browser Plugins Targeted for Information Theft
3 Download List of cryptocurrency wallet file paths
4 Download List of File Paths Targeted for Theft (Grabber)
5 Download Additional Payloads or Commands
21 Download Information Targets for Information Theft: List of Firefox-based Web Browser Plugins
101 Upload Web browser information collection complete
301 Upload Cryptocurrency wallet information collection complete
401 Upload Grabber collection complete
501 Upload Loader task completed
6 Upload Finished
Lg Upload Debug Log

Table 2. Modes used for downloading additional settings

 

Depending on the mode, decrypting the received data reveals a list of target file paths or a list of Chromium-based web browser plugins targeted for Information Theft, and the malware collects information based on this. In addition, “lg” is presumed to refer to logs; upon decryption, logs recorded during malware code execution can be identified as shown below.

 

Figure 7. Additional information on Information Theft conditions downloaded

 

Figure 8. Debug logs transmitted when the mode is “lg”

 

3.5. Information Exfiltration

Vidar performs Information Theft based on the configuration flags received during the initial connection and the conditions received through additional requests. Here, we summarize the information to be exfiltrated: first, there is “information.Txt,” which contains information about the infected system; “passwords.Txt,” which contains credentials for FileZilla and WinSCP FTP clients; and “screenshot.Jpg,” a screenshot file.

 

Figure 9. Transmission of the “information.Txt” file

 

Figure 10. System information contained in the “information.Txt” test file

 

Figure 11. Examples of files being transmitted

 

Transmitted Files Information to be Stolen File Path
Information.Txt System Information  
Screenshot.Jpg Screenshot  
Passwords.Txt Credential information for FileZilla and WinSCP FTP clients  
<Browser>_<Profile>_passwords.Db Chromium-based saved logins “%LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data”, etc.
<Browser>_<Profile>_cookies.Db Cookies Chromium-based browsers: “%LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies”, etc.
Firefox-based browsers: “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\cookies.Sqlite”
<Browser>_<Profile>_history.Db Browsing History Chromium-based browsers: “%LOCALAPPDATA\Google\Chrome\User Data\Default\History”, etc.
Firefox-based browsers: “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\places.Sqlite”
<Browser>_<Profile>_webdata.Db Chromium-based AutoFill/Payment/Web Data “%LOCALAPPDATA\Google\Chrome\User Data\Default\Web Data,” etc.
<Browser>_key.Txt Chromium-based decryption keys “Encrypted_key” in “%LOCALAPPDATA\Google\Chrome\User Data\Local State”, etc.
<Browser>_<Profile>_logins.Json Firefox-based login information “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\logins.Json”
<Browser>_<Profile>_key4.Db Firefox-based Key DB “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\key4.Db”
<Browser>_<Profile>_formhistory.Db Firefox Family Form History “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\formhistory.Sqlite”
<Browser>_<Profile>_cert9.Db Firefox Certificate Database “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\cert9.Db”
Wallets\<plugin_name>\<Browser>\<Profile>\… Information on cryptocurrency-related web browser plugins “%LOCALAPPDATA\Google\Chrome\User Data\Default\Local Extension Settings\<EXTENSION_ID>\*”, “%LOCALAPPDATA\Google\Chrome\User Data\Default\Sync Extension Settings\<EXTENSION_ID>\*”, etc.
Soft\Discord\tokens.Txt Discord token information “%APPDATA%\Discord\Local State”, “%APPDATA%\Discord\Local Storage\leveldb\*.Ldb/*.Log”, “%APPDATA%\Discordcanary\…” Etc.
Soft\Telegram\… Telegram information “%APPDATA%\Telegram Desktop\tdata\key_datas”, “%APPDATA%\Telegram Desktop\tdata\settingss”, “Browser Local Storage\leveldb\*.Ldb”, etc.
Soft\Steam\… Steam Information Ssfn* files in the installation path, “Steam config\config.Vdf”, “config\loginusers.Vdf”, etc.
Soft\Azure\… Azure information “%USERPROFILE%\.Azure\accessTokens.Json”, “%USERPROFILE%\.Azure\azureProfile.Json”, etc.
Files\… Files that match the Grabber criteria  

Table 3. List of Targets for Information Theft

 

4. Conclusion

Vidar is being distributed through phishing emails that use keywords such as “job recruitment” and “copyright infringement.” Since it is disguised as a document file, users may download and execute the Attachment thinking it is a legitimate document; when this happens, sensitive information—such as credentials and user files stored on the system—is stolen. 

 

Users should exercise extreme caution not only with email attachments but also with executable files from unknown sources. Also, V3 should be updated to the latest version so that malware infection can be prevented.

 

MD5

0b8af4afd26175ba818c0fdb4622bf14
1bbf1e83eea55e70d59f0d633789011e
2fba9ec34fdf4b1584dd9c69b9ec9393
4e885b1a0c1d0636e940b4af20fdc8db
536dd0b0f6dff75dc01869df9809df61
URL

http[:]//107[.]189[.]24[.]190/
https[:]//steamcommunity[.]com/profiles/76561198694626397
https[:]//steamcommunity[.]com/profiles/76561198698223785
https[:]//steamcommunity[.]com/profiles/76561198703616215
https[:]//steamcommunity[.]com/profiles/76561198706525776
FQDN

ctl[.]it-bd[.]com
frr[.]ambil-disini[.]web[.]id
gor[.]emiraride[.]com
gre[.]syslicense[.]net
lat[.]sodstreams[.]com
IP

107[.]189[.]24[.]190

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.