Vidar Infostealer Being Spread through Phishing Emails
1. Overview
First identified in 2018, Vidar operates under a Malware-as-a-Service (MaaS) model and continues to be distributed through various attack cases to this day. AhnLab SEcurity intelligence Center (ASEC) has been monitoring cases of Vidar distribution targeting Korea, and this report summarizes the Vidar distribution cases identified in the first half of 2026.
2. Phishing Email
All phishing email attacks distributing Vidar identified in the first half of 2026 are believed to be the work of the same threat actor. Based on the fact that the payload was packed to appear as if it were written in Go, the keywords used in the distribution, and the use of the same C&C server address across multiple instances, it appears that a specific threat actor is continuously distributing Vidar by creating new variants at intervals of a few days.
The threat actor primarily uses the keywords “job application” and “copyright infringement,” and—with the exception of dates included in file names—has been distributing the malware using the same file names for several weeks.
- Job_Application_I_Will_Work_Diligently_June_4,_26.Exe
- 260511 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc).Exe
- Positive_and_Responsible_Applicant_April 21, Year 26 Resume.Exe
- Resume_260219_I_Will_Be_a_Candidate_Who_Approaches_All_Tasks_With_Diligence_and_Consistency.Exe
- January 13, 26 Summary of Copyright Provisions and Infringement Details (Images, Icons, UI, etc.) ..Exe
The following are the phishing emails used in the attack; just like the Attachment file names, the body text is also disguised as a resume.

Figure 1. Body of the malware distribution email used for Vidar
3. Vidar Analysis
3.1. Packer
Vidar has an icon that is disguised as a Word document file and is distributed in the form of a packer written in the Go programming language. When executed, the packer decrypts the actual Vidar contained within it and executes it in memory.

Figure 2. Go-based packer
3.2. Initial Communication
Vidar is continuously updated and is written in C++. Variants currently in circulation are characterized by obfuscated code and data designed to hinder analysis. Additionally, it employs anti-debugging techniques such as NtGlobalFlag checks, anti-VM techniques that monitor CPU, RAM, and disk usage, and anti-sandbox features that check for usernames or computer names.
Vidar uses the Dead Drop Resolver (DDR) technique when communicating with the C&C server. The threat actor posts the C&C server address on their Telegram and Steam profile pages; Vidar then accesses those profile pages to retrieve the actual C&C server address. In an attack case observed in June 2026, Vidar specified C&C server addresses on both Telegram and Steam profile pages as follows: it first accesses the Telegram profile, and if the C&C server address cannot be confirmed there, it retrieves it from the Steam profile page. Note that “ar3k0” is a marker used by Vidar; it recognizes the address between this keyword and the delimiter as the C&C server address.

Figure 3. Telegram and Steam profile pages used in the DDR technique
The marker string “ar3k0,” the Telegram and Steam profile page addresses, the version information “1.9,” And the “build_id” value “7dd16d1018865e5e817c418f87e6be00” are hard-coded into the binary, while “hwid” is generated by combining the volume serial number and hardware information.
3.3. Authentication and Command Download
It then communicates with the C&C server, transmitting “hwid,” “format,” and “build_id” during the initial communication.

Figure 4. Data Transmitted During Initial Communication
The decryption of the received data reveals configuration information in JSON format, as shown below.

Figure 5. Downloaded configuration information
| Item | Function |
|---|---|
| Cookies | Information Theft of web browser cookie information |
| History | Web browser history information theft |
| Cryptocurrency | Cryptocurrency Information Theft |
| Steal_Discord | Discord Information Theft |
| Request | “Id_request” |
| Telegram | Telegram Information Theft |
| Screenshot | Screenshot Theft |
| Steam | Steam Information Theft |
| Delete | Not used |
| Loader | Download and execute additional payloads or commands |
| Grabber_size_max | Maximum file size for exfiltration |
| Azure | Information Theft for Azure |
| Shell_code | Not used |
| Debug | N/A |
| Thread_count | N/A |
| Zip_threshold | N/A |
| Token | Token value to be used in subsequent communications |
Table 1. Configuration Information
3.4. Downloading Additional Configuration Information
Vidar subsequently sends multiple requests to the C&C server and receives additional configuration data for each request based on the “mode” parameter. It downloads information such as the target web browser, wallet file paths, and file paths to be stolen through numbers 1, 2, 3, 4, and 21, and can download additional payloads or commands through number 5. In addition, a specific “mode” number is assigned to each task and is sent upon completion.

Figure 6. Mode 4 request packet
| Mode | Method | Function |
|---|---|---|
| 1 | Download | List of Web Browsers Targeted for Information Theft |
| 2 | Download | List of Chromium-based Web Browser Plugins Targeted for Information Theft |
| 3 | Download | List of cryptocurrency wallet file paths |
| 4 | Download | List of File Paths Targeted for Theft (Grabber) |
| 5 | Download | Additional Payloads or Commands |
| 21 | Download | Information Targets for Information Theft: List of Firefox-based Web Browser Plugins |
| 101 | Upload | Web browser information collection complete |
| 301 | Upload | Cryptocurrency wallet information collection complete |
| 401 | Upload | Grabber collection complete |
| 501 | Upload | Loader task completed |
| 6 | Upload | Finished |
| Lg | Upload | Debug Log |
Table 2. Modes used for downloading additional settings
Depending on the mode, decrypting the received data reveals a list of target file paths or a list of Chromium-based web browser plugins targeted for Information Theft, and the malware collects information based on this. In addition, “lg” is presumed to refer to logs; upon decryption, logs recorded during malware code execution can be identified as shown below.

Figure 7. Additional information on Information Theft conditions downloaded

Figure 8. Debug logs transmitted when the mode is “lg”
3.5. Information Exfiltration
Vidar performs Information Theft based on the configuration flags received during the initial connection and the conditions received through additional requests. Here, we summarize the information to be exfiltrated: first, there is “information.Txt,” which contains information about the infected system; “passwords.Txt,” which contains credentials for FileZilla and WinSCP FTP clients; and “screenshot.Jpg,” a screenshot file.

Figure 9. Transmission of the “information.Txt” file

Figure 10. System information contained in the “information.Txt” test file

Figure 11. Examples of files being transmitted
| Transmitted Files | Information to be Stolen | File Path |
|---|---|---|
| Information.Txt | System Information | |
| Screenshot.Jpg | Screenshot | |
| Passwords.Txt | Credential information for FileZilla and WinSCP FTP clients | |
| <Browser>_<Profile>_passwords.Db | Chromium-based saved logins | “%LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data”, etc. |
| <Browser>_<Profile>_cookies.Db | Cookies | Chromium-based browsers: “%LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies”, etc. Firefox-based browsers: “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\cookies.Sqlite” |
| <Browser>_<Profile>_history.Db | Browsing History | Chromium-based browsers: “%LOCALAPPDATA\Google\Chrome\User Data\Default\History”, etc. Firefox-based browsers: “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\places.Sqlite” |
| <Browser>_<Profile>_webdata.Db | Chromium-based AutoFill/Payment/Web Data | “%LOCALAPPDATA\Google\Chrome\User Data\Default\Web Data,” etc. |
| <Browser>_key.Txt | Chromium-based decryption keys | “Encrypted_key” in “%LOCALAPPDATA\Google\Chrome\User Data\Local State”, etc. |
| <Browser>_<Profile>_logins.Json | Firefox-based login information | “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\logins.Json” |
| <Browser>_<Profile>_key4.Db | Firefox-based Key DB | “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\key4.Db” |
| <Browser>_<Profile>_formhistory.Db | Firefox Family Form History | “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\formhistory.Sqlite” |
| <Browser>_<Profile>_cert9.Db | Firefox Certificate Database | “%APPDATA%\Mozilla\Firefox\Profiles\<PROFILENAME>\cert9.Db” |
| Wallets\<plugin_name>\<Browser>\<Profile>\… | Information on cryptocurrency-related web browser plugins | “%LOCALAPPDATA\Google\Chrome\User Data\Default\Local Extension Settings\<EXTENSION_ID>\*”, “%LOCALAPPDATA\Google\Chrome\User Data\Default\Sync Extension Settings\<EXTENSION_ID>\*”, etc. |
| Soft\Discord\tokens.Txt | Discord token information | “%APPDATA%\Discord\Local State”, “%APPDATA%\Discord\Local Storage\leveldb\*.Ldb/*.Log”, “%APPDATA%\Discordcanary\…” Etc. |
| Soft\Telegram\… | Telegram information | “%APPDATA%\Telegram Desktop\tdata\key_datas”, “%APPDATA%\Telegram Desktop\tdata\settingss”, “Browser Local Storage\leveldb\*.Ldb”, etc. |
| Soft\Steam\… | Steam Information | Ssfn* files in the installation path, “Steam config\config.Vdf”, “config\loginusers.Vdf”, etc. |
| Soft\Azure\… | Azure information | “%USERPROFILE%\.Azure\accessTokens.Json”, “%USERPROFILE%\.Azure\azureProfile.Json”, etc. |
| Files\… | Files that match the Grabber criteria |
Table 3. List of Targets for Information Theft
4. Conclusion
Vidar is being distributed through phishing emails that use keywords such as “job recruitment” and “copyright infringement.” Since it is disguised as a document file, users may download and execute the Attachment thinking it is a legitimate document; when this happens, sensitive information—such as credentials and user files stored on the system—is stolen.
Users should exercise extreme caution not only with email attachments but also with executable files from unknown sources. Also, V3 should be updated to the latest version so that malware infection can be prevented.