{
	"id": "d44194a6-f64d-4d30-a071-0131ef46cb42",
	"created_at": "2026-04-06T00:06:19.042993Z",
	"updated_at": "2026-04-10T13:13:05.459972Z",
	"deleted_at": null,
	"sha1_hash": "04ece99039a2b7655fe2054ed67ec1b222e8c105",
	"title": "Arkei Variants: From Vidar to Mars Stealer - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5981082,
	"plain_text": "Arkei Variants: From Vidar to Mars Stealer - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 15:56:07 UTC\r\nIntroduction\r\nSometime in 2018, a new information stealer named Vidar appeared.  Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware.  Since that time, Vidar has led to other Arkei-based variants.  Today's diary reviews Vidar and two additional variants, Oski Stealer and Mars Stealer, based on analysis of their infection traffic.\r\nShown above:  At least two new Arkei variants seen since Vidar in 2018.\r\nLegitimate files used by Vidar, Oski, \u0026 Mars Stealer\r\nDuring Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration.  These files are not malicious, but they are used by the Vidar malware binary.\r\nfreebl3.dll  (DLL for Thunderbird)\r\nmozglue.dll  (DLL for Thunderbird)\r\nmsvcp140.dll  (Microsoft C runtime library)\r\nnss3.dll  (DLL for Thunderbird)\r\nsoftokn3.dll  (DLL for Thunderbird)\r\nvcruntime140.dll  (Microsoft C runtime library)\r\nTo the above list, Oski Stealer and Mars Stealer add another legitimate DLL:\r\nsqlite3.dll  (used for SQLite operations)\r\nDuring Vidar infections, the initial malware binary requests each file from its C2 server.  The image below reveals separate HTTP GET requests for each of the legitimate DLL files caused by this Vidar sample from September 2019.\r\nhttps://isc.sans.edu/diary/rss/28468\r\nPage 1 of 11\r\nShown above:  Traffic from a Vidar infection in September 2019 filtered in Wireshark.\r\nLike Vidar, Oski Stealer retrieves each of the legitimate DLL files separately.  But Oski does not use the file names in its URLs for the DLLs.  Traffic generated by this Oski Stealer sample from January 2022 is shown below.\r\nShown above:  Traffic caused by an Oski Stealer infection in January 2022 filtered in Wireshark.\r\nMalware advertised in underground forums as Mars Stealer started to appear in 2021.  Current samples of Mars Stealer (like this one) retrieve legitimate DLL files as a single zip archive.  See the next three images for details.\r\nShown above:  Traffic caused by a Mars Stealer infection in March 2022 filtered in Wireshark.\r\nShown above:  TCP stream showing zip archive retrieved by the Mars Stealer binary.\r\nIf we retrieve the zip archive from Mars Stealer traffic, we can extract the individual files from that zip archive as shown below.\r\nShown above: Files from zip archive retrieved by Mars Stealer.\r\nData Exfiltration\r\nData exfiltration has evolved from Vidar to Oski Stealer to Mars Stealer.  All three types of malware send a zip archive containing data stolen from the infected Windows host.  But the patterns have changed.  Below are images that illustrate the HTTP POST requests that send stolen data to their C2 servers.  Arrows highlight the zip archives.\r\nShown above:  Data exfiltration from a Vidar infection in September 2019 (part 1 of 2).\r\nShown above:  Data exfiltration from a Vidar infection in September 2019 (part 2 of 2).\r\nShown above:  Data exfiltration from an Oski Stealer infection in January 2022.\r\nShown above:  Data exfiltration from a Mars Stealer infection in March 2022.\r\nThe content of zip archives posted by Vidar, Oski Stealer, and Mars Stealer has also evolved.  See the images below for details.\r\nShown above:  Contents of zip archive sent during a Vidar infection in September 2019.\r\nShown above:  Contents of zip archive sent during a Vidar infection in January 2022.\r\nShown above:  Contents of zip archive sent during a Vidar infection in March 2022.\r\nIndicators of Compromise (IOCs)\r\nBelow are the three malware samples used for today's diary:\r\nb4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180  (Vidar)\r\nc30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce  (Oski Stealer)\r\n7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625  (Mars Stealer)\r\nBelow are C2 domains used by the above samples:\r\n104.200.67[.]209 port 80 - dersed[.]com - Vidar C2 in September 2019\r\n2.56.57[.]108 port 80 - 2.56.57[.]108 - Oski Stealer C2 in January 2022\r\n5.63.155[.]126 port 80 - sughicent[.]com - Mars Stealer C2 in March 2022\r\nReferences\r\nLet's dig into Vidar - An Arkei Copycat/Forked Stealer (In-depth analysis)\r\nMeet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer\r\nLike Father Like Son? New Mars Stealer\r\nFinal Words\r\nIn recent weeks, Hancitor infections have been pushing Mars Stealer EXE files as follow-up malware.  However, Mars Stealer can be distributed through other methods.  Although it's not as widely distributed as other malware like Qakbot or Emotet, Mars Stealer is a noticeable part of our current threat landscape.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28468",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28468"
	],
	"report_names": [
		"28468"
	],
	"threat_actors": [],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04ece99039a2b7655fe2054ed67ec1b222e8c105.pdf",
		"text": "https://archive.orkl.eu/04ece99039a2b7655fe2054ed67ec1b222e8c105.txt",
		"img": "https://archive.orkl.eu/04ece99039a2b7655fe2054ed67ec1b222e8c105.jpg"
	}
}