{
	"id": "b8741c71-16e0-4d00-ab99-c55f533e517a",
	"created_at": "2026-04-06T00:08:53.407202Z",
	"updated_at": "2026-04-10T13:12:20.602017Z",
	"deleted_at": null,
	"sha1_hash": "057733e3ec4b58a5a3b969b04137013808dcb773",
	"title": "GandCrab Operators Use Vidar Infostealer as a Forerunner",
	"llm_title": "",
	"authors": "Ionut Ilascu",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2216394,
	"plain_text": "GandCrab Operators Use Vidar Infostealer as a Forerunner\r\nBy Ionut Ilascu\r\nPublished: 2019-01-07 · Archived: 2026-04-05 14:18:23 UTC\r\nCybercriminals behind GandCrab have added the Vidar infostealer to their ransomware distribution chain, which helps increase their profits by stealing sensitive information before the ransomware encrypts the files on the computer.\r\nFollowing the trail of a malvertising campaign targeting users of torrent trackers and video streaming websites, malware researchers found that the Fallout Exploit Kit was being used to spread a relatively new infostealer called Vidar, which doubled as a downloader for GandCrab.\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/\r\nPage 1 of 5\r\nUsing a rogue advertising domain, the threat actor triaged the visitors of the compromised websites by geolocation and redirected them to an exploit kit (EK).\r\nFallout was the most active, says Jérôme Segura of Malwarebytes, adding that it pushed Vidar - a commercial threat available for $700, specifically built for stealing passwords and form data from web browsers.\r\nIt can be configured to grab specific information, like payment card numbers or credentials stored in various applications. The variant examined by Malwarebytes included scraping capabilities for details from \"an impressive selection of digital wallets.\"\r\nOnce it starts running, Vidar searches for the data specified in its configuration and delivers it to the command and control (C2) server as a ZIP archive, notes Segura.\r\nIts interface makes it easy for the operator to keep track of the victims, deliver instructions to the malware and check the type of data collected from each infected host.\r\nDownloading GandCrab ransomware\r\nVidar can work as a malware dropper, and in the case observed by Malwarebytes the second payload was GandCrab ransomware.\r\n\"Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.\"\r\n5.04 is the latest revision of the ransomware, and at the moment there is no way to decrypt the files it touches without paying the ransom or otherwise obtaining the decryption key from the threat actor.\r\nUsers affected by earlier versions of the ransomware can recover their files with a free GandCrab decryption tool that works with v1, v4, and v5 up to v5.02 of the malware.\r\nRunning an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals do not use the stolen data themselves, they can sell it on underground forums.\r\nUsers whose files have been locked by GandCrab should therefore also change their passwords, at least for the critical services and applications they use, since Vidar will already have harvested any credentials stored in the browser before the encryption ran.\r\nSource: https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/"
	],
	"report_names": [
		"gandcrab-operators-use-vidar-infostealer-as-a-forerunner"
	],
	"threat_actors": [],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/057733e3ec4b58a5a3b969b04137013808dcb773.pdf",
		"text": "https://archive.orkl.eu/057733e3ec4b58a5a3b969b04137013808dcb773.txt",
		"img": "https://archive.orkl.eu/057733e3ec4b58a5a3b969b04137013808dcb773.jpg"
	}
}