{
	"id": "18d3a9a5-e3d0-4c39-81e7-0802869fa555",
	"created_at": "2026-04-06T00:21:23.036565Z",
	"updated_at": "2026-04-10T13:11:20.301287Z",
	"deleted_at": null,
	"sha1_hash": "404fe307c9d6caf599c8cd2d68f072c5923f7939",
	"title": "Microsoft help files repurposed to contain Vidar malware in new campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33736,
	"plain_text": "Microsoft help files repurposed to contain Vidar malware in new campaign\r\nBy Jon Gold\r\nPublished: 2022-03-24 · Archived: 2026-04-05 21:30:42 UTC\r\nA new email campaign designed to spread the Vidar infostealer uses a novel technique involving Microsoft Compiled HTML Help files, according to a blog post released today by Trustwave.\r\nThe help files, which use the .chm extension, are packaged together with the Vidar payload in an ISO image that is passed off as a Word document. If the attacker successfully hoodwinks the target into extracting the phony document, executing either file triggers the malicious package and compromises the system, Trustwave researcher Diana Lopera wrote in the post.\r\nThe CHM file used in the attack is mostly a copy of a legitimate CHM, but with HTML Application (HTA) code appended; when the CHM is opened, that extra code silently runs the malicious executable in the background.\r\nThe particular flavor of Vidar used in the attack, Lopera noted, is version 50.3. It obtains its command-and-control (C\u0026C) details from accounts on the open-source social networking platform Mastodon: once up and running, the malware downloads configuration information from the C\u0026C servers identified on the Mastodon page and starts its work, first collecting system information and password data from browsers and other applications, sending that information back to the C\u0026C server as a ZIP file, and then deleting itself, potentially after pulling additional malware onto the infected machine.\r\n“Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection,” wrote Lopera.\r\nWhat is Vidar?\r\nVidar was first observed in the wild in late 2018, according to a report from cloud security vendor Infoblox, which noted that it is a variant of the earlier Arkei infostealer. It is sold commercially on online forums and can steal a wide variety of user information and valuable data from infected computers, including credit card numbers, usernames and passwords, desktop screenshots, and cryptocurrency wallets. It can even bypass some types of two-factor authentication, in particular by targeting the Authy 2FA application.\r\nAs ever, strong email security practices can mitigate or eliminate the risks posed by Vidar: extreme caution should be used when opening email attachments from unfamiliar senders with generic subject lines, and verification over the phone or in person should be the first move if there is any doubt about such a message’s legitimacy.\r\nSource: https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html"
	],
	"report_names": [
		"microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/404fe307c9d6caf599c8cd2d68f072c5923f7939.pdf",
		"text": "https://archive.orkl.eu/404fe307c9d6caf599c8cd2d68f072c5923f7939.txt",
		"img": "https://archive.orkl.eu/404fe307c9d6caf599c8cd2d68f072c5923f7939.jpg"
	}
}
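The article describes a CHM that is "mostly a copy of a legitimate CHM" with extra code appended. The Python script below is an added example, not code from the article, CSO Online or Trustwave: it reads the total file size that every CHM records in header section 0 of its ITSF header and reports any bytes that sit past that declared size, which is a cheap triage check for content appended after compilation. It assumes the appended content lies beyond the declared size, which the article does not establish for this particular sample; the minimal CHM bytes and the appended markup are constructed for the demonstration and are not the campaign's files.

```python
"""
Heuristic check for data appended to a Microsoft Compiled HTML Help (.chm) file.

A CHM starts with an ITSF header whose header section 0 records the file's
own total size. Anything past that declared size is never referenced by the
CHM directory, so trailing bytes are a cheap indicator that something was
appended after compilation. Treat a hit as a lead, not a verdict: tooling can
leave benign trailing bytes, and a payload stored *inside* the directory as a
regular HTML object would not trip this check at all.
"""
import struct
import sys

ITSF_MAGIC = b"ITSF"
HEADER_SECTION_TABLE = 0x38   # (offset, length) QWORD pairs for header sections 0 and 1
SECTION0_MIN_LEN = 0x18       # DWORD 0x01FE, DWORD 0, QWORD file size, DWORD 0, DWORD 0


def declared_chm_size(data: bytes) -> int:
    """Return the total file size recorded in ITSF header section 0."""
    if len(data) < HEADER_SECTION_TABLE + 16 or data[:4] != ITSF_MAGIC:
        raise ValueError("not a CHM: missing ITSF magic")
    sec0_offset, sec0_length = struct.unpack_from("<QQ", data, HEADER_SECTION_TABLE)
    if sec0_length < SECTION0_MIN_LEN or sec0_offset + sec0_length > len(data):
        raise ValueError("header section 0 is truncated or out of range")
    (file_size,) = struct.unpack_from("<Q", data, sec0_offset + 8)
    return file_size


def trailing_data(data: bytes) -> bytes:
    """Bytes that sit past the size the CHM claims for itself (empty when none)."""
    declared = declared_chm_size(data)
    if declared > len(data):
        raise ValueError("declared size exceeds real size: file is truncated")
    return data[declared:]


def classify_trailer(trailer: bytes) -> str:
    """Coarse triage of appended content: PE image, HTML/script markup, or unknown."""
    if not trailer:
        return "none"
    head = trailer.lstrip()[:1024].lower()
    if head.startswith(b"mz"):
        return "pe"
    if any(tag in head for tag in (b"<html", b"<script", b"<hta:application", b"<object")):
        return "html/script"
    return "unknown"


def scan(data: bytes) -> dict:
    """Summarise one CHM: declared vs. real size and what, if anything, follows."""
    trailer = trailing_data(data)
    return {
        "declared_size": declared_chm_size(data),
        "actual_size": len(data),
        "trailing_bytes": len(trailer),
        "trailer_type": classify_trailer(trailer),
    }


def build_minimal_chm(body: bytes) -> bytes:
    """Constructed stand-in for a compiled help file: a valid ITSF header and
    header section 0 wrapped around `body`. It is only enough CHM for this
    check and will not open in hh.exe."""
    header = bytearray(ITSF_MAGIC)
    header += struct.pack("<III", 3, 0x60, 1)        # version 3, header length, unknown
    header += struct.pack("<II", 0, 0x0409)          # timestamp, language id (en-US)
    header += b"\x10\xfd\x01\x7c\xaa\x7b\xd0\x11\x9e\x0c\x00\xa0\xc9\x22\xe6\xec"  # GUID 1
    header += b"\x11\xfd\x01\x7c\xaa\x7b\xd0\x11\x9e\x0c\x00\xa0\xc9\x22\xe6\xec"  # GUID 2
    sec0_offset = 0x60
    sec1_offset = sec0_offset + SECTION0_MIN_LEN
    header += struct.pack("<QQQQ", sec0_offset, SECTION0_MIN_LEN, sec1_offset, 0)
    header += struct.pack("<Q", sec1_offset)         # content section offset (version 3 only)
    assert len(header) == sec0_offset
    total = len(header) + SECTION0_MIN_LEN + len(body)
    section0 = struct.pack("<IIQII", 0x01FE, 0, total, 0, 0)
    return bytes(header) + section0 + body


# Constructed samples: a "legitimate" file and the same file with markup appended.
# The appended markup is a placeholder, not the campaign's code.
LEGIT_CHM = build_minimal_chm(b"\x00" * 64)
TAMPERED_CHM = LEGIT_CHM + b"<html><body><script>/* appended */</script></body></html>"

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("legit    :", scan(LEGIT_CHM))
        print("tampered :", scan(TAMPERED_CHM))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
```

Run it with one or more .chm paths to triage real files, or with no arguments to see the constructed samples. A payload that the attacker compiled in as an ordinary directory entry will show zero trailing bytes here, so pair this check with a listing of the CHM's contents (for example `7z l file.chm`) and look for HTML objects that reference an executable or an ActiveX shortcut.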