{
	"id": "19ead2c4-6e14-4ca8-8eae-23e9a26d8f58",
	"created_at": "2026-04-06T00:13:20.935947Z",
	"updated_at": "2026-04-10T03:21:56.265234Z",
	"deleted_at": null,
	"sha1_hash": "46d7462428faaa803caf48aaddc5f94fe207f511",
	"title": "Darth Vidar: The Aesir Strike Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1124665,
	"plain_text": "Darth Vidar: The Aesir Strike Back\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 17:25:27 UTC\r\nAt the beginning of this year, we released a detailed publication on Vidar infrastructure, encompassing both the\r\nprimary administrative aspects and the underlying backend. In that publication, we highlighted three key insights:\r\n1. Russian VPN gateways had the potential to confer anonymity to Vidar operators and customers, thereby\r\nrendering it more arduous for analysts to attain a comprehensive understanding of the threat. These\r\ngateways were observed to be transitioning towards Tor.\r\n2. There were indications of Vidar operators expanding their infrastructure, necessitating continued vigilance\r\nfrom analysts. We anticipated an influx of new customers and consequently a surge in campaigns in\r\nforthcoming weeks.\r\n3. The analysis revealed that Vidar operators had segregated their infrastructure into two distinct components:\r\none dedicated to regular customers and the other specifically catering to the management team, as well as\r\npotentially serving premium or high-priority users.\r\nAs a refresher, Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security\r\nresearcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer);\r\nhowever, differences in both the sample’s code and C2 communications were observed. The name itself (Vidar) is\r\nderived from a string found in the malware’s code, alluding to the Norse god Víðarr. 
Vidar is considered to be a\r\ndistinct fork of the Arkei malware family.\r\nhttps://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back\r\nPage 1 of 7\n\nAs of the end of January 2023 (and as described in our previous blog), Vidar’s administration and backend\r\ninfrastructure was configured as follows:\r\nFigure 1: Vidar Infrastructure as of January 2023\r\nOver the past four months, several changes have occurred within this infrastructure configuration. Therefore, the\r\nintention of this blog post is to provide a comprehensive update on how Vidar is administered / operated today.\r\nKey Findings\r\nVidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and\r\nRussia.\r\nEvidence suggests that since our last blog post, the threat actors have taken steps to anonymize their\r\nactivities using public VPN services.\r\nBy tracking the hosting of the main Vidar site (presently my-odin[.]com), we are able to monitor other\r\naspects of the threat actors’ infrastructure, potentially illuminating both affiliates and victims.\r\nVidar’s Spring Makeover(s)\r\nSince August 2022, Vidar threat actors have utilized the domain my-odin[.]com as the primary location for\r\nmanaging various elements of their operation, including affiliate authentication, file sharing, and panel\r\nadministration. Previously, it was possible to download any files hosted on the URL path /private, such as the bash\r\nscript responsible for installing the necessary components for a new Vidar campaign, making it possible to\r\nmonitor malware updates. 
However, more recently, changes were made whereby if an unauthenticated attempt to\r\ndownload a file occurs, the user is redirected to the Vidar affiliate login page.\r\nIn the period since our previous blog post was published, there were two updates to the IP address used to host\r\nmy-odin[.]com. In parallel with these changes, updates were also made to the background infrastructure\r\nsupporting the Vidar operation, which we will detail below.\r\nTechnically speaking, the IP address for my-odin[.]com was updated three times; however, in the case of the\r\nupdate from 186.2.166.15 (ProManaged LLC) to 5.252.179.201 (MivoCloud SRL) very little else changed, with\r\nthe infrastructure remaining largely as described in our previous blog post (Figure 1).\r\nMarch 2023\r\nAt the end of March 2023, the IP address was updated from 5.252.179.201 to 5.252.176.49, with the threat actors\r\ncontinuing their use of MivoCloud SRL-assigned infrastructure. With this transition, other alterations were also\r\nmade behind the scenes.\r\nThe primary IP address (the ‘Managing IP’ in Figure 1) used to manage 5.252.176.49 was accessed via ‘new’\r\npeers, utilizing the Remote Desktop Protocol (RDP). 
As far as we can tell, this server was previously accessed\r\ndirectly.\r\nFrom mid-March 2023 onwards, the RDP management activity was sourced from ProtonVPN relays which\r\nappeared to be used more broadly by other users, mainly for benign activities.\r\nBy using VPN infrastructure, which at least in part was also utilized by numerous other benign users, it is\r\napparent that the Vidar threat actors may be taking steps to anonymize their management activities by\r\nhiding in general Internet noise.\r\nIn addition to the changes in how the management IP is accessed, we also observed ‘new’ outbound connections\r\nfrom the IP (5.252.176.49) hosting my-odin[.]com.\r\nThese included communications with infrastructure associated with ‘blonk[.]co’; Blonk is a recruitment platform which utilizes\r\nAI to match candidates with opportunities, in the way that dating applications match potential partners. The\r\nprecise reason for these communications being observed from Vidar management infrastructure is uncertain;\r\nhowever, it is plausible that the threat actors may use this platform in their operations, for identifying targets /\r\nvictims, or perhaps even for recruitment.\r\nFinally, we continued to observe outbound connections to 185.173.93.98:443, a host located in Russia assigned to\r\nAdman LLC. In addition to the TCP/443 traffic, it was also observed in GRE tunnelling activity with 5.252.176.49.\r\nThis IP (185.173.93.98) operates as a conduit between Vidar’s my-odin[.]com and proxy_pass infrastructure (we\r\ndetailed proxy_pass in our previous blog post).\r\nFigure 2 below summarizes the Vidar infrastructure as of the end of April 2023, as detailed above.\r\nFigure 2: Vidar Infrastructure as of April 2023\r\nMay 2023\r\nDuring May 2023, we observed the initiation of the process to update the hosting IP for my-odin[.]com once\r\nmore. 
Again (this finding was also documented in our previous blog post), the Vidar threat actors reused the same\r\nSSL certificate when transferring infrastructure, revealing the new IP address: 185.229.64.137 (S.C. INFOTECH-GRUP S.R.L.).\r\nFigure 3: SSL Certificate for my-odin[.]com\r\nBased on our network telemetry data, we can see that communications with 185.229.64.137 commenced on 03\r\nMay 2023; this aligns with other open source passive DNS information for the domain resolution.\r\nFigure 4: Summarized Communications Involving 185.229.64.137\r\nThe behaviour of the new IP address hosting my-odin[.]com remains broadly consistent with the previous one\r\n(5.252.176.49); however, we also observe inbound connections from Tor relays, potentially evidence of Vidar\r\naffiliates accessing their accounts / malware repositories.\r\nThe change in infrastructure detailed above is summarized in Figure 5 below.\r\nFigure 5: Vidar Infrastructure as of June 2023\r\nConclusion\r\nThis short update provides further insight into the ‘behind-the-scenes’ operation of Vidar, demonstrating the\r\nevolution of its management infrastructure as well as evidence of steps taken by the threat actors to potentially\r\ncover their tracks. 
By continuing to track this infrastructure we are able to identify future changes, as well as\r\nuncover evidence which may support victim and/or affiliate identification.\r\nElements of the infrastructure were redacted from this blog post as investigations are currently ongoing; lower\r\nconfidence aspects will be shared in the future once confirmation of findings has taken place.\r\nAs ever, we will continue to update the community on any new or emergent findings related to Vidar and other\r\nconnected threats.\r\nRecommendations\r\nUsers of Pure Signal™ Recon and Scout are able to track Vidar management infrastructure by querying\r\nfor my-odin[.]com or the associated hosting IP addresses referenced in this blog post.\r\nSource: https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back"
	],
	"report_names": [
		"darth-vidar-the-aesir-strike-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46d7462428faaa803caf48aaddc5f94fe207f511.pdf",
		"text": "https://archive.orkl.eu/46d7462428faaa803caf48aaddc5f94fe207f511.txt",
		"img": "https://archive.orkl.eu/46d7462428faaa803caf48aaddc5f94fe207f511.jpg"
	}
}