{
	"id": "b6236b0a-a2f3-4881-958a-b8bcd2f97846",
	"created_at": "2026-04-06T00:12:25.62802Z",
	"updated_at": "2026-04-10T03:21:13.109652Z",
	"deleted_at": null,
	"sha1_hash": "47e61e0c31cc7f3e131f36c16a6c99ce4d2f7481",
	"title": "Darth Vidar: The Dark Side of Evolving Threat Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1764308,
	"plain_text": "Darth Vidar: The Dark Side of Evolving Threat Infrastructure\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 13:14:35 UTC\r\nSummary\r\nThree key takeaways from our analysis of Vidar infrastructure:\r\n1. Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor.\r\n2. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and, as a result, an increase in campaigns in the upcoming weeks.\r\n3. The analysis indicates that Vidar operators have split their infrastructure into two parts: one dedicated to their regular customers and the other for the management team, and potentially also premium / important users.\r\nIntroduction\r\nVidar is an info-stealer malware which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer); however, differences in both the sample’s code and C2 communications were observed. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.\r\nVidar has a simple business model, with “customers” paying between $130 and $750 depending on the length of their subscription. 
Some personalization of the tool is possible, for example to tweak the targeted information types, although by default Vidar is designed to steal, amongst other things: browser histories, cookies, credentials, cryptocurrency wallets, and two-factor authentication software data.\r\nThe delivery methodology for Vidar has varied over time, utilizing email / phishing lures and ‘poisoned’ cracked software targeting vendors such as AnyDesk and Windows, the latter leveraging SEO impersonation and YouTube videos to dupe users into downloading the malware.\r\nFour years after Vidar was first discovered, it is now the ‘parent’ of further forks, including Lumma, Mars, and Oski.\r\nIn this post, we’ll look into the Vidar management infrastructure, starting with the ‘main’ website and pivoting from there. This website serves several purposes at once: it is the Vidar customer portal where payloads, settings, victim assets, etc. can be managed; the Vidar management portal likely used for interactions with their customers; and a staging post for the deployment of VPS servers.\r\nVidar Website Overview\r\nAs observed by Fumik0 back in 2018, the ‘main’ Vidar website was hosted at my-vidar[.]com, and remained at this location until 22 August 2022. On this date the site was moved to my-odin[.]com, initially reusing the same SSL certificate.\r\nFigure 1: SSL Certificate for my-vidar[.]com\r\nhttps://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure\r\nPage 1 of 10\n\nFigure 2: Domains Hosting the SSL Certificate\r\nThe following day the SSL certificate was updated; the threat actors likely realized they had created a trail to their new site.\r\nVisually the site remained the same following the switch in domains, with the home page displaying a long text on the origins of Vidar from a mythological perspective. 
This text identifies Vidar as the son of Odin (“He is the son of the chief of those gods, Odin”), providing an explanation for the use of the ‘my-odin[.]com’ domain.\r\nEnumerating URI paths on the my-odin[.]com domain led to the discovery of several paths which are accessible without logging in as a user.\r\nFigure 3: URI Paths on the my-odin[.]com Domain\r\n/auth/\r\nThis path contains the Vidar users’ (or customers’) web portal, where access to a dashboard is provided for the management of payloads related to their campaigns, victim assets, etc.\r\n/private/\r\nThis path contains at least two files:\r\n1. install.sh\r\nA bash script which is run on the user / customer VPS server to download all the web-server requirements for the set up of a new Vidar campaign.\r\nFigure 4: install.sh\r\n2. Vida.tar.bz2\r\nThis archive contains all of the aforementioned Vidar web-server requirements and also the Vidar payload. We’ll detail findings related to this archive later in this post.\r\n/sellers/auth/login\r\nThis path appears to be of particular significance to the operation, as the login form not only requires user credentials but also a Google Authenticator token. We assess with medium confidence that this portal is used by the operators for maintenance purposes.\r\nNetwork Telemetry\r\nBy examining network telemetry for the IP address used to host the my-odin[.]com domain (186.2.166.15), we were able to determine the peer IP responsible for its management. 
We have chosen to redact this IP due to the ongoing nature of this investigation.\r\nThis management IP is subsequently used for other activities which we have deemed of relevance to the Vidar operation.\r\nFigure 5: Overview of Network Telemetry\r\nTelegram\r\nWe assess that the connections to Telegram infrastructure are indicative of communications between the Vidar operators and their customers, as well as other elements of the underground economy.\r\nMega\r\nConnections were observed to Mega user storage infrastructure (*.userstorage.mega.co.nz). These repositories are hosted on shared infrastructure, so it was not possible to discern specific user identification associated with Vidar.\r\nBofbot\r\nBofbot appears to be a cryptocurrency / investment platform of questionable legitimacy. It is possible the Vidar operators utilize Bofbot for the processing of payments from their customers, or that it is even a service they are involved in running themselves; the IP hosting the Bofbot domain was previously used to host the original my-vidar[.]com domain.\r\nThe IP addresses hosting bofbot[.]com and my-odin[.]com are both assigned to ‘ProManaged LLC’, an entity which provides dedicated hosting, DDoS protection, etc. ProManaged LLC was previously associated with malicious hosting provision.\r\nAside from the activity surrounding the management IP, we have observed some interesting connections to the my-odin[.]com website via six VPN gateways, with activity commencing in November 2022. 
All six gateways are linked to ‘Hola[.]org’.\r\nFigure 6: Hola VPN Connections\r\nThe static nature of these connections may be indicative of a particular operator / customer accessing the site via Hola VPN, or potentially a more widely shared methodology aimed at providing anonymity to the Vidar users. However, as the true source of the connections cannot be determined, these remain hypotheses at this time.\r\nIn recent weeks we have also observed some of the VPN connections being replaced by traffic from the Tor network.\r\nWhat’s Inside the Archive?\r\nAs previously mentioned, the archive utilized by Vidar customers to initiate their campaigns is named ‘Vida.tar.bz2’. This archive contains all the server files needed to run the necessary configuration.\r\nproxy.conf\r\nAn interesting finding is the “proxy.conf” file, containing the settings corresponding to the campaign’s proxy setup, with a remote server IP provided as the proxy_pass value.\r\nFigure 7: proxy.conf\r\nAs can be observed in Figure 7, the current proxy_pass IP is 94.231.205.192, and this value appears to be updated frequently; at least for every new version release of Vidar.\r\nPrior to the latest Vidar release at the beginning of January 2023, the proxy_pass IP was 194.99.22.147; both recent proxy_pass IPs are assigned to ‘MVPS LTD’. It appears that the Vidar operators have a preference for this particular provider, as the previous my-vidar[.]com domain was also hosted on one of their IPs (185.243.215.136).\r\nBased on PDNS data, the most recent domain hosted on 185.243.215.136 is old.my-vidar[.]net, which remains resolvable and hosts the same files as my-odin[.]com, although the files point to the new site. 
It appears this domain (old.my-vidar[.]net) has been retained as part of the migration process.\r\nExamining network telemetry data for the current proxy_pass IP (94.231.205.192), we are able to define the behavior of the infrastructure sitting behind it.\r\nFigure 8: Proxy Pass Network Telemetry\r\nWe can see that the proxy_pass IP is used to route traffic to TCP/80 on 185.173.93.98 (ADMAN-AS, RU), an IP which also receives inbound connections from two further IPs assigned to ‘ProManaged LLC’.\r\nFrom 185.173.93.98 we also observe a point-to-point connection with 5.252.179.201 (MivoCloud SRL, RU), using the GRE protocol. In turn, we observe 5.252.179.201 in communication with several Vidar C2s on remote port TCP/80, as well as receiving inbound communications from the initial Vidar management IP (Figure 5), and a number of IPs identified as Tor nodes / relays.\r\nHistoric PDNS data for 5.252.179.201 shows it hosting new.my-vidar[.]net and new.my-odin[.]com until 24 December 2022. The observed SSL certificate hosted on 5.252.179.201 was also, for a short period of time, hosted on a second IP address.\r\nFigure 9: 5.252.179.201 SSL Certificate\r\nThe second IP (5.252.176.64) currently hosts the domain new.my-odin[.]com.\r\nWe assess that this server may be used in the future by the Vidar operators, but for now traffic remains minimal.\r\nproxy.conf Continued\r\nAside from the proxy_pass IP address, another interesting detail in this file provides intel for the retrieval of malware configuration information, as well as potential hunting opportunities.\r\nUsually when requesting a Vidar C2 a 403 error is returned, as for an unauthorized request for a resource. 
However, from the proxy.conf file (Figure 7) we can see that access will be granted when using an empty User-Agent, based on the line “if ($http_user_agent != \"\") { return 403; }”.\r\nFigure 10: Vidar Configuration Extraction Example\r\nIn the example above, we were able to extract the configuration for a recent Vidar C2 (65.109.190.87) by using this methodology.\r\nAs mentioned previously, Vidar allows for customer interaction with its configuration, so in the past few days when requesting this particular C2, we have obtained various different configurations:\r\n1,1,1,1,1,41c46b16f0a37f117ca48ec104248136,1,0,1,0,0,Default;%DOCUMENTS%\\;*.txt;50;true;movies:music:mp3:exe;\r\n1,1,1,1,1,c519931eb60ec791d08d29432098c4a8,1,1,1,1,0,Default;%DOCUMENTS%\\;*.txt;900;true;movies:music:mp3:exe;Recent;%RECENT%\r\n1,1,1,1,1,d0d81123a4d0eece79fc6f8c465db7c8,1,1,1,1,0,decuments;%DOCUMENTS%\\;*.txt:*.doc:*.docx:*.rtf:*.xls:*.xlsx;300;false;movies:mu\r\n1,1,1,1,0,9fe632d67af2e40151f7e9fafe7a08fb,1,1,1,0,0,Default;%DOCUMENTS%\\;*.txt;50;true;movies:music:mp3:exe;\r\nThese configurations provide an insight into the evolution of a campaign: in the first example the malware is directed to grab .txt files located in directories containing the string DOCUMENTS with a maximum file size of 50kb. 
In the second and third examples further profiles have been added to grab additional file types in several different directories.\r\nVidar Payload Updates\r\nSince the beginning of 2023, three Vidar version updates have been released, most recently on 13 January 2023 with the release of version 2.0 (following versions 1.9 and 1.8).\r\nVidar version 1.8 re-introduced the form-grabbing feature for the Opera Crypto browser, as well as the collection of Opera Crypto wallet data.\r\nFigure 11: Targeting of Opera Crypto\r\nThese updates were first observed in the wild in use by the DJVU ransomware operators (within botnet 19).\r\nIn the campaign observed by Team Cymru’s S2 Research team, two domains were utilized for the staging of DJVU ransomware (spaceris[.]com) and Vidar (uaery[.]top).\r\nFigure 12: DJVU Ransomware Campaign\r\nSince 16 January 2023, the Vidar crew has published a new payload upgrade, which brings the version to 2.1. 
Once again, this was first observed in use during a DJVU campaign, involving the same C2 domains as previously: spaceris[.]com and uaery[.]top.\r\nIn addition to DJVU, we have also observed the most recent versions of Vidar being deployed alongside other payloads, such as IcedID and Redline Stealer.\r\nConclusion\r\nSince August 2022, we have observed the Vidar operators updating and expanding their infrastructure, seemingly preparing for a future influx of customers.\r\nBased on recent updates, including the re-introduction of the form-grabbing functionality for the Opera Crypto browser, and improvements in security with proxies being rotated more frequently, it is apparent that the Vidar operators are listening to their current customers at the same time as seeking new ones.\r\nBy analyzing the network telemetry data surrounding the Vidar website, we are able to discern how both operators and customers access the Vidar management infrastructure, with some further indications of how other elements of the operation fall into play; for example the traffic to Mega and Telegram infrastructure.\r\nBy examining the proxy_pass infrastructure we were also able to ascertain how data may be transferred from C2 servers back to the central management infrastructure.\r\nOverall, we assess that the Vidar operation is becoming more competent and we would expect the rate of update releases and infrastructure adjustments to continue during 2023.\r\nWe will continue to monitor this threat, to assess any reactions to this publication and to share any subsequent updates or changes in TTPs with the community.\r\nFor day to day updates on Vidar and other threats, you can follow us on Twitter or Mastodon.\r\nIOCs\r\nVidar 1.9: 13e384c54054a094b8045928c8ec9d3697372e551e4887b4ea9e18e319f0f40b\r\nVidar 2.1: 89710436ac93f0216ddd9338d76d1dcbf3cfb3991d72ae1a1d310eeb3699c439\r\nVidar main website: 186.2.166.15 | my-odin[.]com\r\nBofbot platform: 186.2.166.10 
| bofbot[.]com\r\nProxy Pass IP (Jan2023): 94.231.205.192\r\nProxy Pass IP (Dec2023): 194.99.22.147\r\nRerouted proxy traffic: 185.173.93.98\r\nPotential future Vidar website: 5.252.176.64 | new.my-odin[.]com\r\nOld Vidar website: 185.243.215.136 | old.my-vidar[.]com\r\nVidar C2s\r\nDJVU payload host: 175.120.254.9 | spaceris[.]com\r\nDJVU Vidar 1.9 | 2.1 host: 187.232.159.164 | uaery[.]top\r\nRecommendations\r\nFor Recon customers, add 94.231.205.192 and 194.99.22.147 to a query, filtering on port TCP/80. In addition, monitoring recent Vidar C2s reported on ThreatFox and looking for traffic on port TCP/80 is also recommended.\r\nFor BARS customers, watch out for Vidar controller and victim information appearing in your feeds in the near future.\r\nSource: https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure"
	],
	"report_names": [
		"darth-vidar-the-dark-side-of-evolving-threat-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47e61e0c31cc7f3e131f36c16a6c99ce4d2f7481.pdf",
		"text": "https://archive.orkl.eu/47e61e0c31cc7f3e131f36c16a6c99ce4d2f7481.txt",
		"img": "https://archive.orkl.eu/47e61e0c31cc7f3e131f36c16a6c99ce4d2f7481.jpg"
	}
}