{
	"id": "b625e1b6-47c7-465c-aea0-7a4712b97c78",
	"created_at": "2026-04-06T00:14:32.914119Z",
	"updated_at": "2026-04-10T03:20:04.061461Z",
	"deleted_at": null,
	"sha1_hash": "659c677b8bb6b20786aef74da151713be03e708d",
	"title": "Vidar Info-Stealer Abusing Game Platform - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1516520,
	"plain_text": "Vidar Info-Stealer Abusing Game Platform - ASEC\r\nBy ATCP\r\nPublished: 2021-05-24 · Archived: 2026-04-05 16:51:00 UTC\r\nThe ASEC analysis team has recently found that the Vidar info-stealer malware is abusing a game-matching platform named Faceit to generate its C\u0026C server URL. Vidar is malware that has long been steadily distributed disguised as spam mail, PUPs, and the KMSAuto authentication tool.\r\nBefore it performs its info-stealing activities, it connects to the C\u0026C server to receive commands and download additional DLL files used to collect user information. In the past, the malware simply connected to the C\u0026C server and received commands and additional files like other malware. Recent Vidar samples, however, abuse an online gaming platform to obtain the C\u0026C server address itself.\r\nFaceit is a platform that provides game matching for online game users. It supports various online games such as PLAYERUNKNOWN’S BATTLEGROUNDS, DOTA 2, and Counter Strike: Global Offensive.\r\nhttps://asec.ahnlab.com/en/22932/\r\nPage 1 of 5\n\nList of games supported by Faceit\r\nTo abuse the platform, Vidar first constructs an API URL for faceit.com before communicating with the C\u0026C server. The routine shown below produces the following URL, where ‘sslamlssa’ is the attacker’s Faceit ID.\r\n– hxxps://api.faceit[.]com/core/v1/nicknames/sslamlssa\r\n\nRoutine for creating C\u0026C URL\r\nWhen Vidar sends an HTTP GET request to the URL shown above, faceit.com returns JSON-format data. The malware parses the ‘about’ field of that data, which holds the actual URL of the C\u0026C server.\r\n– hxxp://188.34.193[.]205\r\nData received from faceit.com\r\n\nAPI result for the malicious user\r\nWhen logged in to faceit.com, the malware’s C\u0026C server address can be seen in the ABOUT section of the profile page of the user ‘sslamlssa’.\r\nMalicious user’s profile\r\nIf the attacker edits the About section and enters another address, the Vidar info-stealer will connect to the new C\u0026C server and continue its malicious activities. As long as the attacker’s Faceit account is not blocked, the attacker can repeatedly change the C\u0026C address so that the same malware connects to different C\u0026C servers. The attacker is likely using this method to evade network-based detection of the C\u0026C URL.\r\nVidar then connects to the actual C\u0026C server obtained this way, receives the DLL files needed for its commands and info-stealing, and finally sends the stolen information to the C\u0026C server. The data sent, shown below, indicates that Vidar’s version is v38.6.\r\n\nVidar’s network behavior\r\nWhen a suspicious-looking email arrives, users should not open its attachment; they should always use genuine software and refrain from using suspicious websites and P2P services. Also, keep V3 updated to the latest version so that malware infection can be prevented.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:\r\n[File Detection]\r\n– Trojan/Win.Generic.C4452995 (2021.05.06.01)\r\n[Behavior Detection]\r\n– Malware/MDP.Behavior.M1965\r\n– Malware/MDP.Inject.M3034\r\n– Malware/MDP.Behavior.M3108\r\n[IOC]\r\nFile\r\n5a9c15ad92f14ce0b36726ccd4eb4ef7\r\nC\u0026C\r\n– hxxps://api.faceit[.]com/core/v1/nicknames/sslamlssa\r\n– hxxp://188.34.193[.]205\r\nSource: https://asec.ahnlab.com/en/22932/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/22932/"
	],
	"report_names": [
		"22932"
	],
	"threat_actors": [],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/659c677b8bb6b20786aef74da151713be03e708d.pdf",
		"text": "https://archive.orkl.eu/659c677b8bb6b20786aef74da151713be03e708d.txt",
		"img": "https://archive.orkl.eu/659c677b8bb6b20786aef74da151713be03e708d.jpg"
	}
}