{
	"id": "3c101f04-22ec-4287-b925-578cea952a73",
	"created_at": "2026-04-06T01:32:32.217705Z",
	"updated_at": "2026-04-10T03:21:02.441547Z",
	"deleted_at": null,
	"sha1_hash": "6a6fe2abb687cd391300886045eca1ca3e87c42c",
	"title": "CyOps Lighthouse: Vidar Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1400819,
	"plain_text": "CyOps Lighthouse: Vidar Stealer\r\nBy George Tubin\r\nPublished: 2023-01-12 · Archived: 2026-04-06 01:26:09 UTC\r\nThe Darknet is home to many underground hacking forums. In these forums, cybercriminals talk freely, sharing stories, tactics, successes, and failures. Their conduct lets us peek into the politics and ethics of these groups and actors as they discuss recent activities.\r\nCyOps Lighthouse aims to shed light on those dark places. Apart from the underground forums, we will also provide information regarding ongoing ransomware groups’ publications and worthy mentions from the last month.\r\nVidar Stealer – the attacker’s perspective\r\nExecutive summary:\r\nVidar stealer is malware offered for sale under the MaaS (Malware as a Service) model.\r\nIt has been active since 2018 and is a variant of the “Arkei stealer”.\r\nVidar is currently one of the top stealers available for sale and is responsible for a large share of the compromised credentials offered on underground forums and marketplaces.\r\nAnalysis:\r\nVidar stealer operates as MaaS, but unlike other stealers, where buyers need to set up their own C2 and operate from it, all Vidar admin operations are done via a dedicated website that can be reached either through a dedicated Onion address or a regular “Clearnet” website. When entering the main URL we are greeted with the following:\r\nhttps://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/\r\nPage 1 of 9\r\nAn ode to Vidar, son of Odin and the god of vengeance.\r\nOnce we append “Login” to the URL, we can see Vidar’s operator login page:\r\nUpon successful login, we are greeted with the main Vidar panel:\r\nThe default login shows us the “Dashboard”, a summary of all the operations taken by the operator: the number of infected machines, geolocation, Builder version (updated automatically), the current funds available in the crypto wallet, and all the stealer’s options and capabilities on the left.\r\nThe “Logs” section is divided into several subcategories:\r\n“All logs” is like the dashboard; it shows all logs in a given timeframe, with emphasis on the log contents.\r\n“Files” shows all files that were exfiltrated by the stealer.\r\n“Passwords” is self-explanatory, and “Logs for download” shows all logs that are ready for download.\r\nAs Vidar aims to be a “one-stop shop”, it also provides operators with a “Services” panel, where they can filter and sign in directly to any SMTP, banking, cPanel, or WordPress sites that were found in the logs.\r\nMoving past “Workers” (active bots) and “Statistics”, the settings panel is one of the most important assets of an operator.\r\nUnder the main page, an operator can decide which assets to target on the infected host, and can set rules for the “Grabber” (the file exfiltration module) or the “Loader” (a rule for follow-up activity on infected hosts).\r\nSettings:\r\nGrabber (specify file types, maximum size, and folders from which to exfiltrate data):\r\nLoader:\r\nThe “Builder” tab, which creates an executable from the panel, can be adjusted to set up multiple running campaigns with different targets in mind. It also includes all the “Builder updates” – the constant updates pushed by the Vidar team:\r\nThe builder tab is also where operators activate their subscription for the required timeframe:\r\nConclusion:\r\nVidar is among the top info stealers on the MaaS market.\r\nIt offers multiple “follow-up” activities, as seen above, all from the same operator panel. This makes its pricing a bit higher than other info stealers, but as the operation has been running for a long time, Vidar has already earned a reputation as reliable malware.\r\nAs we noticed in May 2022, Vidar is also one of the main sources of info stealer logs on underground markets like “Russian Marketplace”:\r\nVidar, like other info stealers, is not “just” a stealer: it is responsible for a large share of the compromised credentials offered on the darknet, and it can also be used as a loader for ransomware to follow up after a successful infection.\r\nWe strongly believe that unless the Vidar team makes an OPSEC mistake, they will remain a top threat to reckon with in 2023.\r\nSource: https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/"
	],
	"report_names": [
		"cyops-lighthouse-vidar-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775439152,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a6fe2abb687cd391300886045eca1ca3e87c42c.pdf",
		"text": "https://archive.orkl.eu/6a6fe2abb687cd391300886045eca1ca3e87c42c.txt",
		"img": "https://archive.orkl.eu/6a6fe2abb687cd391300886045eca1ca3e87c42c.jpg"
	}
}