{
	"id": "1d8059f0-4c30-465e-af2f-e78f472682a4",
	"created_at": "2026-04-06T00:11:10.337857Z",
	"updated_at": "2026-04-10T03:31:49.920072Z",
	"deleted_at": null,
	"sha1_hash": "830f94c5c82d2f1e19b6bf8820d6cc7154bcab5b",
	"title": "Tracking Vidar Infrastructure with Censys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1216289,
	"plain_text": "Tracking Vidar Infrastructure with Censys\r\nBy Brenda Mendoza\r\nPublished: 2023-11-22 · Archived: 2026-04-05 21:52:56 UTC\r\nIntroduction\r\nStealers are trojans that collect credentials, notable files, and session tokens from an infected computer and upload the data to attacker-controlled infrastructure. Today, we will discuss one of the more advanced stealers: Vidar. Vidar is a fork of the Arkei stealer, but it uses new methods to locate its Command and Control (C2) server and direct traffic to the attacker.\r\nVidar Operational Details\r\nVidar uses common network communication methods. Once in place, it fetches the URL of the C2 server from a public Telegram account page or, if that fails, from a backup Steam account (a dead-drop resolver, so the C2 address can be rotated without rebuilding the sample). The following two screenshots show examples of this C2 distribution method.\r\nhttps://censys.com/tracking-vidar-infrastructure/\r\nPage 1 of 6\r\nExample of a Telegram account pointing to the Vidar C2 server\r\nExample of Steam account pointing to the Vidar C2 server\r\nOnce the C2 server connection has been established, Vidar starts exfiltrating data from the host to the attacker-owned server.\r\nHere, we see seven different HTTP GET requests made to the C2, which download the legitimate DLLs Vidar needs to read browser credential stores (the SQLite and Mozilla NSS libraries plus the Visual C++ runtime):\r\n/sqlite3.dll\r\n/freebl3.dll\r\n/mozglue.dll\r\n/msvcp140.dll\r\n/nss3.dll\r\n/softokn3.dll\r\n/vcruntime140.dll\r\nVidar then takes a screenshot of the user’s desktop, collects information from the user’s system (browser cookies, saved passwords, etc.), and sends it all over the C2’s HTTPS connection in a multipart form-data POST request.
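The request pattern above is enough to build a network-side check. The following Python script is an added example and not code from the Censys article: it scores each destination seen in a constructed proxy log on three signals, GETs for the seven DLLs listed above, a multipart form-data POST whose User-Agent is not a browser string, and a TLS leaf certificate whose subject DN equals the hardcoded value the article identifies in the next section. The log format, the sample records, the RFC 5737 IP addresses, the ExampleAgent/1.0 User-Agent and the non-browser-UA heuristic are all assumptions for illustration; the page does not give Vidar's actual User-Agent string.

```python
# Added example (not from the Censys article): score outbound HTTP/TLS telemetry for
# the Vidar C2 pattern described above. Every log record below is constructed for
# illustration; IP addresses come from the RFC 5737 documentation ranges.
from collections import defaultdict

# The seven legitimate DLLs the article shows Vidar fetching from its C2 with HTTP GET.
VIDAR_DLLS = frozenset([
    '/sqlite3.dll', '/freebl3.dll', '/mozglue.dll', '/msvcp140.dll',
    '/nss3.dll', '/softokn3.dll', '/vcruntime140.dll',
])
# Hardcoded leaf-certificate subject DN the article pivots on in Censys.
VIDAR_SUBJECT_DN = 'C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP'
# Assumption, not from the article: a multipart POST whose User-Agent carries none of
# these browser tokens is treated as a stealer-style upload.
BROWSER_UA_MARKERS = ('Mozilla/', 'Chrome/', 'Safari/', 'Firefox/', 'Edg/')

# Constructed proxy log. Fields: ts|src|dst|method|uri|content_type|user_agent|tls_subject_dn
# content_type is the request Content-Type for POSTs and the response Content-Type otherwise.
SAMPLE_LOG = '''
2023-11-20T10:01:01Z|10.0.0.15|203.0.113.10|GET|/sqlite3.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:02Z|10.0.0.15|203.0.113.10|GET|/freebl3.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:03Z|10.0.0.15|203.0.113.10|GET|/mozglue.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:04Z|10.0.0.15|203.0.113.10|GET|/msvcp140.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:05Z|10.0.0.15|203.0.113.10|GET|/nss3.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:06Z|10.0.0.15|203.0.113.10|GET|/softokn3.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:07Z|10.0.0.15|203.0.113.10|GET|/vcruntime140.dll|application/octet-stream|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:01:09Z|10.0.0.15|203.0.113.10|POST|/|multipart/form-data; boundary=1BEF0A57BE110FD467A|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
2023-11-20T10:02:00Z|10.0.0.22|198.51.100.5|GET|/msvcp140.dll|application/octet-stream|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0|C=US, O=Example CDN, CN=cdn.example
2023-11-20T10:03:00Z|10.0.0.22|198.51.100.5|POST|/upload|multipart/form-data; boundary=7MA4YWxkTrZu0gW|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0|C=US, O=Example CDN, CN=cdn.example
2023-11-20T10:04:00Z|10.0.0.31|203.0.113.77|GET|/|text/html|ExampleAgent/1.0|C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP
'''.strip().splitlines()

FIELDS = ('ts', 'src', 'dst', 'method', 'uri', 'content_type', 'ua', 'subject_dn')

def parse_line(line):
    # Split a pipe-delimited record into a dict; reject malformed lines loudly.
    fields = line.split('|')
    if len(fields) != len(FIELDS):
        raise ValueError('expected %d fields, got %d: %s' % (len(FIELDS), len(fields), line))
    return dict(zip(FIELDS, fields))

def is_browser_ua(ua):
    return any(marker in ua for marker in BROWSER_UA_MARKERS)

def score_hosts(records, dll_threshold=3):
    # Aggregate the three signals per destination, then turn them into a verdict.
    per_dst = defaultdict(lambda: {'dlls': set(), 'multipart_post': False,
                                   'nonbrowser_post_ua': False, 'cert_match': False})
    for r in records:
        h = per_dst[r['dst']]
        uri = r['uri'].lower()
        if r['method'] == 'GET' and uri in VIDAR_DLLS:
            h['dlls'].add(uri)
        if r['method'] == 'POST' and r['content_type'].lower().startswith('multipart/form-data'):
            h['multipart_post'] = True
            if not is_browser_ua(r['ua']):
                h['nonbrowser_post_ua'] = True
        if r['subject_dn'] == VIDAR_SUBJECT_DN:
            h['cert_match'] = True
    results = {}
    for dst, h in per_dst.items():
        signals = []
        if len(h['dlls']) >= dll_threshold:
            signals.append('dll_fetch:%d/7' % len(h['dlls']))
        if h['multipart_post'] and h['nonbrowser_post_ua']:
            signals.append('multipart_post_nonbrowser_ua')
        if h['cert_match']:
            signals.append('vidar_subject_dn')
        if len(signals) >= 2:
            verdict = 'likely_vidar_c2'
        elif signals:
            verdict = 'suspicious'
        else:
            verdict = 'benign'
        results[dst] = {'signals': signals, 'verdict': verdict}
    return results

def triage(log_lines):
    # Parse non-empty lines and score every destination they mention.
    return score_hosts([parse_line(line) for line in log_lines if line.strip()])

if __name__ == '__main__':
    for dst, r in sorted(triage(SAMPLE_LOG).items()):
        print(dst, r['verdict'], ', '.join(r['signals']))
```

Run as-is it prints one verdict per destination. A certificate-DN match on its own is only 'suspicious', because any operator can reuse that DN and a single legitimate DLL download from a CDN is common; the DLL fetch sequence combined with the non-browser multipart upload is what makes a host a likely Vidar C2 in this scoring.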
Note that these servers will only allow POST requests from specific user agents, such as the example below.\r\nBecause this C2 uses TLS, we can view the hardcoded subject and issuer distinguished names (DNs) on the host’s certificate:\r\nThis is particularly noteworthy, as it provides a method for identifying these C2 servers: the subject DN is fixed across the infrastructure, so an exact match on it finds the hosts with the following Censys search query:\r\nservices.tls.certificates.leaf_data.subject_dn: \"C=XX, ST=NY, L=NY, O=StaticIP, OU=privateIP\"\r\nThe pivot holds only as long as the operators keep generating certificates with this DN; treat it as a tracking signal to re-validate over time rather than a permanent signature.\r\nIf the reader wishes to automate a system to pull down a list of known Vidar C2 servers, the following Censys CLI command can be used:\r\nVidar’s Scope on the Internet\r\nNote: For this study, we define a “host” as a unique collection of service data associated with an IP address and one or more host names. We consolidate hostnames serving the same service data as their bare IP counterparts for deduplication purposes. Censys Search will sometimes show separate entries for the same physical IP address for multiple hostnames.\r\nAt the time of writing, Censys observed 22 unique IP addresses associated with a Vidar campaign (some with multiple hostnames), which can be seen within Censys search results.\r\nInterestingly, these C2 services are concentrated in two internet providers within two countries: AS24940 (HETZNER-AS) hosts 21 of them (19 located in Germany and 2 in Finland), and the remaining one runs in AS202448 (MVPS) in Finland.\r\nWhy Vidar Matters\r\nThis malware is a tool of choice for Scattered Spider, a cybercriminal organization known for targeting large companies and IT help desks.
Along with their ability to social engineer some of the largest organizations, Scattered Spider engages in data theft for extortion and has been known to deploy ransomware alongside Vidar. High-profile targets like MGM and Caesars have fallen victim to their attacks, underscoring the severity of the threat. In response to these recent attacks, the FBI and CISA have issued recommendations for organizations running critical infrastructure to mitigate and reduce the likelihood and impact of attacks by Scattered Spider actors.\r\nCommand and control (C2) Indicators\r\nSome of the C2 hosts are only accessible by hostname (i.e., they cannot be reached via the bare IP address alone), so any line here that includes an “$IP+$hostname” indicates that the hostname must be included in the request (either via TLS SNI or the HTTP Host header).\r\nSource: https://censys.com/tracking-vidar-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/tracking-vidar-infrastructure/"
	],
	"report_names": [
		"tracking-vidar-infrastructure"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/830f94c5c82d2f1e19b6bf8820d6cc7154bcab5b.pdf",
		"text": "https://archive.orkl.eu/830f94c5c82d2f1e19b6bf8820d6cc7154bcab5b.txt",
		"img": "https://archive.orkl.eu/830f94c5c82d2f1e19b6bf8820d6cc7154bcab5b.jpg"
	}
}