{
	"id": "11eb6bc7-ad47-478f-abb7-60dc04c6249d",
	"created_at": "2026-04-06T00:16:20.455474Z",
	"updated_at": "2026-04-10T03:19:56.844094Z",
	"deleted_at": null,
	"sha1_hash": "85ac956ea98badc9e21b282c77b4f6911b3ae036",
	"title": "Vidar Stealer Picks Up Steam! - Tutorials, Tips \u0026 Tricks - Emerging Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 567486,
	"plain_text": "Vidar Stealer Picks Up Steam! - Tutorials, Tips & Tricks - Emerging Threats\r\nPublished: 2023-01-18 · Archived: 2026-04-05 19:25:53 UTC\r\npost by ishaughnessy on Jan 18, 2023\r\nEmerging Threats has observed an uptick in Vidar Stealer malware that abuses Steam user profiles to distribute C2 server configuration. Vidar Stealer is an information stealer that is either a fork of, or otherwise related to, the Arkei information stealer. According to Check Point, Vidar has become one of the top ten most prevalent malware families following a series of fake Zoom campaigns. Vidar’s goal is usually to steal sensitive information from infected hosts, such as digital wallets and web browser data.\r\nWhen the sample first executes it begins to profile the machine. In one of the first steps it queries api[.]2ip[.]ua to acquire the victim host’s public IP address.\r\nThe sample then sends a request to a Telegram account to retrieve the initial C2 server address. The malware uses the following static User-Agent for this request:\r\nMozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0\r\nExample GET Request\r\nhttps://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271\r\nPage 1 of 7\r\nTelegram C2 Account\r\nC2 Format: '<random name> hxxp://<ip_address>|'\r\nOnce the C2 IP address is retrieved, the sample performs a check-in and receives instructions on what data should be stolen.\r\nC2 Instructions in Response\r\nOnce the instructions are received, the client downloads a .zip containing several benign .dll’s that are used to harvest data from the host. Common names for the archive are:\r\nPack.zip\r\nUpgrade.zip\r\nupdate.zip\r\nContents of pack.zip\r\nAfter the resources are downloaded, Vidar creates a .zip containing the stolen data, which is then base64 encoded and exfiltrated via a POST request.\r\nExfiltration Traffic\r\nBase64 Decoded Traffic Reveals Stolen Firefox History\r\nContents Of Exfiltrated .zip\r\nScreen Shot Of The Victim Desktop Is Taken During Execution And Exfiltrated\r\nIn another sample a Steam profile can be seen in memory during execution. Upon reviewing the profile, there is another C2 address which is used for further exfiltration.\r\nSteam Profile With C2 Server Address In Username\r\nAdditional Checkin And Exfil To C2 Server From Steam Profile\r\nHere are a few Steam profiles that have been used to host C2 server config.\r\nProfile: hxxps://steamcommunity.com/profiles/76561199469016299\r\nC2: hxxp://78.47.225[.]61|\r\nProfile: hxxps://steamcommunity.com/profiles/76561199469677637\r\nC2: hxxp://78.47.172[.]233|\r\nProfile: hxxps://steamcommunity.com/profiles/76561199443972360\r\nC2: hxxp://78.46.238[.]118|\r\nProfile: hxxps://steamcommunity.com/profiles/76561199446766594\r\nC2: hxxp://78.47.233[.]145|\r\nProfile: hxxps://steamcommunity.com/profiles/76561199445991535\r\nC2: hxxp://142.132.169[.]161|\r\nProfile: hxxps://steamcommunity.com/profiles/76561199441933804\r\nC2: hxxp://142.132.236[.]84|\r\nAfter contacting Steam regarding this C2 distribution method, they’ve concluded that it is important for users to be able to share information via their profile and will not be taking action. As of 2023/01/18 all of the above Steam profiles are still active after reporting the accounts for abuse.\r\nReferences\r\nVidar Trojan Analysis, Malware Overview by ANY.RUN\r\nSeptember 2022’s Most Wanted Malware: Formbook on Top While Vidar ‘Zooms’ Seven Places - Check Point Blog\r\nIOCs\r\n## C2 IP Addresses ##\r\n5.75.182.6\r\n78.47.225.61\r\n78.47.172.233\r\n78.47.233.145\r\n78.46.238.118\r\n91.107.158.249\r\n142.132.169.161\r\n## Files (MD5) ##\r\n40d5e0f066caa3b5cdb4f97a6adf7bac\r\ne8b5ced1c7421ee80a25afe48e816a08\r\ndeb6e2ba0b5da298a176f135d0dbb902\r\n99ba29aa0086b1b1ac838d206b49715c\r\n## Telegram Accounts ##\r\nhttps://t.me/tgdatapacks\r\nhttps://t.me/jetbim\r\n## Steam Profiles ##\r\nhttps://steamcommunity.com/profiles/76561199469016299\r\nhttps://steamcommunity.com/profiles/76561199469677637\r\nhttps://steamcommunity.com/profiles/76561199443972360\r\nhttps://steamcommunity.com/profiles/76561199446766594\r\nhttps://steamcommunity.com/profiles/76561199445991535\r\nhttps://steamcommunity.com/profiles/76561199441933804\r\nET Vidar Signatures\r\nET MALWARE Arkei/Vidar/Mars Stealer Variant - 2036316\r\nET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands - 2038523\r\nET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt - 2038525\r\nET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request - 2038524\r\nET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI - 2035873\r\nET MALWARE Possible Vidar Stealer C2 Config In Steam Profile - 2043334\r\nET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil - 2029236\r\nET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern - 2034813\r\nET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved - 2035911\r\nET MALWARE Vidar/Arkei Stealer Client Data Upload - 2025431\r\nET MALWARE Vidar Stealer CnC Domain in DNS Lookup - 2035872\r\nET MALWARE Vidar Stealer - FaceIt Checkin Response - 2033066\r\nET MALWARE Vidar Stealer IP Address in DNS Query Response - 2043248\r\nET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup - 2040140\r\nET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET) - 2036667\r\nET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil - 2033163\r\nET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download - 2036654\r\nETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response - 2853039\r\nETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed - 2853038\r\nETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin - 2851826\r\nETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC - 2842708\r\nETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving Payload - 2841407\r\nETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information - 2841237\r\nETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information M2 - 2841406\r\npost by ishaughnessy on Jan 12, 2024\r\nSource: https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271"
	],
	"report_names": [
		"271"
	],
	"threat_actors": [],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85ac956ea98badc9e21b282c77b4f6911b3ae036.pdf",
		"text": "https://archive.orkl.eu/85ac956ea98badc9e21b282c77b4f6911b3ae036.txt",
		"img": "https://archive.orkl.eu/85ac956ea98badc9e21b282c77b4f6911b3ae036.jpg"
	}
}