{
	"id": "b6b144da-a0d4-4042-b107-cad6804f006c",
	"created_at": "2026-04-06T00:19:28.395541Z",
	"updated_at": "2026-04-10T03:37:08.91882Z",
	"deleted_at": null,
	"sha1_hash": "8f81a577cf8b6052fea0ef2d025e8985e87f0261",
	"title": "Microsoft Windows 11 help Files have Vidar Spyware | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1827465,
	"plain_text": "Microsoft Windows 11 help Files have Vidar Spyware | Zscaler\r\nBy Sudeep Singh, Santiago Vicente, Brett Stone-Gross\r\nPublished: 2022-05-19 · Archived: 2026-04-05 15:44:52 UTC\r\nSummary\r\nIn April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the\r\nofficial Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our\r\nZscaler cloud. The spoofed sites were created to distribute malicious ISO files which lead to a Vidar infostealer infection on\r\nthe endpoint. These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels\r\nhosted on Telegram and Mastodon network.\r\nThreatLabz believes that the same threat actor is actively leveraging social engineering to impersonate popular legitimate\r\nsoftware applications to distribute Vidar malware, as we have also identified an attacker-controlled GitHub repository which\r\nhosts several backdoored versions of Adobe Photoshop. 
These binaries hosted on GitHub distribute Vidar malware using similar tactics, abusing social media channels for C2 communication.\r\nIn this blog, ThreatLabz presents the Vidar distribution vector, the threat actor correlation, and a technical analysis of the binaries involved in this campaign.\r\nKey points\r\nThreatLabz discovered several newly registered domains spoofing the official Microsoft Windows 11 OS download portal\r\nThe spoofed domains were distributing malicious ISO files containing samples of the Vidar infostealer malware\r\nThe actual C2s used by the malware samples are obtained from attacker-controlled social media channels hosted on the Telegram and Mastodon networks\r\nUsing data obtained from this campaign, ThreatLabz was also able to identify a similar campaign using backdoored versions of Adobe Photoshop\r\nDistribution Vector - Windows 11 Theme\r\nBeginning on 20 April 2022, the threat actor registered several domains that host web pages masquerading as the official download page for Microsoft Windows 11, the latest version of the operating system. ThreatLabz found several other domains registered by this threat actor similar to the one shown below in Figure 1. All of these domains were used to spread malicious ISO files spoofed as a Windows 11 download.\r\nFigure 1: Vidar attacker-controlled domain serving malicious ISO file\r\nThe complete list of domains linked to this threat actor that were used in this campaign is given in the Indicators of Compromise (IOC) section.\r\nTechnical Analysis\r\nISO file\r\nhttps://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing\r\nPage 1 of 12\n\nThe binary inside the ISO file is a PE32 executable. The ISO file is very large (more than 300 MB), which helps the attackers evade network security products that impose a file-size limit on what they inspect. 
Example MD5 hashes for this campaign are shown below:\r\nISO file MD5 hash: 52c47fdda399b011b163812c46ea94a6\r\nPE32 file MD5 hash: 6352540cf679dfec21aff6bd9dee3770\r\nThe binary inside the ISO file is digitally signed with a certificate issued to AVAST. However, this certificate has expired and the signature is therefore invalid.\r\nFigure 2 shows the details of the certificate and the corresponding serial number.\r\nFigure 2: Details of the certificate used to sign the malicious Vidar binary\r\nAll of the binaries in this campaign were signed with a certificate bearing the same serial number. By pivoting on this serial number, we were able to discover several other malicious binaries from multiple different campaigns and actors, which likely indicates that this is a stolen certificate originating from the AVAST compromise in 2019.\r\nVidar Samples\r\nThe Vidar samples in these campaigns are all packed with Themida (except for the sample with MD5 hash 6ae17cb76cdf097d4dc4fcccfb5abd8a) and are over 330 MB in size. However, the actual PE content is only around 3.3 MB. 
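The inflation described above is straightforward to triage once the PE is extracted from the ISO, because the padding sits past the last section as an overlay made of one repeated byte value. The script below is an added example written for this page, not code from the Zscaler post: it reads the PE section table to find where the last section ends, measures what share of the overlay is a single byte value, and flags the file when the overlay is large and that share is high. The build_synthetic_pe helper, its sample payload and the thresholds are constructed for the demonstration rather than taken from a real sample.

```python
import struct
from collections import Counter

# Added example, not code from the Zscaler post. Triage check for the
# size-inflation trick: locate the end of the last PE section, treat whatever
# follows as overlay, and report whether that overlay is one repeated byte.


def pe_end_of_sections(data):
    '''Offset just past the last section's raw data, read from the section table.'''
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    size_opt = struct.unpack_from('<H', data, coff + 16)[0]
    end = 0
    for i in range(num_sections):
        hdr = coff + 20 + size_opt + 40 * i
        # SizeOfRawData sits at +16 and PointerToRawData at +20 in each header
        size_raw, ptr_raw = struct.unpack_from('<II', data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_profile(data):
    '''Overlay size and the share taken by its most common byte value.'''
    overlay = data[pe_end_of_sections(data):]
    if not overlay:
        return {'overlay_size': 0, 'dominant_byte': None, 'dominant_fraction': 0.0}
    byte, count = Counter(overlay).most_common(1)[0]
    return {'overlay_size': len(overlay), 'dominant_byte': byte,
            'dominant_fraction': count / len(overlay)}


def looks_inflated(data, min_overlay=10 * 1024 * 1024, min_fraction=0.95):
    '''True when the overlay is large and almost entirely one byte value.'''
    p = overlay_profile(data)
    return p['overlay_size'] >= min_overlay and p['dominant_fraction'] >= min_fraction


def build_synthetic_pe(section_payload, pad_byte, pad_len):
    '''Constructed sample: a minimal PE32 skeleton with one section, then padding.
    Not derived from any real binary; it exists so the check can run offline.'''
    e_lfanew = 0x40
    dos = bytearray(b'MZ' + bytes(e_lfanew - 2))
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into('<H', opt, 0, 0x10B)  # PE32 magic
    raw_ptr = e_lfanew + 4 + len(coff) + size_opt + 40
    section = struct.pack('<8sIIIIIIHHI', b'.text', len(section_payload), 0x1000,
                          len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + section
    return header + section_payload + bytes([pad_byte]) * pad_len


if __name__ == '__main__':
    sample = build_synthetic_pe(bytes([0xCC]) * 300, 0x10, 50000)
    print(overlay_profile(sample), looks_inflated(sample, min_overlay=4096))
```

Run it on the PE carved out of the ISO rather than on the ISO itself; the default only flags an overlay of at least 10 MiB, so tune min_overlay to the scanning size limits you care about. A legitimate installer can carry a large overlay too, but one that is almost entirely a single byte value has no purpose other than inflating the file.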
Figure 3 shows that the rest of the file content is simply padded with 0x10 bytes to inflate the file’s size.\r\nThe Vidar strings extracted from these samples are provided in the Appendix section at the end of the blog.\r\nFigure 3: Padding of bytes to inflate the Vidar binary size from 3.3MB to 330MB\r\nAll of the binaries below are related to the same Windows 11 theme campaign:\r\nMD5: 6352540cf679dfec21aff6bd9dee3770\r\nThe Vidar static configuration below contains the embedded parameters the sample needs to communicate with its C2, along with information such as the malware version:\r\nProfile: 670\r\nProfile ID: 739\r\nVersion: 51.9\r\nURL marker: hello\r\nURL1: https://t.me/btc20220425\r\nReal C2: 195.201.250.209 (Carved out from URL1)\r\nURL2: https://ieji.de/@ronxik213\r\nReal C2: 107.189.11.124 (Carved out from URL2)\r\nThe botnet can be identified by its profile ID. Both of the hardcoded URLs point to social media sites; they are not the real C2 but serve as first-stage dead drop resolvers. 
The URL marker tells Vidar how to locate the second-stage URL within the social media profile hosted at the dead drop resolver.\r\nThe following is an example Vidar stealer configuration downloaded from the C2:\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:\r\nThis is the default configuration, with every stealing function enabled (passwords, cryptocurrency wallets, two-factor authentication, etc.).\r\nThe following libraries are downloaded from the C2:\r\nupdate.zip (66cf4ebdceedecd9214caab7ca87908d), which contains the following DLLs:\r\nfreebl3.dll (ef2834ac4ee7d6724f255beaf527e635)\r\nmozglue.dll (8f73c08a9660691143661bf7332c3c27)\r\nmsvcp140.dll (109f0f02fd37c84bfc7508d4227d7ed5)\r\nnss3.dll (bfac4e3c5908856ba17d41edcd455a51)\r\nsoftokn3.dll (a2ee53de9167bf0d6c019303b7ca84e5)\r\nsqlite3.dll (e477a96c8f2b18d6b5c27bde49c990bf)\r\nvcruntime140.dll (7587bf9cb4147022cd5681b015183046)\r\nAll of these libraries are legitimate; Vidar leverages them to extract credentials and other data from different applications and browsers.\r\nMD5: da82d43043c101f25633c258f527c9d5\r\nMD5: e9a3562f3851dd2dba27f90b5b2d15c0\r\nVidar static configuration:\r\nProfile: 1281\r\nProfile ID: 755\r\nVersion: 51.9\r\nURL marker: hello\r\nURL1: 5.252.178.50\r\nURL2: https://koyu.space/@ronxik123\r\nReal C2: 107.189.11.124 (Carved out from URL2)\r\nFor these samples, the URL1 field in the static configuration is a real C2, and a social media profile is used as a backup URL.\r\nThe Vidar stealer configuration downloaded from this C2 was the following:\r\n1,1,0,1,1,1,1,0,0,1,250,none;\r\nThis configuration is customized to extract social media passwords with all of the other Vidar features disabled.\r\nThe libraries downloaded from the C2 are the same as for the previous sample, with the same update.zip (66cf4ebdceedecd9214caab7ca87908d).\r\nDistribution Vector - 
Adobe Photoshop Theme\r\nThreatLabz also identified an attacker-controlled GitHub repository that hosts backdoored versions of the application Adobe Photoshop Creative Cloud, which we attribute to the same threat actor. Figure 4 shows the GitHub repository (https://github.com/AdobeInstal) used by the attacker to host a backdoored version of Adobe Photoshop.\r\nFigure 4: Vidar attacker-controlled GitHub repository\r\nTechnical Analysis\r\nThe sample with the MD5 hash below belongs to this Adobe Photoshop theme campaign.\r\nMD5: 6ae17cb76cdf097d4dc4fcccfb5abd8a\r\nVidar static configuration:\r\nProfile: 1199\r\nProfile ID: 0\r\nVersion: 51.8\r\nURL marker: hello\r\nURL1: https://t.me/mm20220428\r\nReal C2: 195.201.250.209 (Carved out from URL1)\r\nURL2: https://koyu.space/@ronxik123\r\nReal C2: 107.189.11.124 (Carved out from URL2)\r\nThe Vidar stealer configuration downloaded from the C2 was the following:\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:\r\nThe libraries downloaded from the C2 are the same as for the previous samples, with the same update.zip (66cf4ebdceedecd9214caab7ca87908d).\r\nSocial media abuse for C2 communication\r\nAll the binaries involved in this campaign fetch the IP addresses of the C2 servers from attacker-registered social media accounts on the Telegram and Mastodon networks. In the past, the threat actors distributing Vidar have abused other social media networks such as Mastodon. However, the abuse of Telegram is a new tactic that they have added to their arsenal.\r\nTelegram abuse\r\nIn these campaigns, the threat actor created several Telegram channels with the C2 IP address in the channel description. 
The format used to store the C2 IP address on social media profiles is the following for this campaign:\r\n|\r\nThe C2_Url_Marker field in these campaigns was hello. The naming convention for the Telegram channels includes a date that corresponds to the date when the channel was created. As an example, the channel with the handle btc20220425 corresponds to a channel created on April 25, 2022, using btc_stacking as the name, as shown in Figure 5.\r\nFigure 5: Vidar attacker-controlled Telegram channel with the C2 IP address included in the channel description\r\nMastodon network abuse\r\nThe Mastodon network is a decentralized social network that allows anyone to deploy their own self-hosted instance of an online community. There are several such instances on the Internet built using Mastodon. Two of them are ieji[.]de and koyu[.]space. The threat actor created a profile on both of these communities and stored the C2 IP address in the profile section using a format similar to the one used for the Telegram channels. Figure 6 and Figure 7 show the profiles created by the threat actor on ieji[.]de and koyu[.]space, respectively.\r\nFigure 6: Vidar attacker-controlled profile on the Mastodon community ieji[.]de with the C2 IP address included in the profile description\r\nFigure 7: Vidar attacker-controlled profile on the Mastodon community koyu[.]space with the C2 IP address included in the profile description\r\nConclusion\r\nThe threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing the Vidar stealer using themes related to the latest popular software applications. 
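The C2 bootstrap described in the technical analysis and the social media sections above can be reproduced offline from the static configuration alone. The script below is an added example, not code from the Zscaler post or from Vidar itself: it walks URL1 and URL2 in order (a bare IP is the real C2, a profile URL is fetched and parsed for the marker), then splits the stealer configuration string the C2 returns and lists which files in a directory its globs would collect. Two things here are assumptions rather than facts from the post: that the profile description carries the C2 as marker, then |, then the address (the post shows the marker hello and a | separator, but the exact layout did not survive extraction), and the reading of the config fields as ten switches, a limit, and a file-collection rule. The profile pages, the fetch function and the directory listing are constructed stand-ins using TEST-NET addresses, not the campaign's real profiles or C2s.

```python
import html
import ipaddress
from fnmatch import fnmatchcase
from itertools import takewhile

# Added example, not code from the Zscaler post or from Vidar. Emulates the
# bootstrap described above: static config -> dead-drop profile -> real C2 ->
# stealer config returned by that C2. The fetch step is injected so the whole
# thing runs offline against constructed pages.


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def extract_c2(page_text, marker):
    '''Return the first marker|ipv4 entry in a fetched profile page, else None.

    ASSUMPTION: the description stores the C2 as marker, '|', address. The post
    shows the marker ('hello') and the '|' but the exact layout was lost.'''
    text = html.unescape(page_text)  # the page may entity-encode the separator
    token = marker + '|'
    pos = 0
    while True:
        idx = text.find(token, pos)
        if idx < 0:
            return None
        tail = text[idx + len(token):]
        candidate = ''.join(takewhile(lambda ch: ch.isdigit() or ch == '.', tail))
        if is_ipv4(candidate):
            return candidate
        pos = idx + 1  # marker present but nothing usable after it: keep scanning


def resolve_c2(static_cfg, fetch):
    '''Try URL1, URL2, ... in order, mirroring the fallback the post describes.

    static_cfg: {'url_marker': str, 'urls': [str, ...]} from the static
    configuration fields. A bare IPv4 entry is itself the C2; anything else is
    fetched (fetch(url) -> str or None) and parsed. Returns (ip, source) or
    (None, None) when no dead drop yields an address.'''
    for url in static_cfg['urls']:
        if is_ipv4(url):
            return url, url
        page = fetch(url)
        if page is None:
            continue
        c2 = extract_c2(page, static_cfg['url_marker'])
        if c2:
            return c2, url
    return None, None


def parse_stealer_config(raw):
    '''Split the config string the C2 returns into its visible parts.

    ASSUMPTION: ten leading 1/0 feature switches, a numeric limit (250 in both
    samples shown), then a ';'-separated file-collection rule of name, base
    directory and ':'-separated globs; 'none;' means no rule. The post does not
    name the switches, so they stay positional.'''
    fields = raw.split(',')
    switches = [f == '1' for f in fields[:10]]
    limit = int(fields[10])
    parts = ','.join(fields[11:]).split(';')
    rule = None
    if parts[0].lower() != 'none' and len(parts) >= 3:
        rule = {'name': parts[0], 'directory': parts[1],
                'patterns': [p for p in parts[2].split(':') if p]}
    return {'switches': switches, 'limit': limit, 'rule': rule}


def files_matching_rule(rule, listing):
    '''Names in a directory listing that the rule's globs would collect.
    Case-sensitive on purpose: the config lists both *utc*.* and *UTC*.*.'''
    if rule is None:
        return []
    return [n for n in listing if any(fnmatchcase(n, pat) for pat in rule['patterns'])]


# Config string as printed in the post for the Windows 11 samples.
DEFAULT_CONFIG = ('1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:'
                  '*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:')

# Constructed stand-ins for the dead-drop pages (TEST-NET addresses, not the
# campaign's real C2s). A live run would swap CONSTRUCTED_PAGES.get for an HTTP fetch.
CONSTRUCTED_PAGES = {
    'https://t.me/btc20220425':
        '''<meta property='og:description' content='btc_stacking hello|203.0.113.10|'>''',
    'https://ieji.de/@ronxik213':
        '''<div class='account__header__content'><p>hello&#124;198.51.100.7&#124;</p></div>''',
    'https://koyu.space/@ronxik123':
        '''<p>hello|999.1.1 profile edited, no valid address</p>''',
}
CONSTRUCTED_DESKTOP = ['notes.txt', 'wallet-backup.dat', 'holiday.jpg',
                       'my2fa-codes.pdf', 'UTC--2022-04-25T10-00-00Z--keyfile', 'report.docx']

if __name__ == '__main__':
    cfg = {'url_marker': 'hello', 'urls': ['https://t.me/btc20220425', 'https://ieji.de/@ronxik213']}
    print('C2:', resolve_c2(cfg, CONSTRUCTED_PAGES.get))
    parsed = parse_stealer_config(DEFAULT_CONFIG)
    print('would collect:', files_matching_rule(parsed['rule'], CONSTRUCTED_DESKTOP))
```

Swapping CONSTRUCTED_PAGES.get for a real HTTP fetch (from an isolated analysis host) turns resolve_c2 into a small tracker for the dead-drop accounts; because the actor can edit a profile at any time, record each resolved address together with the fetch time rather than treating it as static. Note that the keystore-style name without an extension is not collected by the *UTC*.* glob, which is the kind of detail a rule review should surface.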
As always, users should be cautious when downloading software applications from the Internet and should download software only from the official vendor webs0ites. The Zscaler ThreatLabz team will continue to monitor this campaign, as well as others, to help keep our customers safe.\r\nZscaler cloud sandbox detection\r\nFigure 8: Zscaler cloud sandbox detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.\r\nWin32.Downloader.Vidar\r\nWin64.Downloader.Vidar\r\nIndicators of compromise\r\nHashes\r\n52c47fdda399b011b163812c46ea94a6\r\nda82d43043c101f25633c258f527c9d5\r\ne9a3562f3851dd2dba27f90b5b2d15c0\r\n6ae17cb76cdf097d4dc4fcccfb5abd8a\r\nDomains\r\nms-win11[.]com\r\nms-win11.midlandscancer[.]com\r\nwin11-serv4[.]com\r\nwin11-serv[.]com\r\nwin11install[.]com\r\nms-teams-app[.]net\r\nURLs for fetching C2 addresses\r\nhttps://t.me/btc20220425\r\nhttps://ieji.de/@ronxik213\r\nhttps://koyu.space/@ronxik123\r\nhttps://t.me/mm20220428\r\nURLs for fetching ISO files\r\nfiles.getsnyper[.]com/files/msteams/Setup.iso\r\nfiles.getsnyper[.]com/files/windows11/Setup.iso\r\nfiles.getsnyper[.]com/files/msteamsww/Setup.iso\r\nActual C2s\r\n195.201.250.209\r\n107.189.11.124\r\n5.252.178.50\r\nAppendix\r\nDecoded Strings\r\nWallets\r\nPlugins\r\n*wallet*.dat\r\n\\\\Wallets\\\\\r\nkeystore\r\nEthereum\\\r\n\\\\Ethereum\\\\\r\nElectrum\r\n\\\\Electrum\\\\wallets\\\\\r\nElectrumLTC\r\n\\\\Electrum-LTC\\\\wallets\\\\\r\nExodus\r\n\\\\Exodus\\\\\r\nexodus.conf.json\r\nwindow-state.json\r\n\\\\Exodus\\\\exodus.wallet\\\\\r\npassphrase.json\r\nseed.seco\r\ninfo.seco\r\nElectronCash\r\n\\\\ElectronCash\\\\wallets\\\\\r\ndefault_wallet\r\nMultiDoge\r\n\\\\MultiDoge\\\\\r\nmultidoge.wallet\r\nJAXX\r\n\\\\jaxx\\\\Local 
Storage\\\\\r\nfile__0.localstorage\r\nAtomic\r\n\\\\atomic\\\\Local Storage\\\\leveldb\\\\\r\n000003.log\r\nCURRENT\r\nLOCK\r\nLOG\r\nMANIFEST-000001\r\n0000*\r\nBinance\r\n\\\\Binance\\\\\r\napp-store.json\r\nCoinomi\r\n\\\\Coinomi\\\\Coinomi\\\\wallets\\\\\r\n*.wallet\r\n*.config\r\nwallet_path\r\nSOFTWARE\\\\monero-project\\\\monero-core\r\n\\\\Monero\\\\\r\nSELECT fieldname, value FROM moz_formhistory\r\n\\\\files\\\\Soft\r\n\\\\files\\\\Soft\\\\Authy\r\n\\\\Authy Desktop\\\\Local Storage\\\\\r\n\\\\Authy Desktop\\\\Local Storage\\\\*.localstorage\r\n\\\\Opera Stable\\\\Local State\r\nINSERT_KEY_HERE\r\nJohnDoe\r\nHAL9TH\r\napi.faceit.com\r\n/core/v1/nicknames/\r\nabout\r\nMozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25\r\nC:\\\\ProgramData\\\\\r\n.exe\r\n:Zone.Identifier\r\n[ZoneTransfer] ZoneId=2\r\nWindows\r\nProgramData\r\nRECYCLE.BIN\r\nConfig.Msi\r\nSystem Volume Information\r\nmsdownld.tmp\r\nRecovery\r\nLocal\\\\Temp\r\nProgram Files\r\nRecycle.Bin\r\nAll Users\r\nMicrosoftEdge\\\\Cookies\r\nUsers\\\\Public\r\nLocal\\\\Packages\r\nLocal\\\\NuGet\r\nRoaming\\\\WinRAR\r\nLocal\\\\Microsoft\r\nMicrosoft\r\nfee_estimates\r\npeers\r\nmempool\r\nbanlist\r\ngovernance\r\nmncache\r\nmnpayments\r\nnetfulfilled\r\npasswords.txt\r\nLogin Data\r\nCookies\r\nWeb Data\r\n\\\\files\\\\Autofill\r\n\\\\files\\\\Cookies\r\n\\\\files\\\\CC\r\n\\\\files\\\\History\r\n\\\\files\\\\Downloads\r\n\\\\files\\\\\r\n\\\\files\\\\Files\r\nhwid\r\nos\r\nplatform\r\nprofile\r\nuser\r\ncccount\r\nfcount\r\ntelegram\r\nver\r\nvaultcli.dll\r\nVaultOpenVault\r\nVaultCloseVault\r\nVaultEnumerateItems\r\nVaultGetItem\r\nVaultFree\r\nSELECT url FROM moz_places\r\n%s\\\\Mozilla\\\\Firefox\\\\profiles.ini\r\n\\\\signons.sqlite\r\nSELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins\r\n\\\\logins.json\r\nformSubmitURL\r\nusernameField\r\nencryptedUsername\r\nencryptedPassword\r\nguid\r\nSELECT host, name, value FROM moz_cookies\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT name, value FROM autofill\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards\r\nSELECT target_path, tab_url from downloads\r\nSELECT url, title from urls\r\nSELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies\r\nC:\\\\Users\\\\\r\n\\\\AppData\\\\Roaming\\\\FileZilla\\\\recentservers.xml\r\nSoft: FileZilla\\n\r\n\\\\AppData\\\\Roaming\\\\.purple\\\\accounts.xml\r\nSoft: Pidgin\\n\r\n\\\\Thunderbird\\\\Profiles\\\\\r\nC:\\\\Program Files (x86)\\\\Mozilla Thunderbird\r\nAPPDATA\r\nLOCALAPPDATA\r\nThunderbird\r\n\\\\files\\\\Telegram\r\n\\\\Telegram Desktop\\\\tdata\\\\*\r\nD877F783D5D3EF8C*\r\n\\\\Telegram Desktop\\\\tdata\\\\\r\nkey_datas\r\n\\\\Telegram Desktop\\\\tdata\\\\D877F783D5D3EF8C\\\\*\r\nmap*\r\n\\\\Telegram Desktop\\\\tdata\\\\D877F783D5D3EF8C\\\\\r\nfirefox.exe\r\nplugin-container.exe\r\nupdate_notifier.exe\r\nMozilla Firefox\r\n\\\\Mozilla\\\\Firefox\\\\Profiles\\\\\r\nPale Moon\r\n\\\\Moonchild Productions\\\\Pale 
Moon\\\\Profiles\\\\\r\nWaterfox\r\n\\\\Waterfox\\\\Profiles\\\\\r\nCyberfox\r\n\\\\8pecxstudios\\\\Cyberfox\\\\Profiles\\\\\r\nBlackHawk\r\n\\\\NETGATE Technologies\\\\BlackHawk\\\\Profiles\\\\\r\nIceCat\r\n\\\\Mozilla\\\\icecat\\\\Profiles\\\\\r\nK-Meleon\r\n\\\\K-Meleon\\\\\r\nGoogle Chrome\r\n\\\\Google\\\\Chrome\\\\User Data\\\\\r\nChromium\r\n\\\\Chromium\\\\User Data\\\\\r\nKometa\r\n\\\\Kometa\\\\User Data\\\\\r\nAmigo\r\n\\\\Amigo\\\\User Data\\\\\r\nTorch\r\n\\\\Torch\\\\User Data\\\\\r\nOrbitum\r\n\\\\Orbitum\\\\User Data\\\\\r\nComodo Dragon\r\n\\\\Comodo\\\\Dragon\\\\User Data\\\\\r\nNichrome\r\n\\\\Nichrome\\\\User Data\\\\\r\nMaxthon5\r\n\\\\Maxthon5\\\\Users\\\\\r\nSputnik\r\n\\\\Sputnik\\\\User Data\\\\\r\nEpic Privacy Browser\r\n\\\\Epic Privacy Browser\\\\User Data\\\\\r\nVivaldi\r\n\\\\Vivaldi\\\\User Data\\\\\r\nCocCoc\r\n\\\\CocCoc\\\\Browser\\\\User Data\\\\\r\nURAN\r\n\\\\uCozMedia\\\\Uran\\\\User Data\\\\\r\nQIP Surf\r\n\\\\QIP Surf\\\\User Data\\\\\r\nCent Browser\r\n\\\\CentBrowser\\\\User Data\\\\\r\nElements Browser\r\n\\\\Elements Browser\\\\User Data\\\\\r\nTorBro Browser\r\n\\\\TorBro\\\\Profile\\\\\r\nSuhba Browser\r\n\\\\Suhba\\\\User Data\\\\\r\nMustang Browser\r\n\\\\Rafotech\\\\Mustang\\\\User Data\\\\\r\nChedot Browser\r\n\\\\Chedot\\\\User Data\\\\\r\nBrave_Old\r\n\\\\brave\\\\\r\n7Star\r\n\\\\7Star\\\\7Star\\\\User Data\\\\\r\nMicrosoft Edge\r\n\\\\Microsoft\\\\Edge\\\\User Data\\\\\r\n360 Browser\r\n\\\\360Browser\\\\Browser\\\\User Data\\\\\r\nQQBrowser\r\n\\\\Tencent\\\\QQBrowser\\\\User Data\\\\\r\nOpera\r\n\\\\Opera Software\\\\Opera Stable\\\\\r\nOperaGX\r\n\\\\Opera Software\\\\Opera GX Stable\\\\\r\nLocal 
State\r\nCookies\r\n%s_%s.txt\r\nTRUE\r\nFALSE\r\n\\\\Microsoft\\\\Windows\\\\Cookies\\\\Low\\\\\r\nCookies\\\\IE_Cookies.txt\r\n\\\\Packages\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\AC\\\\#!001\\\\MicrosoftEdge\\\\Cookies\\\\\r\nCookies\\\\Edge_Cookies.txt\r\n\\\\files\\\\Wallets\r\n%USERPROFILE%\r\n%DESKTOP%\r\nKERNEL32.DLL\r\nLoadLibraryA\r\nGetProcAddress\r\nVirtualAllocExNuma\r\ngdi32.dll\r\nole32.dll\r\nuser32.dll\r\npsapi.dll\r\nBCRYPT.DLL\r\nBCryptCloseAlgorithmProvider\r\nBCryptDestroyKey\r\nBCryptOpenAlgorithmProvider\r\nBCryptSetProperty\r\nBCryptGenerateSymmetricKey\r\nBCryptDecrypt\r\nCRYPT32.DLL\r\nCryptUnprotectData\r\nCryptStringToBinaryA\r\nC:\\\\ProgramData\\\\nss3.dll\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nadvapi32.dll\r\nRegOpenKeyExA\r\nRegQueryValueExA\r\nRegCloseKey\r\nRegOpenKeyExW\r\nRegGetValueW\r\nRegEnumKeyExA\r\nRegGetValueA\r\nGetUserNameA\r\nGetCurrentHwProfileA\r\nwininet.dll\r\nInternetCloseHandle\r\nInternetReadFile\r\nHttpSendRequestA\r\nHttpOpenRequestA\r\nInternetConnectA\r\nInternetOpenA\r\nHttpAddRequestHeadersA\r\nHttpQueryInfoA\r\nInternetSetFilePointer\r\nInternetOpenUrlA\r\nInternetSetOptionA\r\nDeleteUrlCacheEntry\r\nCreateCompatibleBitmap\r\nSelectObject\r\nBitBlt\r\nDeleteObject\r\nCreateDCA\r\nGetDeviceCaps\r\nCreateCompatibleDC\r\nCoCreateInstance\r\nCoUninitialize\r\nGetDesktopWindow\r\nReleaseDC\r\nGetKeyboardLayoutList\r\nCharToOemA\r\nGetDC\r\nwsprintfA\r\nEnumDisplayDevicesA\r\nGetSystemMetrics\r\nGetModuleFileNameExA\r\nGetModuleBaseNameA\r\nEnumProcessModules\r\nSource: 
https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing"
	],
	"report_names": [
		"vidar-distributed-through-backdoored-windows-11-downloads-and-abusing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f81a577cf8b6052fea0ef2d025e8985e87f0261.pdf",
		"text": "https://archive.orkl.eu/8f81a577cf8b6052fea0ef2d025e8985e87f0261.txt",
		"img": "https://archive.orkl.eu/8f81a577cf8b6052fea0ef2d025e8985e87f0261.jpg"
	}
}