{
	"id": "e8d6f073-4043-4ced-b66e-282ac7bee911",
	"created_at": "2026-04-06T01:32:11.917047Z",
	"updated_at": "2026-04-10T13:12:40.680596Z",
	"deleted_at": null,
	"sha1_hash": "938ad8d158e2f26c3c745ec6b107a99b63832540",
	"title": "Microsoft Help Files Disguise Vidar Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220165,
	"plain_text": "Microsoft Help Files Disguise Vidar Malware\r\nBy Nate Nelson\r\nPublished: 2022-03-24 · Archived: 2026-04-06 00:27:42 UTC\r\nAttackers are hiding interesting malware in a boring place, hoping victims won’t bother to look.\r\nWhere’s the last place you’d expect to find malware? In an email from your mother? Embedded in software you\r\ntrust and use everyday (actually, that’s probably the first place you should look)? How about in a technical\r\ndocumentation file?\r\nIn a report published Thursday, Trustwave SpiderLabs revealed a new phishing attack designed to plant the Vidar\r\ninfostealer on target machines. The trick to this particular campaign is that it conceals its complex malware behind\r\na Microsoft Compiled HTML Help (.CHM) file, Microsoft’s proprietary file format for help documentation saved\r\nin HTML. In other words, it’s the kind of file you almost never look at or even think about.\r\nAfter all, what better place to hide something interesting than within something boring? That’s just what\r\ncyberattackers have done in a recent spate of data-stealing attacks: leverage .CHM files in a nested attack that\r\nprioritizes obfuscation.\r\nThe Latest Phish\r\nSome threat actors will dedicate a tremendous amount of effort to diligently crafting a perfect phishing email.\r\nThey copy a well-known brand’s graphics to a tee, and compose a perfect message conveying legitimacy and\r\nprofessionalism, but also urgency.\r\nNot so here. If the attackers in this case spent any more than three minutes crafting their phishing email, it doesn’t\r\nshow.\r\nThe subject line – “Re: Not read: Coverage Inquiry 3.24.16” – goes some way to implying that an ongoing\r\ndiscourse is occurring (“Re”), and that the recipient must take action (“Not read”) – and is otherwise vague\r\nenough to not arouse immediate suspicion. The body of the email does even less:\r\nThe important information for you. 
See the attachment to the email.\r\nThank You!\r\nSaid attachment appears to the recipient as “request.doc,” but is, in fact, an .ISO file, Trustwave noted in its\r\nanalysis. ISOs are used to copy the information on physical optical discs into a single file. However, as the report\r\nnotes, hackers have learned how to repurpose ISO files as malware containers. According to Trustwave, there was\r\na “notable uptick” in this strategy beginning in 2019. Vidar itself started gaining popularity around the same time.\r\nThe Vidar Malware\r\nhttps://threatpost.com/microsoft-help-files-vidar-malware/179078/\r\nPage 1 of 3\n\nVidar is a kind of jack-of-all-trades infostealer, forked from the Arkei malware family. As Threatpost has\r\nexplained in the past, just after it was first discovered:\r\nVidar steals documents, cookies and browser histories (including from Tor), currency from a wide array of\r\ncryptocurrency wallets, data from two-factor authentication software and text messages, plus it can take\r\nscreenshots. The package also offers malware operators Telegram notifications for important logs. And lastly,\r\nthreat actors can customize the stealer via profiles, which allows them to specify the kind of data they are\r\ninterested in.\r\nIn this latest campaign, the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code\r\nis a snippet of HTML application (HTA) code containing JavaScript  that covertly triggers a second file,\r\n“app.exe.” This is, in fact, Vidar malware.\r\n“One of the objects unpacked from the .CHM is the HTML file\r\n‘PSSXMicrosoftSupportServices_HP05221271.htm’ —  the primary object that gets loaded once the CHM\r\npss10r.chm is opened,” according to the Trustwave writeup. 
“This HTML has a button object which automatically\r\ntriggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for\r\nexecuting HTA files.\r\nAs soon as app.exe triggers, Vidar downloads its dependencies and configuration settings from a command-and-control (C2) server, which is retrieved from Mastodon, an open-source social networking platform. The malware\r\nthen searches two hard-coded profiles and nabs the C2 address from the Bio section.\r\nA Mastodon profile containing Vidar’s C2 information. Source: Trustwave.\r\nhttps://threatpost.com/microsoft-help-files-vidar-malware/179078/\r\nPage 2 of 3\n\nThen, Vidar gets to stealing. Any information it sucks up gets sent back to the C2.  Vidar can also download\r\nadditional malware to the target machine. Once the job is done, the malware covers its tracks by deleting all the\r\nfiles it’s created.\r\nThis nested approach and the use of unassuming Help files is all in the name of obfuscation, of course.\r\n“We’ve seen this technique used quite a bit recently,” Karl Sigler, senior security research manager at Trustwave\r\nSpiderLabs, told Threatpost via email, “and the various attempts at nesting the attack (from .ISO to .CHM to .HTA\r\nto JavaScript to execution) shows the lengths that these actors are going to try to obfuscate and hide their attack.”\r\nHe concluded quite simply. “This TTP is really popular right now.”\r\nMoving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your\r\nassets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore\r\norganizations’ top risks and challenges, best practices for defense, and advice for security success in such a\r\ndynamic computing environment, including handy checklists.\r\nSource: https://threatpost.com/microsoft-help-files-vidar-malware/179078/\r\nhttps://threatpost.com/microsoft-help-files-vidar-malware/179078/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/microsoft-help-files-vidar-malware/179078/"
	],
	"report_names": [
		"179078"
	],
	"threat_actors": [],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/938ad8d158e2f26c3c745ec6b107a99b63832540.pdf",
		"text": "https://archive.orkl.eu/938ad8d158e2f26c3c745ec6b107a99b63832540.txt",
		"img": "https://archive.orkl.eu/938ad8d158e2f26c3c745ec6b107a99b63832540.jpg"
	}
}
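The chain the article describes (a .chm whose trailing bytes carry an HTA/JavaScript snippet, the help viewer re-launching that file through mshta.exe, and mshta.exe then starting app.exe) can be caught at two points: statically, by looking for script and mshta markers in the tail of a CHM, and on the endpoint, by alerting on the process relationships. The Python below is an added example written for this page, not Trustwave's or Threatpost's code. The CHM blobs and the pipe-delimited process-creation log, its pids, paths and the benign decoy events are all constructed for the demonstration; only the file names pss10r.chm and app.exe come from the article, and the detection rules generalise beyond this one sample to any CHM handed to mshta.exe.

```python
"""Detection helpers for the ISO -> CHM -> mshta -> app.exe chain.

Added example for this article; not Trustwave's or Threatpost's code.
All sample data below is constructed for the demonstration.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# ---- 1. Static triage of a .chm blob ---------------------------------------
CHM_MAGIC = b"ITSF"  # ITSS container signature at offset 0 of every genuine CHM

# Content a help file has no business carrying: HTA/script markers and mshta.
SUSPICIOUS_MARKERS = {
    "script_tag": rb"<script\b",
    "hta_application": rb"<hta:application\b",
    "mshta": rb"\bmshta(?:\.exe)?\b",
    "activexobject": rb"ActiveXObject",
    "wscript_shell": rb"WScript\.Shell",
}


def triage_chm(data: bytes, tail_bytes: int = 4096) -> Dict[str, object]:
    """Check the CHM magic and scan the trailing bytes, where the campaign
    appended its HTA snippet, for script and mshta markers."""
    tail = data[-tail_bytes:]
    hits = [name for name, pat in SUSPICIOUS_MARKERS.items()
            if re.search(pat, tail, re.IGNORECASE)]
    return {"is_chm": data.startswith(CHM_MAGIC), "markers": hits,
            "suspicious": bool(hits)}


# Constructed blobs (hypothetical): CHM header, filler, and an appended HTA snippet.
SAMPLE_CHM_MALICIOUS = (CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 512
                        + b'<script>new ActiveXObject("WScript.Shell")'
                        b'.Run("mshta.exe pss10r.chm", 0);</script>')
SAMPLE_CHM_BENIGN = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 512

# ---- 2. Process-chain rules over sample endpoint telemetry ------------------
# Constructed log lines, one process-creation event each:
#   timestamp|pid|ppid|image|parent_image|cmdline
SAMPLE_LOG = r"""
2022-03-24T10:01:02Z|4012|3900|C:\Windows\hh.exe|C:\Windows\explorer.exe|"C:\Windows\hh.exe" D:\pss10r.chm
2022-03-24T10:01:03Z|4101|4012|C:\Windows\System32\mshta.exe|C:\Windows\hh.exe|mshta.exe D:\pss10r.chm
2022-03-24T10:01:05Z|4200|4101|D:\app.exe|C:\Windows\System32\mshta.exe|D:\app.exe
2022-03-24T10:05:00Z|5000|3900|C:\Windows\hh.exe|C:\Windows\explorer.exe|"C:\Windows\hh.exe" C:\Windows\Help\example.chm
2022-03-24T10:06:00Z|5100|3900|C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|mshta.exe C:\Tools\inventory.hta
""".strip()


def parse_events(log_text: str) -> List[Dict[str, object]]:
    """Parse the pipe-delimited sample format; image names become lower-cased basenames."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, parent, cmdline = line.split("|", 5)
        events.append({
            "ts": ts, "pid": int(pid), "ppid": int(ppid),
            "image": PureWindowsPath(image).name.lower(),
            "parent": PureWindowsPath(parent).name.lower(),
            "cmdline": cmdline,
        })
    return events


def detect_chain(log_text: str) -> List[Dict[str, object]]:
    """Three rules for the chain described in the article. Each alert carries
    the rule name and the pid of the offending process."""
    alerts = []
    for ev in parse_events(log_text):
        if ev["image"] == "mshta.exe":
            # mshta handed a .chm: the help file itself is being run as an HTA.
            if re.search(r"\.chm\b", ev["cmdline"], re.IGNORECASE):
                alerts.append({"rule": "mshta_chm_argument", "pid": ev["pid"],
                               "cmdline": ev["cmdline"]})
            # The help viewer (hh.exe) has no legitimate reason to launch mshta.
            if ev["parent"] == "hh.exe":
                alerts.append({"rule": "hh_spawned_mshta", "pid": ev["pid"],
                               "cmdline": ev["cmdline"]})
        elif ev["parent"] == "mshta.exe" and ev["image"].endswith(".exe"):
            # Second stage (app.exe in the campaign) started by the HTA host.
            alerts.append({"rule": "mshta_spawned_executable", "pid": ev["pid"],
                           "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    print(triage_chm(SAMPLE_CHM_MALICIOUS))
    print(triage_chm(SAMPLE_CHM_BENIGN))
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```

The static check only looks at the tail of the file because that is where this campaign appended its snippet; the bulk of a real CHM is LZX-compressed, so a snippet stored inside the compressed sections would need the container unpacked first. The two mshta rules fire independently on the same event, which is deliberate: a variant that launches mshta.exe from a different parent still trips the .chm-argument rule, and one that renames the help file still trips the hh.exe-parent rule.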