{
	"id": "835bd022-19df-4bb6-ab0b-019f7b73898b",
	"created_at": "2026-04-06T00:18:31.286028Z",
	"updated_at": "2026-04-10T03:22:05.345044Z",
	"deleted_at": null,
	"sha1_hash": "9dd54f089ac1a8dc94d7f41a5dbdba172ed4fbc3",
	"title": "Vidar and GandCrab: stealer and ransomware combo observed in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 932437,
	"plain_text": "Vidar and GandCrab: stealer and ransomware combo observed in\r\nthe wild\r\nBy Jérôme Segura\r\nPublished: 2019-01-03 · Archived: 2026-04-05 22:51:32 UTC\r\nWe have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads,\r\nincluding several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware\r\nrecently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis).\r\nIn Norse Mythology, Víðarr is a god and son of Odin, whose death it is foretold he will avenge. Being referred to\r\nas “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including Tor\r\nBrowser) and cryptocurrency wallets, capture instant messages, and much more.\r\nWe witnessed a threat actor using the Fallout exploit kit to distribute Vidar. But victims won’t notice that as much,\r\nas the secondary and noisier payload being pushed is GandCrab ransomware.\r\nOverview\r\nA malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon\r\ncloser look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a\r\nnewer and, at the time, not yet publicly described piece of malware now identified as Vidar.\r\nBeyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own\r\ncommand and control (C2) server. 
The infection timeline showed that victims were first infected with Vidar,\r\nwhich tried to extract confidential information, before eventually being compromised with the GandCrab\r\nransomware.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/\r\nPage 1 of 6\n\nMalvertising and Fallout exploit kit\r\nTorrent and streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly regulated. A malicious actor using a rogue advertising domain is redirecting these site visitors according to their\r\ngeolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the\r\nformer is the most active.\r\nStealers such as AZORult seem to be a favorite payload here, but we also noticed that Arkei/Vidar was quite\r\ncommon. In this particular instance, we saw Vidar being pushed via the Fallout exploit kit.\r\nVidar\r\nIt should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups\r\nthrough different campaigns.\r\nVidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they\r\nare interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also\r\nscrape an impressive selection of digital wallets.\r\nUpon execution on the system, Vidar will search for any data specified in its profile configuration and\r\nimmediately send it back to the C2 server via an unencrypted HTTP POST request.\r\nThis includes high-level system details (specs, running processes, and installed applications) and stats about the\r\nvictim (IP address, country, city, and ISP) stored in a file called information.txt. 
This file is packaged along with\r\nother stolen data and zipped before being sent back to the C2 server.\r\nGandCrab as a loader\r\nVidar also offers to download additional malware via its command and control server. This is\r\nknown as the loader feature, and again, it can be configured within Vidar’s administration panel by\r\nadding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will\r\ndownload an additional payload. In that case, the server will send back a response of\r\nHTTP/1.1 200 OK\r\nDate:\r\nContent-Type: text/html; charset=UTF-8\r\nConnection: keep-alive\r\nServer: Pro-Managed\r\nContent-Length: 51\r\n\r\nhttp://ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe;\r\nWithin about a minute after the initial Vidar infection, the\r\nvictim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.\r\nRansomware as a last payload\r\nWhile ransomware experienced a slowdown in 2018, it is still one of the more dangerous threats. In contrast to\r\nmany other types of malware, ransomware is instantly visible and requires a call to action, whether victims decide\r\nto pay the ransom or not.\r\nHowever, threat actors can use ransomware for a variety of reasons within their playbook. It could be, for\r\ninstance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost\r\ndata. But as we see here, it can be coupled with other threats and used as a last payload when other resources have\r\nalready been exhausted.\r\nAs a result, victims get a double whammy. 
Not only are they robbed of their financial and personal information,\r\nbut they are also being extorted to recover the now encrypted data.\r\nMalwarebytes users are protected against this threat at multiple levels. Our signatureless anti-exploit engine\r\nmitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. We detect the\r\ndropped stealer as Spyware.Vidar and also thwart GandCrab via our anti-ransomware module.\r\nAcknowledgements\r\nMany thanks to Fumik0_ and @siri_urz for their inputs and Vidar payload identification.\r\nIndicators of Compromise (IOCs)\r\nVidar binary\r\nE99DAF10E6CB98E93F82DBE344E6D6B483B9073E80B128C163034F68DE63BE33\r\nVidar C2\r\nkolobkoproms[.]ug\r\nLoader URL (GandCrab)\r\novz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe\r\nGandCrab binary\r\nABF3FDB17799F468E850D823F845647738B6674451383156473F1742FFBD61EC\r\nSource: https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/"
	],
	"report_names": [
		"vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9dd54f089ac1a8dc94d7f41a5dbdba172ed4fbc3.pdf",
		"text": "https://archive.orkl.eu/9dd54f089ac1a8dc94d7f41a5dbdba172ed4fbc3.txt",
		"img": "https://archive.orkl.eu/9dd54f089ac1a8dc94d7f41a5dbdba172ed4fbc3.jpg"
	}
}