{
	"id": "1670371e-b062-41de-9786-3097761192b4",
	"created_at": "2026-04-06T00:10:01.350416Z",
	"updated_at": "2026-04-10T13:12:44.730616Z",
	"deleted_at": null,
	"sha1_hash": "aef3a8068bae13c3696852aa42bf3e509a4b8b66",
	"title": "Vidar stealer campaign targeting Baltic region and NATO entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1935480,
	"plain_text": "Vidar stealer campaign targeting Baltic region and NATO entities\r\nArchived: 2026-04-05 21:17:25 UTC\r\nWhile working on our automatic configuration extractors, we came across a rather strange-looking Vidar sample. The decrypted strings included domain names of such organizations as the NATO Strategic Communications Centre of Excellence, the Border Guard of Poland, Estonia and Latvia, and the Ministry of the Interior of Lithuania.\r\nAutomatically extracted strings from a Vidar sample\r\nList of targeted hostnames:\r\nccdcoe.ee\r\nccdcoe.org\r\nstratcomcoe.org\r\nenseccoe.org\r\nsab.gov.lv\r\nmidd.gov.lv\r\ndp.gov.lv\r\nrs.gov.lv\r\nvp.gov.lv\r\nmod.gov.lv\r\ncert.lv\r\nmil.lv\r\ngov.lt\r\nmil.lt\r\nhttps://cert.pl/en/posts/2021/10/vidar-campaign/\r\nPage 1 of 9\r\nvsd.lt\r\nvrm.lt\r\nstt.lt\r\nkapo.ee\r\npolitsei.ee\r\naw.gov.pl\r\nabw.gov.pl\r\nstrazgraniczna.pl\r\nbbn.gov.pl\r\nsww.gov.pl\r\nmon.gov.pl\r\nskw.gov.pl\r\ncert.pl\r\nDuring this analysis we'll be looking at sample b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1.\r\nVidar Stealer, as the name suggests, is a malware family designed to steal and exfiltrate user information. This includes data such as credentials, cryptocurrency wallets and browser cookies. It's widely believed that the family evolved from Arkei Stealer, another infostealer with similar capabilities. There is an excellent blogpost [1] by @fumik0_ describing the similarities and differences.\r\nWhile previous versions of the malware used to have the C\u0026C server address hardcoded directly in the sample, these days it uses a somewhat more novel approach, where the address is fetched from a social media platform like FACEIT or Mastodon.\r\nString decryption and usage\r\nLet's see how the strings in question were extracted and what the semantics behind their usage are.\r\nThe encryption is pretty straightforward. 
Each blob is produced by XORing two static strings located in the .rdata section.\r\nXor string decryption\r\nThe decoded strings are then used in a subsequent section of the binary, where they are compared with the hostnames of stolen credentials.\r\nIteration over stolen credentials\r\nIf at least one domain is matched, a global flag is incremented.\r\nHostname needle search\r\nWhat's unusual about these Vidar samples is the use of a second C\u0026C server, responsible for handling credentials, which is used when the global flag is set.\r\nAlternative C\u0026C server lookup\r\nFor the Vidar version analyzed, the C\u0026C address is not stored directly in the sample but fetched from a specific user profile on the Mastodon platform.\r\nIn this specific sample, the default profile is @oleg98, and for reporting credentials from hosts of interest, @artemida is used.\r\nMastodon artemida profile - pointing to 167.86.127.231\r\nMastodon oleg98 profile - pointing to 65.108.80.190\r\nCampaign background\r\nUnfortunately, we don't have much information on how the campaign was delivered or which entities were targeted directly. What is interesting, though, is that the actor used several other malware families.\r\nLet's take a look at the source samples in MWDB. 
We'll use mwdblib to quickly find the files that were extracted into\r\nthe config in question.\r\nmwdb search files 'child:(child:(config.dhash:abed3750173760a9bcc5f6d78ccdd3557ce27135c8c5e6e593a9a7387e738c4e)\r\nAll matched samples and accompanying tags:\r\n'77737d30b68a8fa75847570bfaa2c718875c532de61d7a5643504a1ac892a330', ['feed:malwarebazaar', 'ripped:raccoon', 'r\r\n'9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231', ['feed:malwarebazaar', 'feed:urlhaus', 'ripp\r\n'062c573497b73b4feaa77a78c2c76f6b095e51de635ac936e034f72afa081ecf', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'c8aa42e07176d24c933d1e2bc4f0052b2973f98fc6e395d90f09e07dbf7c0585', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'736b919068232acf7aae67e3ca5e915c89faade4110b31ff75c249ade1991ef6', ['et:smokeloader', 'feed:malwarebazaar', 'fe\r\n'ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0', ['et:raccoon_stealer', 'et:redline', 'feed:m\r\n'dbc78e2174ea6ef2807de19d0c1c60d0d027ce3d83a001d0d1bb603afad2f961', ['et:avecaesar', 'et:raccoon_stealer', 'et:r\r\n'106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4', ['et:raccoon_stealer', 'et:redline', 'feed:u\r\n'd7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622', ['et:bitrat', 'et:redline', 'feed:malwarebaz\r\n'4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'c95d04ae659ff27da971c970ec072ffbec37551120fe8c395d5455fba4139d0d', ['et:smokeloader', 'feed:malwarebazaar', 'ri\r\n'6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'43b31ea75f3c0666523aefc13e216a651e8e93feaeff1165cb35ed374365cdd6', ['feed:malwarebazaar', 'ripped:vidar', 
'runn\r\n'd7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b', ['feed:malwarebazaar', 'ripped:redlinesteale\r\n'6c2ad98af84288aff6f49ae92f9f71befbfaa4ac35d1a05b1441f1ce15124ee0', ['feed:malwarebazaar', 'ripped:raccoon', 'ri\r\n'3276f5cb5545e19704b1ef2897c17d721d6e156323f48f19275997d3cc62d005', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'ee6cb977e78651d7b9a3fd412a40f6e2cd1501f05b04c49e744db35c83181132', ['et:raccoon_stealer', 'et:redline', 'feed:m\r\n'22dbf29f7b7ee63da9418ab462b83e242823b83af7d697e7cf34796febc4d884', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297', ['et:raccoon_stealer', 'et:redline', 'feed:m\r\n'7a5444f5316764d3960132052abe097784a29b7390e0ece10c86b804c125100f', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'9fefd930a1cc7b257fe5a65bc3eda3167bc0f82895f288fc34eaca3411b2688b', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'611796a36903059a2d1725d7849a375b9aa2902254c0d5f5fa2122e83570ea3a', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'7ec5f24e6f59719e6c071ec719dcfcbe8e48f5293f493b903f19446c1815048b', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'518e682b4f0226db5e1abb7b62a32a2f46db719b6c407317273cbef56c811657', ['feed:urlhaus', 'ripped:vidar', 'runnable:w\r\n'bf4d1dcd4b9129f47ec4239fa5a33e00c981e5fac5b8be880b76d2a1f5753c34', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'd9b6823ca8e13b78c269c5d21e948dbab625ea87d3370d163eeabeb3822aef56', 
['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'8a2abfa467352b278a1233aead9dffbb23a6d17bd50fe22e275ca92a1911c23c', ['feed:urlhaus', 'ripped:vidar', 'runnable:w\r\n'1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'2692f4594cebfa3afca882274dc1432fea1ccbc7d3f37db3e15059722db1d97b', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\n'9cffbade290f88c34b8a5e2e551fd9ae035eeda9d49d0eb0fecec8e40ecf2e84', ['feed:malwarebazaar', 'ripped:vidar', 'runn\r\nWe can see that besides Vidar, MWDB was also able to detect and extract configurations from the following malware families:\r\nRaccoon\r\nRedLine Stealer\r\nSmokeLoader\r\nSTOP ransomware\r\nAll of the recognized samples were uploaded as part of the URLhaus [2] and MalwareBazaar [3] feeds, both developed by abuse.ch.\r\nIndicators of Compromise\r\nC\u0026C profile proxies\r\nhxxps://mas.to/@sslam\r\nhxxps://mas.to/@serg4325\r\nhxxps://mas.to/@xeroxxx\r\nhxxps://mas.to/@oleg98\r\nhxxps://mas.to/@artemida\r\nC\u0026C servers\r\n65.108.80[.]190\r\n167.86.127[.]231\r\nSamples\r\n16c3f8999141beee55afdb49670b9e44b4916816faeb643639a7ace81c13806a\r\n1d4ecd52ab85b7f5229f00ee10d438286e361d4c304000abca8b3dcbe1d7c720\r\n77737d30b68a8fa75847570bfaa2c718875c532de61d7a5643504a1ac892a330\r\n9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231\r\n062c573497b73b4feaa77a78c2c76f6b095e51de635ac936e034f72afa081ecf\r\nc8aa42e07176d24c933d1e2bc4f0052b2973f98fc6e395d90f09e07dbf7c0585\r\n736b919068232acf7aae67e3ca5e915c89faade4110b31ff75c249ade1991ef6\r\nebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0\r\ndbc78e2174ea6ef2807de19d0c1c60d0d027ce3d83a001d0d1bb603afad2f961\r\n106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4\r\nd7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622\r\n4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9\r\n4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2\r\nc95d04ae659ff27da971c970ec072ffbec37551120fe8c395d5455fba4139d0d\r\n6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b\r\naad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11\r\n43b31ea75f3c0666523aefc13e216a651e8e93feaeff1165cb35ed374365cdd6\r\nd7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a\r\n995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b\r\n6c2ad98af84288aff6f49ae92f9f71befbfaa4ac35d1a05b1441f1ce15124ee0\r\n3276f5cb5545e19704b1ef2897c17d721d6e156323f48f19275997d3cc62d005\r\nee6cb977e78651d7b9a3fd412a40f6e2cd1501f05b04c49e744db35c83181132\r\n22dbf29f7b7ee63da9418ab462b83e242823b83af7d697e7cf34796febc4d884\r\n149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f\r\n90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297\r\n7a5444f5316764d3960132052abe097784a29b7390e0ece10c86b804c125100f\r\n98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf\r\n9fefd930a1cc7b257fe5a65bc3eda3167bc0f82895f288fc34eaca3411b2688b\r\n11a83b7f651c007cef7ca9490fc560dbfda8cd6b538199e277047c8087c7cee0\r\n611796a36903059a2d1725d7849a375b9aa2902254c0d5f5fa2122e83570ea3a\r\n7ec5f24e6f59719e6c071ec719dcfcbe8e48f5293f493b903f19446c1815048b\r\n518e682b4f0226db5e1abb7b62a32a2f46db719b6c407317273cbef56c811657\r\nbf4d1dcd4b9129f47ec4239fa5a33e00c981e5fac5b8be880b76d2a1f5753c34\r\nd9b6823ca8e13b78c269c5d21e948dbab625ea87d3370d163eeabeb3822aef56\r\n8a2abfa467352b278a1233aead9dffbb23a6d17bd50fe22e275ca92a1911c23c\r\n1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be\r\n2692f4594cebfa3afca882274dc1432fea1ccbc7d3f37db3e15059722db1d97b\r\n9cffbade290f88c34b8a5e2e551fd9ae035eeda9d49d0eb0fecec8e40ecf2e84\r\n446d53cdc62a86025835e93938afeb9c1b24f28f2bade4980c01ac517b76c760\r\nReferences\r\n1. https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\n2. https://urlhaus.abuse.ch/\r\n3. https://bazaar.abuse.ch/\r\nSource: https://cert.pl/en/posts/2021/10/vidar-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cert.pl/en/posts/2021/10/vidar-campaign/"
	],
	"report_names": [
		"vidar-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aef3a8068bae13c3696852aa42bf3e509a4b8b66.pdf",
		"text": "https://archive.orkl.eu/aef3a8068bae13c3696852aa42bf3e509a4b8b66.txt",
		"img": "https://archive.orkl.eu/aef3a8068bae13c3696852aa42bf3e509a4b8b66.jpg"
	}
}