{
	"id": "b2392db3-f8b0-4e36-8120-faf963085606",
	"created_at": "2026-04-06T00:17:25.410922Z",
	"updated_at": "2026-04-10T13:12:18.509144Z",
	"deleted_at": null,
	"sha1_hash": "e2529d3dcca0200dcbf3a1939948ce4966ba8b92",
	"title": "Vidar Exploiting Social Media Platform (Mastodon) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1542229,
	"plain_text": "Vidar Exploiting Social Media Platform (Mastodon) - ASEC\r\nBy ATCP\r\nPublished: 2022-01-20 · Archived: 2026-04-05 19:22:56 UTC\r\nThe ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon\r\nto create C\u0026C server addresses.\r\nhttps://asec.ahnlab.com/en/30875/\r\nPage 1 of 4\n\nMastodon website\r\nVidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a\r\nKMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it\r\nbeing installed through other types of malware such as Stop ransomware. When Vidar is run, it first accesses the\r\nC\u0026C server to receive commands and DLLs that are required to steal information before it can perform its info-stealing activities. In the past, the malware simply connected to C\u0026C server and received commands and\r\nadditional files like other malware. Yet the recent Vidar type exploits various online platforms to actually create\r\nC\u0026C servers.\r\nLast year, it used a game matching platform called FaceIt to do so, which was discussed in one of the ASEC blog\r\nposts.\r\nVidar Info-Stealer Abusing Certain Game Platform\r\nRecent Vidar cases exploit Mastodon, a social media platform. When Vidar is run, it first accesses Mastodon\r\n(noc.social website) before it tries to communicate with the C\u0026C server. To be more specific, it is a profile page of\r\na user named “banda5ker”.\r\nhttps://asec.ahnlab.com/en/30875/\r\nPage 2 of 4\n\nAttacker’s Mastodon profile\r\nThe profile page has the string shown below. 
“hello 162.55.213[.]180|”\r\nThis string is the actual C\u0026C server address of Vidar.\r\nThe malware downloads the web page, searches for the marker string “hello”, and parses the C\u0026C address that follows it up to the separator “|”.\r\nRoutine for C\u0026C address parsing\r\nIf the attacker edits the profile and enters another address, the Vidar info-stealer will connect to the new C\u0026C server and continue its malicious activity. As long as the attacker’s Mastodon account is not suspended, the attacker can repeatedly edit the C\u0026C address to redirect the same malware sample to different C\u0026C servers. The attacker most likely uses this indirection to evade network-level blocking of the C\u0026C address.\r\nVidar then connects to the actual C\u0026C server it has obtained, receives the DLL files needed for its commands and info-stealing, and finally sends the stolen information to that C\u0026C server. Note that this Vidar sample is version v49.6 (see the figure of the data it sends below); the Vidar strain that abused FaceIt was v38.6.\r\nVidar’s network activities of sending stolen information\r\nThe info-stealing features of Vidar are explained in the following post.\r\nAnalysis of Info-Leaking Feature of Info-Stealer Malware Vidar\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:\r\n[File Detection]\r\n– Infostealer/Win.SmokeLoader.R465643 (2022.01.19.01)\r\n[Behavior Detection]\r\n– Malware/MDP.Vidar.M3505\r\nMD5\r\n185cc9e866a23c5cff47d41e8834ffad\r\nURL\r\nhttp[:]//162[.]55[.]213[.]180/\r\nhttps[:]//noc[.]social/@banda5ker\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/30875/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/30875/"
	],
	"report_names": [
		"30875"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2529d3dcca0200dcbf3a1939948ce4966ba8b92.pdf",
		"text": "https://archive.orkl.eu/e2529d3dcca0200dcbf3a1939948ce4966ba8b92.txt",
		"img": "https://archive.orkl.eu/e2529d3dcca0200dcbf3a1939948ce4966ba8b92.jpg"
	}
}