Vidar Infostealer in Action: From API Hooking to Covert Data Exfiltration
Aryaka Threat Research Lab
Bikash Dash and Varadharajan Krishnasamy
www.aryaka.com
© COPYRIGHT 2015-2025 ARYAKA NETWORKS, INC. ALL RIGHTS RESERVED.

Table of Contents
Introduction
Distribution: Social Engineering at Its Core
Evolution: From Arkei Origins to a Prolific Infostealer
Overview
Technical Details
Defense Evasion Techniques
    AMSI Bypass
    Defender Exclusion
Payload Execution & Persistence
CryptProtectMemory API Hijacking for Credential Theft
Dead Drop Resolver Technique
Collection
Exfiltration
Conclusion
How Unified SASE as a Service Helps Disrupt Vidar Infostealer
Appendices
    Appendix A: Indicators of Compromise
    Appendix B: Mapping MITRE ATT&CK® Matrix

Introduction

Aryaka Threat Research Labs analyzed a variant of Vidar, a notorious infostealer operating under the Malware-as-a-Service (MaaS) model. First observed in late 2018, Vidar has continually adapted to remain effective in the modern threat landscape. This strain exhibits heightened stealth and persistence through encrypted command-and-control (C2) channels, abuse of Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods.

Primarily targeting Windows environments, Vidar conducts highly targeted data theft, harvesting an extensive range of sensitive assets. These include operating system details; browser credentials, cookies, history, autofill data, and saved credit cards; cryptocurrency wallet files; two-factor authentication (2FA) app data; credentials from email and FTP applications; authentication tokens from messaging and gaming platforms such as Telegram, Discord, and Steam; document and backup files across the victim's profile; and screenshots. Collected data is packaged, compressed, and exfiltrated to the attacker's C2 infrastructure for further exploitation or sale on underground markets.

Distribution: Social Engineering at Its Core

Vidar's delivery mechanisms are deeply rooted in social engineering, relying on deception to trick users into executing its payload. These campaigns are carefully crafted to blend into everyday digital interactions, increasing the likelihood of infection. The standard distribution methods include phishing emails containing malicious attachments or links that silently download the Vidar binary, drive-by downloads from compromised or malicious websites that exploit browser vulnerabilities or display convincing fake prompts, and malvertising campaigns in which fraudulent advertisements—disguised as legitimate software installers or updates—redirect victims to malicious payloads. This multi-pronged strategy enables Vidar to reach a broad audience while frequently bypassing basic defenses by exploiting user trust and closely mimicking legitimate content.

Evolution: From Arkei Origins to a Prolific Infostealer

Since its emergence, Vidar has evolved significantly from its roots in the Arkei malware family. While it initially shared similarities with Arkei, Vidar quickly branched into a standalone, more potent infostealer with a modular architecture and enhanced data harvesting capabilities. Its versatility, ease of deployment, and support for plugin-like modules have made Vidar highly attractive on underground forums. Distributed under the MaaS model, it enables even low-skilled threat actors to launch customized campaigns with minimal effort. As a result, Vidar has seen widespread adoption in financially motivated cybercrime.

Sources:
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-vidar-malware/
https://www.hhs.gov/sites/default/files/vidar-malware-analyst-note-tlpclear.pdf
https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing
https://blackpointcyber.com/threat-profile/vidar-stealer-malware-apg/
https://asec.ahnlab.com/en/44554/
https://www.kroll.com/en/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html

Overview

Vidar Stealer is a sophisticated information-stealing malware that employs a multi-stage infection chain, defense evasion tactics, and advanced data exfiltration methods. The attack begins with a PowerShell script that downloads two payloads from a remote server, using stealth techniques such as GUID-based hidden directories, randomized filenames, User-Agent spoofing, and retry logic with exponential backoff. The script disables AMSI, adds Microsoft Defender exclusions, and sets up persistence via scheduled tasks. The primary Vidar payload injects into trusted processes such as msbuild.exe to carry out its malicious activities, including credential theft and C2 communication. It hijacks the CryptProtectMemory API to intercept sensitive browser data before it is encrypted, forwarding the stolen data over a named pipe. Vidar retrieves its C2 addresses dynamically through a dead drop resolver mechanism, using Telegram and Steam profiles to hide its infrastructure. Stolen information is exfiltrated via TLS-encrypted POST requests with Base64-encoded payloads to evade detection. Vidar's layered approach—combining stealthy delivery, process injection, API hooking, and encrypted communications—makes it a persistent and hard-to-detect threat.

Technical Details

The Vidar infection chain begins with a PowerShell script that connects to wslm.net to retrieve two components: hxxp://wslm.net/crypted.exe, the main Vidar binary, and hxxp://wslm.net/code, a secondary PowerShell loader. The script incorporates retry logic with five attempts and a five-second delay between requests. This staged loader approach enables dynamic payload delivery, enhancing stealth and evasion against basic detection mechanisms. Figure 1 shows the command-line parameters of the PowerShell script.

Figure 1: Malicious PowerShell Script

To retrieve its payloads stealthily, the script employs a custom Download-Reliable() PowerShell function (Figure 2) that combines several evasion techniques. It sets a "PowerShell" User-Agent so the download traffic appears legitimate, and uses exponential backoff with jitter so that repeated connection attempts are less conspicuous. Errors during communication are silently suppressed, reducing the log entries that might draw a defender's attention. To ensure reliability, it retries downloads several times even in unstable environments. At the same time, it randomizes directory and file names so that each instance looks different, making signature-based detection more difficult.

As part of its obfuscation, the script generates two random GUIDs via [guid]::NewGuid().ToString('N'). The first GUID names a hidden directory created in %LOCALAPPDATA%, where the primary payload (.exe) is stored. The second GUID names a secondary PowerShell script (.ps1) saved in %APPDATA%. The directory is explicitly marked as hidden using PowerShell's Set-ItemProperty.
Figure 2: Download-Reliable Function
Figure 3: Random GUID File and Directory Creation

Defense Evasion Techniques

After retrieving the payload, the PowerShell script focuses on bypassing Windows' built-in defenses through two primary techniques: disabling AMSI to prevent inspection of script content, and adding Microsoft Defender exclusions to avoid real-time scanning. These measures allow the malicious code to execute without interference from native security mechanisms.

AMSI Bypass

The malware contains a PowerShell function named Disable-Amsi (Figure 4), designed to circumvent the Antimalware Scan Interface (AMSI), a core Windows feature that lets antivirus engines scan scripts before execution. Using reflection, it accesses the internal AmsiUtils class and sets the amsiInitFailed field to true, so the runtime behaves as if AMSI initialization had failed: AMSI checks are skipped and malicious PowerShell code runs unscanned.

Figure 4: AMSI Bypass

Defender Exclusion

To extend persistence and evade real-time scanning, the script invokes the Add-MpPreference cmdlet to exclude both the downloaded Vidar binary (the .exe stored in %LOCALAPPDATA%) and the secondary PowerShell loader (the .ps1 stored in %APPDATA%) from Microsoft Defender scans. By placing these files in excluded, hidden directories, the malware keeps them out of active antivirus analysis. Applying these exclusions early in execution significantly enhances Vidar's stealth and survivability, allowing later stages—such as credential theft, C2 communications, and data exfiltration—to proceed with a lower risk of detection. Figure 5 shows the Microsoft Defender exclusion configuration.

Figure 5: Windows Defender Exclusion

Payload Execution & Persistence

The PowerShell script follows a series of stealth-oriented steps to maintain persistence and evade detection. After downloading its components, it attempts to launch the dropped executable with elevated privileges. If elevation is denied, it silently runs the payload in the background using the Start-Process cmdlet. Both the .exe and .ps1 files are marked as hidden and excluded from Microsoft Defender scans via the Add-MpPreference cmdlet. To evade sandbox-based detection, the script introduces a randomized delay of 10 to 30 seconds using Start-Sleep, reducing the likelihood of being flagged by automated analysis environments that monitor only brief execution periods. For persistence, it creates a scheduled task that runs the PowerShell script at user logon with a hidden window and the execution policy bypassed. This ensures the malware runs automatically after each reboot while remaining concealed from the user.

When the executable is launched, it injects its malicious code into msbuild.exe, a trusted Windows process often abused to evade detection. The injected code carries out all subsequent malicious activity associated with the Vidar stealer. As part of this execution chain, the code running inside msbuild.exe launches a PowerShell command containing a Base64-encoded payload. Once decoded, the PowerShell script reveals in-memory process injection functionality: it dynamically compiles a C# helper class in memory using the Add-Type cmdlet. The compiled class uses the Windows API calls OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread() to inject a second-stage payload into a designated target process, enabling stealthy execution without writing the payload to disk, as shown in Figure 7.
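Every loader and injector behaviour described in this section leaves text in PowerShell script block logs (Event ID 4104), which is where a defender can catch it. The triage logic below is an added example written for this report, not code from the report or from Vidar: the indicator names and thresholds are choices made here, and the sample log entries are constructed fragments shaped like the scripts described above, with the actual code replaced by "...".

```python
import re

# Loader and injector behaviours the report describes, as regexes over the
# ScriptBlockText field of PowerShell script block logs (Event ID 4104).
# re.S lets a behaviour that spans several lines of the block still match;
# the names on the left are labels chosen for this example.
INDICATORS = {
    "amsi_bypass":        re.compile(r"AmsiUtils.*?amsiInitFailed", re.I | re.S),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "hidden_guid_dir":    re.compile(r"\[guid\]::NewGuid\(\)\.ToString\(['\"]N['\"]\)", re.I),
    "hidden_attribute":   re.compile(r"Set-ItemProperty.*?Attributes.*?Hidden", re.I | re.S),
    "sandbox_sleep":      re.compile(r"Start-Sleep.*?Get-Random", re.I | re.S),
    "logon_task":         re.compile(r"(Register-ScheduledTask|schtasks).*?(AtLogOn|/sc\s+onlogon)", re.I | re.S),
    "hidden_bypass_args": re.compile(r"-WindowStyle\s+Hidden.*?-ExecutionPolicy\s+Bypass", re.I | re.S),
    "inmemory_injection": re.compile(r"Add-Type.*?(VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)", re.I | re.S),
}


def match_indicators(script_text: str) -> list:
    """Sorted names of every indicator present in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))


def verdict(script_text: str) -> str:
    """Triage one script block.  AMSI tampering and injection primitives have no
    legitimate use in user scripts, and three or more loader traits together are
    the pattern the report describes; a lone Defender exclusion, or a hidden
    window with the execution policy bypassed, is an admin action worth a look."""
    hits = set(match_indicators(script_text))
    if hits & {"amsi_bypass", "inmemory_injection"} or len(hits) >= 3:
        return "malicious"
    if hits & {"defender_exclusion", "hidden_bypass_args"} or len(hits) == 2:
        return "suspicious"
    return "benign"


# Constructed sample log entries shaped like the scripts the report describes;
# "..." marks code deliberately left out of the samples.
SAMPLE_LOADER = r"""
$dir = Join-Path $env:LOCALAPPDATA ([guid]::NewGuid().ToString('N'))
... Invoke-WebRequest -UserAgent 'PowerShell' -OutFile (Join-Path $dir ...) ...
Set-ItemProperty -Path $dir -Name Attributes -Value ([IO.FileAttributes]::Hidden)
... GetType('System.Management.Automation.AmsiUtils') ... GetField('amsiInitFailed', ...) ...
Add-MpPreference -ExclusionPath $dir
Start-Sleep -Seconds (Get-Random -Minimum 10 -Maximum 30)
Register-ScheduledTask -TaskName ... -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Action (New-ScheduledTaskAction -Execute powershell.exe -Argument '-WindowStyle Hidden -ExecutionPolicy Bypass -File ...')
"""
SAMPLE_INJECTOR = r"""
Add-Type -TypeDefinition $source   # $source declares OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
"""
SAMPLE_ADMIN = r"""
Add-MpPreference -ExclusionPath 'C:\Builds\cache'
Write-Host 'Defender exclusion added for the CI build cache'
"""
```

Matching on logged script text rather than on file hashes is what survives the randomized GUID names and the AMSI bypass, since script block logging records the decoded text even when AMSI has been disabled for that process.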
Figure 6: Payload Execution and Persistence

CryptProtectMemory API Hijacking for Credential Theft

The malware hooks the CryptProtectMemory API so that it can intercept and steal sensitive data whenever a legitimate program, such as a web browser, asks to encrypt it. Many modern browsers (such as Chrome and Edge) use CryptProtectMemory to protect passwords, cookies, and authentication tokens held in memory. By hijacking this function, the malware inserts its own code into the call path: when the browser calls CryptProtectMemory to encrypt sensitive data, the malware's hook runs first, copies the raw, unencrypted data, and sends it through a named pipe to another component of the malware before letting the encryption proceed. The malware therefore steals passwords and session tokens from the browser without breaking any encryption, because it captures the data before it is encrypted. This approach is stealthy, efficient, and very hard to detect.

As observed in the de-obfuscated PowerShell script (Figure 7), the injection targets a remote process with PID 9576, which in this case corresponds to msedge.exe. After obtaining access to the target process, the script loads a secondary payload previously dropped in the %TEMP% directory under the name tmp7E4B.tmp. This secondary payload is shellcode that loads an embedded DLL directly into memory. Once running, the DLL patches the legitimate function, replacing its entry with a custom malicious implementation. This lets the malware intercept cryptographic operations and extract sensitive information without triggering standard security controls.

Figure 7: De-obfuscated PowerShell

The malware performs the following steps to hook CryptProtectMemory():

1. It dynamically loads the crypt32.dll library and resolves the address of CryptProtectMemory() using LoadLibraryA() and GetProcAddress().
2. Once the address of the target function is resolved, it copies the first 14 bytes of the function's prologue (Figure 8). These original bytes are stored so they can be restored later.
3. It changes the memory protection of the function with VirtualProtect() to PAGE_EXECUTE_READWRITE, allowing the prologue to be overwritten.
4. It overwrites the prologue bytes with a custom inline hook: a small jump stub that redirects execution to attacker-controlled code (Figure 9).

Figure 8: Extraction of Function Prologue Bytes from CryptProtectMemory
Figure 9: Trampoline Hook Implementation
Figure 10: Named Pipe IPC

The redirection is implemented as a 64-bit trampoline. It starts with the opcode 0xB848 (mov rax, imm64), followed by the absolute address of the malware's hook routine sub_180001000. That address is split into individual bytes using bitwise right-shift operations and written sequentially into memory. The stub ends with the instruction sequence 0xFFE09090 (shown by the decompiler as the signed value -1869553409), which corresponds to jmp rax followed by NOP padding, commonly used to maintain instruction alignment when overwriting the original function. The DLL invokes VirtualProtect to set the target region to PAGE_EXECUTE_READWRITE before making the modification. When control is transferred to the malicious function sub_180001000, it intercepts the sensitive data passed to CryptProtectMemory().
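The stub just described has a fixed 14-byte shape, so a defender can read the first bytes of the exported function from a live process and test them against it. The check below is an added example, not code from the report: the sample prologues and the crypt32.dll module range are constructed here, and the only value taken from the report is the hook target 0x180001000 (sub_180001000).

```python
# Inline-hook check for the 14-byte trampoline the report describes:
#   48 B8 <imm64>   mov rax, imm64   (the 0xB848 opcode, read little-endian)
#   FF E0           jmp rax
#   90 90           nop; nop         (padding to reach 14 bytes)
MOV_RAX_IMM64 = b"\x48\xb8"
JMP_RAX = b"\xff\xe0"
NOP_PAD = b"\x90\x90"
STUB_LEN = 14


def trampoline_target(prologue: bytes):
    """Absolute jump target if the prologue begins with the stub, else None.
    The imm64 is reassembled little-endian, the inverse of the right-shift
    byte splitting the DLL uses when it writes the address."""
    if len(prologue) < STUB_LEN or prologue[:2] != MOV_RAX_IMM64:
        return None
    if prologue[10:12] != JMP_RAX or prologue[12:14] != NOP_PAD:
        return None
    return sum(b << (8 * i) for i, b in enumerate(prologue[2:10]))


def classify_prologue(prologue: bytes, module_base: int, module_size: int) -> str:
    """'clean' when no stub is present, 'hooked' when the stub jumps outside the
    module that exports the function, 'intra_module' when the target stays
    inside it (a hot-patch style redirection, not this malware's pattern)."""
    target = trampoline_target(prologue)
    if target is None:
        return "clean"
    if module_base <= target < module_base + module_size:
        return "intra_module"
    return "hooked"


def scan_exports(prologues: dict, module_base: int, module_size: int) -> dict:
    """Classify the first STUB_LEN bytes of several exports read from a live
    process, e.g. CryptProtectMemory and CryptUnprotectMemory together."""
    return {name: classify_prologue(p, module_base, module_size)
            for name, p in prologues.items()}


# Constructed samples.  HOOKED_PROLOGUE jumps to 0x180001000, the address the
# report gives for the hook routine sub_180001000.  CLEAN_PROLOGUE is a typical
# x64 function start (mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rbx,rcx ;
# mov r8,rdx), not CryptProtectMemory's real bytes.  The module range is invented.
HOOKED_PROLOGUE = MOV_RAX_IMM64 + (0x180001000).to_bytes(8, "little") + JMP_RAX + NOP_PAD
CLEAN_PROLOGUE = bytes.fromhex("48895c2408 57 4883ec20 488bd9 4c8bc2")
CRYPT32_BASE, CRYPT32_SIZE = 0x7FFB1A000000, 0x1A0000

if __name__ == "__main__":
    print(scan_exports({"CryptProtectMemory": HOOKED_PROLOGUE,
                        "CryptUnprotectMemory": CLEAN_PROLOGUE},
                       CRYPT32_BASE, CRYPT32_SIZE))
```

Because the DLL restores the original prologue after each capture (described below), a single snapshot can miss the hook; comparing the live bytes against the on-disk crypt32.dll image, or sampling while a browser is actively encrypting data, is more reliable than a one-off read.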
Since browsers often use this API to encrypt sensitive information such as credentials and cookies, the malicious function gains access to that data before it is encrypted. It then creates a named pipe (\\.\pipe\test), connects to it, and transmits the captured data through the pipe to a listening component, as shown in Figure 10.

After transmitting the captured data, the hook logic restores the original function prologue (Figure 11). It first uses VirtualProtect() to make the target function writable, then copies back the original 14-byte prologue, removing the hook, and finally resets the memory protection to its original state.

Figure 11: Restoring Trampoline to Original State

Dead Drop Resolver Technique

Vidar Stealer retrieves its C2 server details using a dead drop resolver mechanism. Instead of hardcoding the C2 addresses in the binary, the malware fetches them from seemingly benign sources such as Steam and Telegram profiles, as shown in Figures 12 and 13.

Figure 12: Active Telegram Channel Used as Dead Drop Resolver
Figure 13: Live Steam Profile

Collection

Vidar targets sensitive data on infected machines. It steals browser passwords, cookies, and autofill data, as well as credentials from FTP and email applications. The malware also extracts cryptocurrency wallet files and authentication tokens from messaging and gaming platforms. Additionally, it searches for documents and sensitive files on the system and captures screenshots.

Figure 14 shows the malicious msbuild.exe process enumerating directories related to cryptocurrency wallets such as Bitcoin, Electrum, and Blockstream. The same process is also observed accessing the "Local State" files of Chromium-based browsers including Brave, CocCoc, Vivaldi, Cent Browser, Microsoft Edge, and Chrome (Figure 15); these files store sensitive metadata, including encryption keys.

Figure 14: Vidar Targeting Cryptocurrency Wallets
Figure 15: Browser Local State File Access

Exfiltration

Figure 16 shows Vidar Stealer harvesting sensitive data from Chromium-based browsers such as Chrome, Edge, Opera, and Brave, targeting stored artifacts such as cookies, credentials, browsing history, and encryption keys. After collecting data from the victim's machine, Vidar Stealer exfiltrates the stolen information to its C&C server over a TLS-encrypted connection to evade detection. The network communication typically uses multipart/form-data POST requests with randomized boundary strings, embedding Base64-encoded filenames along with the file data, as shown in Figure 17.

Figure 16: Harvesting Browser Sensitive Information
Figure 17: Exfiltration over C2

Figure 18 shows the Base64-decoded contents of the MicrosoftEdge_Default_passwords.db file, de-obfuscated using CyberChef. This file was exfiltrated by the Vidar stealer and contains stored browser credentials.

Figure 18: Decoded Microsoft Edge Database File

Conclusion

The Vidar Stealer campaign demonstrates a highly evolved and modular approach to credential theft and data exfiltration. Its use of staged payload delivery, AMSI bypass, Defender exclusions, process injection, API hooking, and encrypted exfiltration channels highlights its ability to evade both signature-based and behavioral defenses.
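The encrypted exfiltration channel summarized above is still inspectable where TLS is terminated, for example at the Secure Web Gateway discussed in the next section. The parser below is an added example, not code from the report: it takes a multipart/form-data body of the shape the Exfiltration section describes, decodes the Base64 filename, and flags uploads that look like stolen browser or wallet data. The boundary, the request body and the name patterns are constructed here; only the filename MicrosoftEdge_Default_passwords.db comes from the report.

```python
import base64
import binascii
import re

# Constructed capture shaped like the POST body the report describes: a random
# boundary, a Base64-encoded filename and the raw stolen file.
BOUNDARY = "----7c1f2a9e4b0d"                     # stands in for a randomized boundary
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
ENCODED_NAME = base64.b64encode(b"MicrosoftEdge_Default_passwords.db").decode()
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="file"; filename="{ENCODED_NAME}"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
).encode() + b"SQLite format 3\x00" + bytes(16) + f"\r\n--{BOUNDARY}--\r\n".encode()

# Decoded filenames that point at the artifacts the report lists as targets.
SENSITIVE_NAME = re.compile(r"password|login data|cookie|web data|local state|history|wallet", re.I)


def boundary_from_content_type(content_type: str):
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def decode_filename(raw: str) -> str:
    """Undo the Base64 filename encoding; anything that is not valid Base64 or
    does not decode to printable UTF-8 is returned unchanged."""
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
        return text if text.isprintable() else raw
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return raw


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart body into parts and describe each uploaded file."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                       # closing "--boundary--"
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")  # skip CRLF after delimiter
        if data.endswith(b"\r\n"):                        # CRLF before next delimiter is not payload
            data = data[:-2]
        disposition = ""
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                disposition = line.decode("latin-1")
        fields = dict(re.findall(r'(\w+)="([^"]*)"', disposition))
        filename = decode_filename(fields.get("filename", ""))
        parts.append({"name": fields.get("name"), "filename": filename, "size": len(data),
                      "sqlite": data.startswith(b"SQLite format 3\x00"),
                      "sensitive": bool(SENSITIVE_NAME.search(filename))})
    return parts


def exfil_alerts(body: bytes, content_type: str) -> list:
    """Filenames in one request that look like stolen browser or wallet data."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return []
    return [p["filename"] for p in parse_multipart(body, boundary)
            if p["sensitive"] or p["sqlite"]]
```

The SQLite magic check catches a browser database even when the sender renames it, which is the failure mode a filename-only rule misses.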
By dynamically retrieving C2 infrastructure and targeting a broad range of sensitive artifacts—from browser credentials to cryptocurrency wallets—Vidar poses a significant risk to both individual users and enterprise environments. Effective mitigation requires a layered defense strategy, including strict PowerShell execution policies, enhanced process monitoring, network anomaly detection, and timely threat intelligence updates.

How Unified SASE as a Service Helps Disrupt Vidar Infostealer

In a Unified SASE deployment, multiple layers work together to disrupt Vidar's operations from the outset. DNS filtering blocks access to known malicious domains before the malware can download payloads or resolve its C2 locations. The Secure Web Gateway (SWG) inspects all outbound HTTP(S) traffic, identifying and stopping suspicious POST requests to untrusted endpoints. At the same time, the next-generation firewall (NGFW) applies application-aware policies to prevent unauthorized communications. IDS/IPS capabilities detect anomalies in network flows and flag unusual traffic originating from processes, helping security teams quickly identify compromised hosts. Endpoint anti-malware integrates into the SASE control plane to quarantine payloads, block PowerShell AMSI bypass attempts, and prevent the execution of hidden or excluded files. User posture checks enforce Zero Trust access, ensuring that only healthy and compliant devices can connect to sensitive resources. Together, these defenses create a coordinated, always-on barrier that intercepts Vidar at delivery, disrupts its command-and-control, and blocks data exfiltration—without relying solely on endpoint detection.

Proofpoint has also contributed signatures addressing this threat, strengthening protection against Vidar:

2064008 - ET MALWARE Observed DNS Query to Vidar Stealer Domain
2064009 - ET MALWARE Observed Vidar Stealer Domain
2064010 - ET MALWARE Vidar Stealer User-Agent Observed

Source: https://community.emergingthreats.net/t/ruleset-update-summary-2025-08-14-v10993/2978

Appendices

Appendix A: Indicators of Compromise

SHA256 / Indicator | Description
2e125cbd809e8460adb65185a45b526f65172a8536e5bb4e42fddea29e9ceeed | Vidar binary
5b77a0a4c8433f33f01c00a21f0a6f12d232c913b73e4070eb2f77e034a4a488 | tmpE55F.tmp
63cd5cc0fc20c1d19f7639e4016b77da438dcd4d1b2e94145a496fda70d2ed1c | Malicious PowerShell script
https://t.me/dz25gz | Telegram channel
https://steamcommunity.com/profiles/76561199880530249 | Steam profile
tl.dr.softlinko.com | C&C server

Appendix B: Mapping MITRE ATT&CK® Matrix

Tactic | Technique | Technique Name
Initial Access | T1566.001 | Spearphishing Attachment
Initial Access | T1189 | Drive-by Compromise
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Persistence | T1547.001 | Registry Run Keys / Startup Folder
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1218 | Signed Binary Proxy Execution (e.g., msbuild.exe)
Credential Access | T1555.003 | Credentials from Web Browsers
Discovery | T1082 | System Information Discovery
Collection | T1056 | Input Capture
Exfiltration | T1041 | Exfiltration Over C2 Channel
Command and Control | T1573.001 | Encrypted Channel
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols

About Aryaka Networks

Aryaka is the leader in delivering Unified SASE as a Service, a fully integrated solution combining networking, security, and observability. Built for the demands of Generative AI as well as today's multi-cloud hybrid world, Aryaka enables enterprises to transform their secure networking to deliver uncompromised performance, agility, simplicity, and security. Aryaka's flexible delivery options empower businesses to choose their preferred approach for implementation and management. Hundreds of global enterprises, including several in the Fortune 100, depend on Aryaka for their secure networking solutions. For more on Aryaka, please visit www.aryaka.com.