{
	"id": "60db2930-4d3d-4101-aa43-90d4316742c5",
	"created_at": "2026-04-06T00:21:33.584237Z",
	"updated_at": "2026-04-10T03:21:24.657794Z",
	"deleted_at": null,
	"sha1_hash": "fac1cf304672d741a089ae01814f3a603714c486",
	"title": "Vidar Stealer Exploiting Various Platforms - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1416510,
	"plain_text": "Vidar Stealer Exploiting Various Platforms - ASEC\r\nBy ATCP\r\nPublished: 2022-12-12 · Archived: 2026-04-05 19:05:16 UTC\r\nVidar malware is one of the most active infostealers, and its distribution has been increasing significantly. One of its characteristics is the use of well-known platforms such as Telegram and Mastodon as an intermediary C2. The link below is a post about a case where malicious behaviors were performed using Mastodon.\r\nEven afterward, Vidar saw continuous version updates while actively being distributed. In the recent samples in circulation, other platforms such as Steam and TikTok were used in addition to Telegram and Mastodon. This post covers the details of these cases.\r\nWhen a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated. Threat actors write an identifier string and the C2 address in parts of this page.\r\nWhen the malware is executed, it accesses the threat actor’s account page, searches for the identifier string, and extracts the C2 address. It then performs its malicious behaviors while communicating with this C2 server.\r\nSuch public platform URLs are difficult to block with security solutions. Even if the threat actor’s C2 server is blocked, setting up a new C2 server and editing the account page allows all previously distributed malware to communicate with the new C2 server.\r\nThe exploited services share a common trait: it is comparatively easy to create an account on these platforms. The following are pages that were recently abused by Vidar.\r\nhttps://asec.ahnlab.com/en/44554/\r\nPage 1 of 7\r\nThe last screenshot is the threat actor’s account on Ultimate Guitar. Multiple samples exploiting this platform have been collected, but unfortunately, we could not obtain a screenshot with the actual C2 information. The C2 address connected during collection was 116.202.2[.]1/1707.\r\nUpon execution, the strings used in its behaviors are decrypted. While it is a simple XOR scheme, there is a large amount of garbage code that calls string-modifying functions with the dummy text “Lorum ipsum” as the argument. The strings and functions used differ slightly with each sample. This is deemed to be for the purpose of altering the read-only data section or making it difficult to find the string that identifies the malware in process memory.\r\nThe computer name and username are checked. If they are found to be “HAL9TH” and “JohnDoe” respectively, the malware ceases to function and shuts down immediately. These are the names known to be used by the Windows Defender emulator, and this code seems to serve the purpose of bypassing that feature.\r\nAfter the above preliminary processes are complete, the malware attempts to connect to the threat actor’s account page to download the C2 address. Samples currently in distribution each include two platform account addresses and one actual C2 server URL. These URLs are hard-coded in the binary, and connection attempts are made in order until the actual C2 address is successfully found.\r\nThe malware searches the account page’s source for the identifier. The string from the character after the identifier to the character before “|” becomes the C2. The identifier is different for each sample and is hard-coded like the C2 address. The identifier in this sample is “disqo” and the C2 address is 142.132.236.84.\r\nDuring the initial connection to the C2 server, the information (settings) data on malicious behaviors is received, then the various library files needed for these behaviors are downloaded. In the past, each file was downloaded separately, but the recently distributed samples mostly download these files as a single compressed archive before unpacking them in memory and using them.\r\nThe C2 response includes the activation status of certain features, token values, the target directory, and file extensions. This shows that no drastic changes have been made since past versions, so the previous blog post should provide sufficient information on this. The hex value added in the middle of the feature settings flags is a random token value assigned by the C2.\r\nhttps://asec.ahnlab.com/en/17633/\r\nThe behavior changes according to the C2’s settings response, but various information can be targeted for theft, including browser data (accounts, passwords, history, cookies, etc.), cryptocurrency wallets, document files (file extensions defined by the threat actor), screenshot images, and system information.\r\nAfter information collection is complete, the stolen information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server. There is a slight difference from past versions in the process of sending the data to the C2 server.\r\nWhile previous samples sent the compressed file data in plain text, recent samples send it after encoding it in Base64. Additionally, the HTTP data in transmission was simplified in the recent version. The version information of the malware was also omitted, and the malware’s version can only be identified by checking the information.txt file in the compressed archive or by checking the hard-coded value in the binary.\r\nThere is also a newly added feature: the malware receives a random token value as a reply during the initial C2 connection, and when the stolen information is sent, it transmits this value as a “token.” This is deemed to be for verifying the infected PC and the stolen information.\r\nAmong the data in the stolen information files, there was also a slight change to the date format and the method of creating the HWID. According to this file, the version of the recently distributed sample is 56.1.\r\nAs Vidar uses well-known platforms as its intermediary C2, it has a long lifespan. A threat actor’s account created six months ago is still being maintained and continuously updated. Users must practice caution because Vidar is actively being distributed disguised as software or cracks.\r\nAhnLab’s detection names for the malware are as follows.\r\nTrojan/Win.Injection.C5318441 (2022.12.01.02)\r\nInfostealer/Win.Vidar.C5317169 (2022.12.13.01)\r\nInfostealer/Win.Vidar.C533928 (2022.11.11.01)\r\nInfostealer/Win.Vidar.C5308808 (2022.11.19.00)\r\nInfostealer/Win.Generic.C5308804 (2022.11.19.00) and more\r\nMD5\r\n0b9a0f37d63b0ed9ab9b662a25357962\r\n256594282554abed80536e48f384d2e8\r\n483ec112df6d0243dbb06a9414b0daf6\r\na46f7096a07285c6c3fdfdf174c8a8b0\r\nce1eb73f52efe56356ee21b9c4c4c6c4\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//mas[.]to/@ofadex\r\nhttp[:]//steamcommunity[.]com/profiles/76561199436777531\r\nhttp[:]//steamcommunity[.]com/profiles/76561199439929669\r\nhttp[:]//steamcommunity[.]com/profiles/76561199441933804\r\nhttp[:]//www[.]tiktok[.]com/@user6068972597711\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/44554/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/44554/"
	],
	"report_names": [
		"44554"
	],
	"threat_actors": [],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fac1cf304672d741a089ae01814f3a603714c486.pdf",
		"text": "https://archive.orkl.eu/fac1cf304672d741a089ae01814f3a603714c486.txt",
		"img": "https://archive.orkl.eu/fac1cf304672d741a089ae01814f3a603714c486.jpg"
	}
}