Vidar Infostealer Being Spread through Phishing Emails
Essential information
- Published
- 09/07/2026 13:27
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser credential theft cryptocurrency theft dead drop resolver discord infostealer phishing steam telegram vidar
- Related entities
- 8 indicators, 5 observables, 20 techniques (mitre), 1 malware
Description
Vidar, a Malware-as-a-Service infostealer first identified in 2018, continues to be distributed through phishing campaigns targeting Korea in the first half of 2026. The threat actor uses phishing emails disguised as job applications and copyright infringement notices, with attachments appearing as Word documents but actually being executables. Vidar employs a Go-based packer, uses Dead Drop Resolver technique via Telegram and Steam profiles to obtain C&C addresses, and implements anti-debugging and anti-VM techniques. The infostealer exfiltrates sensitive information including browser credentials, cookies, browsing history, cryptocurrency wallet data, Discord tokens, Telegram information, Steam data, Azure credentials, and screenshots. Configuration information is downloaded in JSON format, and data collection is performed based on received flags and additional downloaded conditions.