Vidar v1.5 in Go: same family, new language, heavy sandbox checks

216.73.217.22

Vidar v1.5 in Go: same family, new language, heavy sandbox checks

· Published 18/05/2026 19:03 · Modified 18/05/2026 19:26

Essential information

Published: 18/05/2026 19:03
Modified: 18/05/2026 19:26
Tags: .net 2026-05-18 av kill botnet crypto infostealer sandbox steam telegram vidar win64
Related entities: 4 observables, 1 techniques (mitre), 1 malware

Description

Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush.

External references

https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
https://otx.alienvault.com/pulse/6a0b62751c0e2c5b056102a8