{
  "name": "Vidar v1.5 in Go: same family, new language, heavy sandbox checks",
  "slug": "vidar-v15-in-go-same-family-new-language-heavy-sandbox-checks",
  "description": "Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush.",
  "published": "2026-05-18T17:03:16+00:00",
  "created_at": "2026-05-18T17:03:16+00:00",
  "modified_at": "2026-05-18T17:26:15+00:00",
  "created_at_opencti": "2026-05-18T17:03:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    ".net",
    "2026-05-18",
    "av kill",
    "botnet",
    "crypto",
    "infostealer",
    "sandbox",
    "steam",
    "telegram",
    "vidar",
    "win64"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://142.250.151.94:80"
      },
      {
        "id": "",
        "name": "http://135.181.237.59:443"
      },
      {
        "id": "",
        "name": "http://149.154.167.99:443"
      },
      {
        "id": "",
        "name": "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105"
      }
    ],
    "malware": [
      {
        "id": "2c582ed8-35df-4ef9-917d-994e214aa5f9",
        "name": "Vidar",
        "slug": "vidar"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      }
    ]
  },
  "external_refs": [
    "https://www.derp.ca/research/vidar-go-sandbox-dead-drop/",
    "https://otx.alienvault.com/pulse/6a0b62751c0e2c5b056102a8"
  ]
}