New version of Vidar infostealer spreads via fake CAPTCHAs, hides in JPEG and TXT files, uses fileless attacks and steals browser and crypto wallet data.
Point Wild has uncovered a sophisticated evolution of the Vidar infostealer, revealing that hackers are now embedding malicious code within seemingly harmless files such as JPEG images and text documents. The latest findings from the company’s Lat61 Threat Intelligence Team highlight how Vidar has transformed from a basic credential-stealing malware into a highly adaptable, multi-stage attack framework designed to evade traditional detection methods.
This new campaign underscores a growing shift toward social engineering tactics rather than exploiting technical vulnerabilities. Cybercriminals are increasingly targeting user behavior, using deceptive methods to trick individuals into initiating infections themselves. A notable example includes the misuse of the recent Claude Code source leak, where attackers create fake repositories on GitHub and present malicious downloads as free or modified versions of legitimate tools.
In addition to developer-focused attacks, threat actors are distributing malware through platforms like Reddit and Discord by offering fake video game cheats. Another tactic involves compromised WordPress websites displaying fraudulent CAPTCHA verification prompts, commonly referred to as ClickFix pages. These prompts instruct users to execute commands under the guise of verifying human activity, but instead trigger a multi-stage infection chain.
Once initiated, the attack progresses through a series of scripts, including VBScript and PowerShell, ultimately deploying a Go-based loader. This layered approach allows attackers to gradually establish control while maintaining a low profile within the system.
A key innovation in this latest Vidar variant is its use of steganography to conceal malicious payloads within standard image and text files. Files such as “160066.jpg” and various TXT documents are downloaded from attacker-controlled infrastructure and appear legitimate at first glance. However, they contain embedded Base64-encoded data that is later extracted and reconstructed into the final malware payload.
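A defender-side triage check for the carrier files described above, written as an added example (not Point Wild's tooling or any code from the report). It assumes the common layout in which the Base64 blob is appended after the JPEG End-Of-Image marker, or fills the whole body of a TXT file; it flags such a region when it decodes cleanly, and additionally reports whether the decoded bytes start with a PE ("MZ") header, since the reconstructed payload is later loaded in memory. It does not execute anything.

```python
import base64
import re
from typing import Optional

# Assumed carrier layout (not confirmed by the report): a valid JPEG with a
# Base64 blob appended after the End-Of-Image (FF D9) marker, or a TXT file
# whose whole body is one Base64 run. Both leave a region that decodes cleanly.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def suspicious_blob(data: bytes) -> bytes:
    """Region that should never carry Base64: the JPEG trailer, or the whole
    body for a non-JPEG file such as a .txt document."""
    if data.startswith(JPEG_SOI):
        end = data.rfind(JPEG_EOI)
        return data[end + 2:] if end >= 0 else b""
    return data


def decode_if_base64(blob: bytes, min_len: int = 64) -> Optional[bytes]:
    """Return the decoded bytes if `blob` is one long, clean Base64 run."""
    compact = re.sub(rb"\s+", b"", blob)
    if len(compact) < min_len or not B64_ALPHABET.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan(data: bytes) -> dict:
    """Triage verdict: does the file carry a Base64 payload, how large is it
    once decoded, and does the decoded blob start with a PE ('MZ') header."""
    decoded = decode_if_base64(suspicious_blob(data))
    return {
        "base64_payload": decoded is not None,
        "decoded_len": len(decoded) if decoded else 0,
        "pe_header": bool(decoded and decoded.startswith(b"MZ")),
    }


# Constructed samples only; none of these are real campaign artifacts.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-NOT-A-REAL-PE" * 2
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI
CARRIER_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PAYLOAD)
CARRIER_TXT = base64.b64encode(FAKE_PAYLOAD)

if __name__ == "__main__":
    for name, sample in [("clean.jpg", CLEAN_JPEG), ("carrier.jpg", CARRIER_JPEG),
                         ("notes.txt", CARRIER_TXT)]:
        print(name, scan(sample))
```

Camera JPEGs sometimes carry non-Base64 trailer bytes (thumbnails, metadata), which this heuristic ignores on purpose; a hit means a long, clean Base64 run, which is what merits a closer look.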
The malware also leverages Living-off-the-Land (LotL) techniques, abusing trusted Windows utilities like WScript, PowerShell, and RegAsm.exe to execute malicious operations. By blending into normal system processes, Vidar significantly reduces the likelihood of detection by conventional security tools.
Further enhancing its stealth, the malware employs .NET reflective loading to execute code directly in memory. This fileless execution method ensures that no malicious files are written to the disk, making forensic analysis and detection far more difficult for security teams.
Once active, Vidar focuses on large-scale data exfiltration. The malware is capable of stealing sensitive information from over 200 browser extensions across platforms like Google Chrome and Microsoft Edge. Its primary targets include cryptocurrency wallets, login credentials, and active session data, enabling attackers to gain unauthorized access to personal and financial accounts.
The stolen data is transmitted back to attacker-controlled servers using Telegram channels and Cloudflare-fronted domains, techniques that help obscure the attackers’ infrastructure and avoid detection.
Dr. Zulfikar Ramzan, head of the Lat61 Threat Intelligence Team at Point Wild, emphasized that the use of image files as covert carriers represents a significant advancement in malware delivery. He noted that threat actors are increasingly combining social engineering with advanced obfuscation techniques, including steganography and in-memory execution, to bypass traditional defenses.
The findings highlight the importance of user awareness in today’s threat landscape. Developers and general users alike are advised to avoid downloading tools from unverified sources, refrain from executing unfamiliar commands, and remain cautious of suspicious prompts or repositories that appear too good to be true.
As malware like Vidar continues to evolve, blending deception with advanced technical methods, organizations and individuals must adopt a more proactive approach to cybersecurity – one that prioritizes both behavioral awareness and advanced threat detection capabilities.