Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Vidar Infostealer Being Spread through Phishing Emails

0
Medium
Published: 07/09/2026 (07/09/2026, 11:27:51 UTC)
Source: AlienVault OTX General

Description

Vidar is a Malware-as-a-Service infostealer active since 2018, currently distributed via phishing emails targeting Korea in early 2026. The phishing emails impersonate job applications and copyright infringement notices, delivering executables disguised as Word documents. Vidar uses advanced techniques such as a Go-based packer, Dead Drop Resolver via Telegram and Steam profiles for command and control, and anti-debugging and anti-VM measures. It steals a wide range of sensitive data including browser credentials, cookies, cryptocurrency wallets, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. Configuration is dynamically downloaded in JSON format, guiding data collection based on flags and conditions.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 13:17:32 UTC

Technical Analysis

Vidar infostealer campaigns in the first half of 2026 continue targeting Korean users through phishing emails with malicious attachments masquerading as Word documents. The malware employs a Go-based packer and uses Dead Drop Resolver techniques leveraging Telegram and Steam profiles to retrieve command and control addresses. It incorporates anti-debugging and anti-VM techniques to evade analysis. Vidar exfiltrates extensive sensitive information such as browser credentials, cookies, browsing history, cryptocurrency wallet data, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. The malware downloads configuration data in JSON format to control its data collection activities based on received flags and additional conditions. No CVE or patch information is available, and no known exploits in the wild are reported.

Potential Impact

Successful infection results in theft of a broad spectrum of sensitive user data including authentication credentials for browsers, cryptocurrency wallets, communication platforms (Discord, Telegram), gaming accounts (Steam), cloud services (Azure), and screenshots. This data theft can lead to account compromise, financial loss, privacy violations, and further targeted attacks. The malware’s use of anti-analysis techniques complicates detection and mitigation efforts.

Mitigation Recommendations

No official patch or fix is available for this malware as it is distributed via phishing campaigns rather than exploiting software vulnerabilities. Mitigation should focus on user awareness to avoid opening suspicious email attachments, especially those disguised as Word documents but are executables. Employ email filtering and endpoint protection solutions capable of detecting and blocking Vidar-related indicators such as known malicious domains and file hashes. Monitor for indicators of compromise provided by threat intelligence sources. Since this is not a software vulnerability, patching is not applicable.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://asec.ahnlab.com/en/94363/"]
Adversary
null
Pulse Id
6a4f85b7629d0335b2a22436
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainlat.sodstreams.com
domaingor.emiraride.com
domainctl.it-bd.com
domaingre.syslicense.net
domainfrr.ambil-disini.web.id

Hash

ValueDescriptionCopy
hash0b8af4afd26175ba818c0fdb4622bf14
hash1bbf1e83eea55e70d59f0d633789011e
hash2fba9ec34fdf4b1584dd9c69b9ec9393
hash4e885b1a0c1d0636e940b4af20fdc8db
hash536dd0b0f6dff75dc01869df9809df61
hash7dd16d1018865e5e817c418f87e6be00
hash6eaf8f8cfc9161c6a287d0a1ce8ab436d14cfcad
hash87cb13512daff0f4e1783a59af449336b6e010e4
hashbea391c7ef1665bc33712deee1109812fc606cc6
hash340820f7f4c97e3a2477bc99acf746e13b2c92719ebf5c9947a62eef7ec0dddb
hashcff8b04f2c8ed63d37fd393ad23652a8b818e80b03851d7c1bd5842963a03348
hashe8e7faa5e76dc773ffb1a7a6be36a47cc84e3ed45b928859b570332757cdb6cb

Threat ID: 6a4f9c6568715ace4365dd02

Added to database: 07/09/2026, 13:04:37 UTC

Last enriched: 07/09/2026, 13:17:32 UTC

Last updated: 07/09/2026, 20:14:17 UTC

Views: 70

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses