Vidar Infostealer Being Spread through Phishing Emails
Vidar is a Malware-as-a-Service infostealer active since 2018, currently distributed via phishing emails targeting Korea in early 2026. The phishing emails impersonate job applications and copyright infringement notices, delivering executables disguised as Word documents. Vidar uses advanced techniques such as a Go-based packer, Dead Drop Resolver via Telegram and Steam profiles for command and control, and anti-debugging and anti-VM measures. It steals a wide range of sensitive data including browser credentials, cookies, cryptocurrency wallets, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. Configuration is dynamically downloaded in JSON format, guiding data collection based on flags and conditions.
AI Analysis
Technical Summary
Vidar infostealer campaigns in the first half of 2026 continue targeting Korean users through phishing emails with malicious attachments masquerading as Word documents. The malware employs a Go-based packer and uses Dead Drop Resolver techniques leveraging Telegram and Steam profiles to retrieve command and control addresses. It incorporates anti-debugging and anti-VM techniques to evade analysis. Vidar exfiltrates extensive sensitive information such as browser credentials, cookies, browsing history, cryptocurrency wallet data, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. The malware downloads configuration data in JSON format to control its data collection activities based on received flags and additional conditions. No CVE or patch information is available, and no known exploits in the wild are reported.
Potential Impact
Successful infection results in theft of a broad spectrum of sensitive user data including authentication credentials for browsers, cryptocurrency wallets, communication platforms (Discord, Telegram), gaming accounts (Steam), cloud services (Azure), and screenshots. This data theft can lead to account compromise, financial loss, privacy violations, and further targeted attacks. The malware’s use of anti-analysis techniques complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or fix is available for this malware as it is distributed via phishing campaigns rather than exploiting software vulnerabilities. Mitigation should focus on user awareness to avoid opening suspicious email attachments, especially those disguised as Word documents but are executables. Employ email filtering and endpoint protection solutions capable of detecting and blocking Vidar-related indicators such as known malicious domains and file hashes. Monitor for indicators of compromise provided by threat intelligence sources. Since this is not a software vulnerability, patching is not applicable.
Indicators of Compromise
- domain: lat.sodstreams.com
- domain: gor.emiraride.com
- domain: ctl.it-bd.com
- domain: gre.syslicense.net
- domain: frr.ambil-disini.web.id
- hash: 0b8af4afd26175ba818c0fdb4622bf14
- hash: 1bbf1e83eea55e70d59f0d633789011e
- hash: 2fba9ec34fdf4b1584dd9c69b9ec9393
- hash: 4e885b1a0c1d0636e940b4af20fdc8db
- hash: 536dd0b0f6dff75dc01869df9809df61
- hash: 7dd16d1018865e5e817c418f87e6be00
- hash: 6eaf8f8cfc9161c6a287d0a1ce8ab436d14cfcad
- hash: 87cb13512daff0f4e1783a59af449336b6e010e4
- hash: bea391c7ef1665bc33712deee1109812fc606cc6
- hash: 340820f7f4c97e3a2477bc99acf746e13b2c92719ebf5c9947a62eef7ec0dddb
- hash: cff8b04f2c8ed63d37fd393ad23652a8b818e80b03851d7c1bd5842963a03348
- hash: e8e7faa5e76dc773ffb1a7a6be36a47cc84e3ed45b928859b570332757cdb6cb
Vidar Infostealer Being Spread through Phishing Emails
Description
Vidar is a Malware-as-a-Service infostealer active since 2018, currently distributed via phishing emails targeting Korea in early 2026. The phishing emails impersonate job applications and copyright infringement notices, delivering executables disguised as Word documents. Vidar uses advanced techniques such as a Go-based packer, Dead Drop Resolver via Telegram and Steam profiles for command and control, and anti-debugging and anti-VM measures. It steals a wide range of sensitive data including browser credentials, cookies, cryptocurrency wallets, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. Configuration is dynamically downloaded in JSON format, guiding data collection based on flags and conditions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Vidar infostealer campaigns in the first half of 2026 continue targeting Korean users through phishing emails with malicious attachments masquerading as Word documents. The malware employs a Go-based packer and uses Dead Drop Resolver techniques leveraging Telegram and Steam profiles to retrieve command and control addresses. It incorporates anti-debugging and anti-VM techniques to evade analysis. Vidar exfiltrates extensive sensitive information such as browser credentials, cookies, browsing history, cryptocurrency wallet data, Discord and Telegram tokens, Steam data, Azure credentials, and screenshots. The malware downloads configuration data in JSON format to control its data collection activities based on received flags and additional conditions. No CVE or patch information is available, and no known exploits in the wild are reported.
Potential Impact
Successful infection results in theft of a broad spectrum of sensitive user data including authentication credentials for browsers, cryptocurrency wallets, communication platforms (Discord, Telegram), gaming accounts (Steam), cloud services (Azure), and screenshots. This data theft can lead to account compromise, financial loss, privacy violations, and further targeted attacks. The malware’s use of anti-analysis techniques complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or fix is available for this malware as it is distributed via phishing campaigns rather than exploiting software vulnerabilities. Mitigation should focus on user awareness to avoid opening suspicious email attachments, especially those disguised as Word documents but are executables. Employ email filtering and endpoint protection solutions capable of detecting and blocking Vidar-related indicators such as known malicious domains and file hashes. Monitor for indicators of compromise provided by threat intelligence sources. Since this is not a software vulnerability, patching is not applicable.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://asec.ahnlab.com/en/94363/"]
- Adversary
- null
- Pulse Id
- 6a4f85b7629d0335b2a22436
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainlat.sodstreams.com | — | |
domaingor.emiraride.com | — | |
domainctl.it-bd.com | — | |
domaingre.syslicense.net | — | |
domainfrr.ambil-disini.web.id | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash0b8af4afd26175ba818c0fdb4622bf14 | — | |
hash1bbf1e83eea55e70d59f0d633789011e | — | |
hash2fba9ec34fdf4b1584dd9c69b9ec9393 | — | |
hash4e885b1a0c1d0636e940b4af20fdc8db | — | |
hash536dd0b0f6dff75dc01869df9809df61 | — | |
hash7dd16d1018865e5e817c418f87e6be00 | — | |
hash6eaf8f8cfc9161c6a287d0a1ce8ab436d14cfcad | — | |
hash87cb13512daff0f4e1783a59af449336b6e010e4 | — | |
hashbea391c7ef1665bc33712deee1109812fc606cc6 | — | |
hash340820f7f4c97e3a2477bc99acf746e13b2c92719ebf5c9947a62eef7ec0dddb | — | |
hashcff8b04f2c8ed63d37fd393ad23652a8b818e80b03851d7c1bd5842963a03348 | — | |
hashe8e7faa5e76dc773ffb1a7a6be36a47cc84e3ed45b928859b570332757cdb6cb | — |
Threat ID: 6a4f9c6568715ace4365dd02
Added to database: 07/09/2026, 13:04:37 UTC
Last enriched: 07/09/2026, 13:17:32 UTC
Last updated: 07/09/2026, 20:14:17 UTC
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.