Vidar v1.5 is a new iteration of the Vidar infostealer malware family, rewritten in Go rather than .NET or C++. This version includes advanced sandbox evasion via a twelve-category scoring system and uses unconventional dead-drop C2 communication through Telegram and Steam profile pages. It continues the family’s focus on stealing browser credentials and cryptocurrency wallets. The malware is a 7 MB native PE compiled with Go 1.25.4 and contains extensive cryptographic primitives. No CVE or vendor patch information is available, and no known active exploitation has been reported. Indicators such as IP addresses, URLs, and file hashes are provided for detection.

Vidar v1.5 can steal sensitive information including browser credentials and cryptocurrency wallets, potentially leading to unauthorized access and financial loss. Its advanced sandbox evasion techniques may reduce the effectiveness of automated malware analysis and detection. The use of dead-drop C2 channels via Telegram and Steam profile pages complicates network detection and attribution. There is no indication of active widespread exploitation or targeted geographic impact at this time.

No official patch or vendor advisory is available for this malware. Mitigation should focus on detection and blocking using the provided indicators of compromise (IOCs), including file hashes and C2 URLs. Security teams should update endpoint detection and response (EDR) tools and network defenses to recognize these indicators. Monitoring for suspicious use of Telegram and Steam profile communications may also help identify infections. Since this is malware, standard malware removal procedures apply once detected. Patch status is not yet confirmed — check vendor advisories for updates.