Vidar Stealer
What is Vidar Stealer?
Vidar StealerA long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures.
Vidar Stealer is a Windows information stealer first seen in late 2018, originally forked from the older Arkei family by a Russian-speaking actor. It remained one of the steadiest commodity stealers through 2024 despite the rise and fall of competitors. Vidar collects browser-stored credentials, cookies, autofill, and credit-card data from Chromium and Gecko browsers; crypto-wallet keystores and browser-extension data; Discord, Telegram, Steam and FTP sessions; arbitrary files matching operator-defined patterns; screenshots; and host fingerprinting. The C2 infrastructure is notable for hosting configuration on legitimate platforms (Telegram channels, Steam profile descriptions, Mastodon profile bios) so that a quick takedown of one C2 IP does not break the malware — a 'dead-drop resolver' pattern Vidar helped popularize. Distribution vectors include cracked software, fake installers, Google Ads malvertising, ClickFix fake-CAPTCHA pages, and YouTube SEO bait. Forks such as Mars Stealer and Aurora Stealer share much of Vidar's codebase.
● Examples
- 01
A Vidar sample fetches its current C2 IP by parsing a Steam profile description, then exfiltrates browser logs to that endpoint over plain HTTP.
- 02
A YouTube tutorial linking to a 'crack' installer drops Vidar via a SmartLoader stage, which in turn loads Lumma as a follow-on payload.
● Frequently asked questions
What is Vidar Stealer?
A long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures. It belongs to the Malware category of cybersecurity.
What does Vidar Stealer mean?
A long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures.
How does Vidar Stealer work?
Vidar Stealer is a Windows information stealer first seen in late 2018, originally forked from the older Arkei family by a Russian-speaking actor. It remained one of the steadiest commodity stealers through 2024 despite the rise and fall of competitors. Vidar collects browser-stored credentials, cookies, autofill, and credit-card data from Chromium and Gecko browsers; crypto-wallet keystores and browser-extension data; Discord, Telegram, Steam and FTP sessions; arbitrary files matching operator-defined patterns; screenshots; and host fingerprinting. The C2 infrastructure is notable for hosting configuration on legitimate platforms (Telegram channels, Steam profile descriptions, Mastodon profile bios) so that a quick takedown of one C2 IP does not break the malware — a 'dead-drop resolver' pattern Vidar helped popularize. Distribution vectors include cracked software, fake installers, Google Ads malvertising, ClickFix fake-CAPTCHA pages, and YouTube SEO bait. Forks such as Mars Stealer and Aurora Stealer share much of Vidar's codebase.
How do you defend against Vidar Stealer?
Defences for Vidar Stealer typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Vidar Stealer?
Common alternative names include: Vidar.
● Related terms
- malware№ 591
Info Stealer
Malware that harvests credentials, cookies, tokens, crypto wallets, and other sensitive data from an infected device and exfiltrates it to the attacker.
- malware№ 254
Credential Stealer
Malware focused specifically on extracting passwords, hashes, and authentication tokens from an infected system or its memory.
- malware№ 708
Lumma Stealer
A subscription-priced Russian-speaking malware-as-a-service info-stealer that emerged in 2022 and became one of the top-three stealers worldwide by 2024, distributed primarily via ClickFix lures and crack sites.
- malware№ 1014
RedLine Stealer
A subscription Windows info-stealer that dominated 2020–2023 cybercrime markets, harvesting browser secrets, crypto wallets, and FTP/VPN credentials; its infrastructure was disrupted by Operation Magnus in October 2024.
- malware№ 998
Raccoon Stealer
A long-running malware-as-a-service info-stealer first seen in 2019; its operator was arrested in 2022 and the project was restarted as Raccoon v2, then progressively eclipsed by Lumma and RedLine.
- attacks№ 720
Malvertising
The use of online advertising networks to distribute malware, exploits, or scams via legitimate-looking ads served on trusted websites.