Vidar Stealer
Vidar Stealer 是什么?
Vidar StealerA long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures.
Vidar Stealer is a Windows information stealer first seen in late 2018, originally forked from the older Arkei family by a Russian-speaking actor. It remained one of the steadiest commodity stealers through 2024 despite the rise and fall of competitors. Vidar collects browser-stored credentials, cookies, autofill, and credit-card data from Chromium and Gecko browsers; crypto-wallet keystores and browser-extension data; Discord, Telegram, Steam and FTP sessions; arbitrary files matching operator-defined patterns; screenshots; and host fingerprinting. The C2 infrastructure is notable for hosting configuration on legitimate platforms (Telegram channels, Steam profile descriptions, Mastodon profile bios) so that a quick takedown of one C2 IP does not break the malware — a 'dead-drop resolver' pattern Vidar helped popularize. Distribution vectors include cracked software, fake installers, Google Ads malvertising, ClickFix fake-CAPTCHA pages, and YouTube SEO bait. Forks such as Mars Stealer and Aurora Stealer share much of Vidar's codebase.
● 示例
- 01
A Vidar sample fetches its current C2 IP by parsing a Steam profile description, then exfiltrates browser logs to that endpoint over plain HTTP.
- 02
A YouTube tutorial linking to a 'crack' installer drops Vidar via a SmartLoader stage, which in turn loads Lumma as a follow-on payload.
● 常见问题
Vidar Stealer 是什么?
A long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures. 它属于网络安全的 恶意软件 分类。
Vidar Stealer 是什么意思?
A long-running C++ Windows info-stealer derived from the older Arkei family, active since 2018 and still distributed in 2024–2025 via cracks, malvertising, and ClickFix lures.
Vidar Stealer 是如何工作的?
Vidar Stealer is a Windows information stealer first seen in late 2018, originally forked from the older Arkei family by a Russian-speaking actor. It remained one of the steadiest commodity stealers through 2024 despite the rise and fall of competitors. Vidar collects browser-stored credentials, cookies, autofill, and credit-card data from Chromium and Gecko browsers; crypto-wallet keystores and browser-extension data; Discord, Telegram, Steam and FTP sessions; arbitrary files matching operator-defined patterns; screenshots; and host fingerprinting. The C2 infrastructure is notable for hosting configuration on legitimate platforms (Telegram channels, Steam profile descriptions, Mastodon profile bios) so that a quick takedown of one C2 IP does not break the malware — a 'dead-drop resolver' pattern Vidar helped popularize. Distribution vectors include cracked software, fake installers, Google Ads malvertising, ClickFix fake-CAPTCHA pages, and YouTube SEO bait. Forks such as Mars Stealer and Aurora Stealer share much of Vidar's codebase.
如何防御 Vidar Stealer?
针对 Vidar Stealer 的防御通常结合技术控制与运营实践,详见上方完整定义。
Vidar Stealer 还有哪些其他名称?
常见的别称包括: Vidar。
● 相关术语
- malware№ 591
信息窃取木马
一种从受感染设备中收集凭据、Cookie、令牌、加密钱包等敏感数据并外传给攻击者的恶意软件。
- malware№ 254
凭据窃取程序
专门用于从受感染系统或其内存中提取密码、哈希和认证令牌的恶意软件。
- malware№ 708
Lumma Stealer
A subscription-priced Russian-speaking malware-as-a-service info-stealer that emerged in 2022 and became one of the top-three stealers worldwide by 2024, distributed primarily via ClickFix lures and crack sites.
- malware№ 1014
RedLine Stealer
A subscription Windows info-stealer that dominated 2020–2023 cybercrime markets, harvesting browser secrets, crypto wallets, and FTP/VPN credentials; its infrastructure was disrupted by Operation Magnus in October 2024.
- malware№ 998
Raccoon Stealer
A long-running malware-as-a-service info-stealer first seen in 2019; its operator was arrested in 2022 and the project was restarted as Raccoon v2, then progressively eclipsed by Lumma and RedLine.
- attacks№ 720
恶意广告
利用在线广告网络,通过看似正规的广告在可信网站上分发恶意软件、漏洞利用或诈骗内容。