Vidar Infostealer Campaign Steals Passwords, Cookies, Crypto Wallets, and Device Data

The Vidar infostealer, originally derived from the Arkei source code, has resurfaced with a more sophisticated infection chain that exploits user‑initiated execution of the MicrosoftToolkit.exe utility. By leveraging a widely‑distributed hack‑tool, attackers sidestep vulnerability‑based defenses and instead depend on social engineering to convince victims to run the file. Once launched, the malware quickly transitions to a staging phase, renaming a "swingers.dot" file to a batch script and using native Windows commands such as tasklist.exe and findstr.exe to map the environment and suppress security tools. This approach reflects a broader trend where threat actors weaponize everyday system utilities to remain under the radar.

Technical analysis reveals a heavy reliance on AutoIt, a legitimate Windows automation language, to compile the loader named Replies.scr. The loader reads an encrypted payload from a disguised file, decrypts it in memory, and executes it without ever touching disk, thereby evading many file‑based detection mechanisms. Communication with command‑and‑control servers is cleverly hidden behind HTTP GET requests to Telegram and Steam Community profile URLs, blending malicious traffic with normal web activity. By resolving dynamic domains through public Google DNS and using dead‑drop resolvers, Vidar makes network‑level detection extremely challenging for traditional security appliances.

For defenders, the campaign underscores the need for behavior‑based monitoring and strict application control policies. Endpoint Detection and Response (EDR) solutions must be tuned to flag anomalous use of legitimate binaries like AutoIt and unexpected network connections to consumer platforms that are atypical for corporate workloads. Additionally, organizations should enforce least‑privilege execution policies, educate users about the risks of downloading hack‑tools, and employ sandboxing to analyze suspicious executables before they reach production endpoints. As threat actors continue to blend malicious code with trusted services, a layered security strategy that combines endpoint hardening, network traffic analysis, and user awareness will be essential to mitigate the evolving Vidar threat.