Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data

HomeCyber Security News Vidar Malware Targets Browser Credentials, Cookies, Crypto Wallets, and System Data By Tushar Subhra Dutta May 11, 2026 A long-active information stealer is making headlines again, and this time it is targeting more than just passwords. Vidar malware, a credential-harvesting tool in circulation since late 2018, has been observed running through a sophisticated multi-stage attack chain designed to slip past modern security defenses with ease. The threat is active and capable of walking away with browser data, session cookies, cryptocurrency wallet files, and sensitive system information. Vidar was not built from scratch. It was developed using the source code of an older stealer called Arkei and has grown into one of the more resilient commodity malware families tracked today. What makes recent activity particularly alarming is not just what Vidar steals, but how carefully attackers prepare before deploying it. Each step in the infection chain is designed to avoid detection before the actual payload runs. Vidar infection chain (Source – LevelBlue) Researchers at LevelBlue, through proactive threat hunting in a client environment, uncovered this multi-stage loader campaign. Their endpoint telemetry and dynamic analysis revealed a chain of processes showing script masquerading, staged payload extraction, and command-and-control communication. Attack tree observed in LevelBlue’s EDR (Source – LevelBlue) The discovery highlights how well-known malware families are being wrapped in increasingly clever delivery mechanisms to extend their reach. The attack begins with what looks, to an unsuspecting user, like a legitimate software activation tool. How Vidar Steals Sensitive Data A commonly abused hack tool called MicrosoftToolkit.exe serves as the entry point, tricking users into running it under the belief they are activating real software. This user-driven approach reduces the need for phishing emails or software exploits, making the initial entry harder for traditional security filters to catch. Once the tool runs, a disguised file named Swingers.dot gets renamed as a batch script and executed, kicking off a chain of commands. The system checks for active security processes, extracts additional payload components, and eventually runs an AutoIt-compiled loader called Replies.scr. Outbound connections to Vidar-associated infrastructure then confirm the final payload has been deployed and is actively harvesting data. Vidar focuses on pulling information that can be converted into financial gain or used to access other systems. Once the loader completes its work and the payload runs, the malware targets browser-stored credentials, saved session cookies, cryptocurrency wallet files, and general system data. Even a single infected machine can hand attackers a significant amount of usable information. Call to InternetConnectA (Source – LevelBlue) The malware uses public platforms like Steam and Telegram as part of its command-and-control setup, disguising its traffic as ordinary web activity. It constructs HTTP GET requests to pull configuration data from these platforms before moving forward with exfiltration. Calls HttpOpenRequestA to construct an HTTP request (Source – LevelBlue) DNS lookups were also observed pointing to gz.technicalprorj.xyz, resolved through a public DNS server, suggesting the attackers rely on dynamic infrastructure to stay ahead of blocklists. Defense Evasion and Post-Attack Cleanup One of the most notable features of this campaign is how thoroughly the malware covers its tracks after running. Once payload extraction is complete and data has been sent, MicrosoftToolkit.exe deletes every file it dropped during execution, resets file attributes, frees associated memory, and terminates its own process. This leaves very little behind for investigators, making traditional incident response far more difficult. Deletion routine for the files written on disk (Source – LevelBlue) The malware also checks for debuggers and security monitoring tools before proceeding, using low-level Windows functions to detect analysis environments. If it senses observation, it can alter its behavior accordingly. This anti-analysis capability, combined with the cleanup routine and use of legitimate Windows tools throughout the chain, gives this campaign a moderate-to-high level of sophistication despite relying on a commodity stealer at its core. Termination of the current process (Source – LevelBlue) LevelBlue recommends that any affected systems be isolated immediately from the network to stop further data loss. Full system reimaging is strongly advised given the malware’s ability to download additional payloads. All exposed credentials, including browser passwords, email accounts, VPN logins, and admin accounts, should be reset and active sessions closed. Enforcing multi-factor authentication across critical services is equally important. Organizations should also monitor outbound traffic and DNS queries for unusual connections, and restrict execution of unauthorized tools to prevent similar intrusions. Indicators of Compromise (IoCs):- Type Indicator Description SHA256 fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d MicrosoftToolkit.exe SHA256 d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f swingers.dot.bat SHA256 978ad86c90d85b74947bb627ec24f8bcd26812b500e82f5af202160506ac29c6 Beds.dot SHA256 881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb replies.scr SHA256 968ecf51c442ec0ff91f91689ac524e7e8e9eab0c1a2a65cf13e54cf95194efe D (payload file) IP Address 149.154.167.99 Vidar-associated C2 IP Domain telegram[.]me C2 domain Domain gz[.]technicalprorj[.]xyz Vidar-associated C2 domain Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access Instagram’s to End Encrypted Chats for Direct Messages New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft New Fanwei E-cology10 Server Vulnerability Could Let Attackers Hijack Sessions and Steal Credentials JDownloader Downloader Hacked to Infect Users With New Python RAT Latest News Cyber Security News JDownloader Downloader Hacked to Infect Users With New Python RAT Cyber Security 10 Best Full Disk Encryption Tools in 2026 Cyber Security News Top 10 Best Interactive Malware Analysis Tools in 2026 Cyber Security ODINI Malware Uses CPU Magnetic Emissions to Breach Faraday-Shielded Air-Gapped Computers Cyber Security News New cPanel and WHM Flaws Enable Code Execution, DoS Attacks