In the high-stakes game of cybersecurity, “seeing is believing” is a dangerous mantra. On April 24, 2026, the Lat61 Threat Intelligence Team at Point Wild uncovered a startling evolution in one of the world’s most persistent threats: Vidar Malware.
Historically known as a reliable credential stealer, Vidar has mutated into a sophisticated, multi-stage Malware-as-a-Service (MaaS) operation. The latest variant discovered by researchers Kedar Shashikant Pandit and Prathamesh Shingare no longer relies on suspicious executables alone. Instead, it conceals its second-stage payloads inside seemingly harmless JPEG images and TXT documents.
By hiding in plain sight within standard media formats, Vidar slips past signature-based antivirus and file-reputation checks, which see a structurally valid image or text file rather than an executable. That gap is putting thousands of global organizations at risk.
The 2026 Transformation: From Arkei Fork to MaaS Giant
Since its debut in 2018 as a fork of the Arkei malware, Vidar has focused on volume. However, the 2026 landscape has forced a shift toward stealth and persistence.
Key Evolutions in the Latest Variant:
- Memory-Resident Execution: The malware now executes the majority of its infection chain within a system’s RAM, leaving a minimal forensic footprint on the physical disk.
- Dead Drop Resolvers: Rather than hard-coding its C2 address, Vidar reads it from public profiles and posts on platforms such as Telegram and Discord. The first beacon blends in with legitimate encrypted traffic to those services, and operators can rotate C2 servers without reissuing the malware.
- Staged Obfuscation: The initial dropper is a Go-compiled binary. Go's large, statically linked executables are poorly covered by heuristics tuned to C++ or .NET-based stealers, so the entry point draws less attention than the later stages would.
Infection Vector: How Vidar Targets the Modern User
Vidar’s distribution strategy is highly diverse, targeting users where they are most likely to lower their guard.
1. Fake GitHub & “Claude Code” Lures
A recent wave of attacks exploited the high demand for AI tools. Attackers created fraudulent GitHub repositories claiming to offer “Enterprise Unlocked” versions of Claude Code or GitHub Copilot. These repositories actually bundle the Vidar dropper.
2. ClickFix and Fake CAPTCHAs
Compromised WordPress sites now display “Verifying you are human” pages. These ClickFix pages trick users into copying a malicious command and pasting it into the Windows Run dialog or a PowerShell window to “fix” a browser error, so the victim starts the Vidar infection chain by hand.
3. The Gaming Community
Gaming “cheats” and “cracks” shared on Reddit and Discord remain a primary vector. Users seeking in-game advantages often intentionally disable their antivirus software, providing Vidar with an open door.
Technical Analysis: The JPEG Payload Mechanism
The most innovative part of the 2026 Vidar variant is how it delivers the second-stage payload. This is not steganography in the pixel-level sense: the payload is a Base64 blob, bracketed by custom text markers, that is appended to or embedded in an otherwise ordinary image or text file. Image viewers and most format validators stop at the JPEG end-of-image marker, so the carrier still opens as a normal picture.
The Execution Chain:
- Initial Dropper: A Go-compiled binary (the dropper seen as `challengecf.exe`) executes and drops a VBScript file named `ewccbqtllunx.vbs` into the `%TEMP%` folder.
- Anti-Sandbox Check: The script performs a check for virtual machine environments. If it detects a sandbox, it self-terminates to prevent analysis.
- The JPEG Download: An obfuscated PowerShell command connects to a remote IP (`62.60.226.200` in the observed sample) and downloads a file named `160066.jpg`.
- Payload Extraction: While the file looks like a standard image to the OS, the PowerShell script scans the file for the custom markers `BASE64_START` and `BASE64_END`. It extracts the Base64-encoded malware between these markers, decodes it, and executes it directly in memory, so no second-stage executable is ever written to disk.
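The extraction step above is easy to turn around into a hunt tool: if the second stage is a marker-delimited Base64 blob riding on a valid image, a scanner can check the JPEG structure, look for data appended after the end-of-image marker, and decode whatever sits between the markers. The script below is an added example written for this article, not code from the Lat61 report or from the malware. It assumes the markers are exactly `BASE64_START` and `BASE64_END` as described above; the sample carrier it builds is constructed in-line (a minimal JFIF skeleton plus a placeholder payload) and is not the real `160066.jpg`. It also handles the TXT carrier the article mentions and a blob that is not valid Base64.

```python
"""Scan a file for a marker-delimited Base64 payload hidden in an image or text carrier."""
import base64
import binascii
import re
from typing import Optional

# Markers the Lat61 writeup reports the PowerShell stage searching for (assumed exact).
START_MARKER = b"BASE64_START"
END_MARKER = b"BASE64_END"
MARKER_RE = re.compile(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), re.DOTALL)

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker; decoders stop reading here


def classify_container(data: bytes) -> str:
    """Coarse carrier type: a JPEG, decodable text (the TXT lure), or other binary."""
    if data.startswith(SOI):
        return "jpeg"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def payload_kind(decoded: Optional[bytes]) -> str:
    """Cheap triage of what the decoded blob is."""
    if decoded is None:
        return "undecodable"
    if decoded[:2] == b"MZ":
        return "pe"
    return "text" if decoded.isascii() else "binary"


def scan_carrier(data: bytes) -> dict:
    """Report whether `data` carries a marker-delimited payload and where it sits.

    For a JPEG, anything after the final EOI marker is a trailer that image
    viewers never look at, which is why the carrier still opens as a picture.
    """
    container = classify_container(data)
    eoi = data.rfind(EOI) if container == "jpeg" else -1
    trailer_len = len(data) - (eoi + len(EOI)) if eoi != -1 else 0

    payloads = []
    for match in MARKER_RE.finditer(data):
        blob = re.sub(rb"\s+", b"", match.group(1))  # tolerate wrapped lines
        try:
            decoded = base64.b64decode(blob, validate=True)
            error = None
        except binascii.Error as exc:
            decoded, error = None, str(exc)
        if container == "jpeg":
            location = "trailer" if match.start() > eoi else "inside image segments"
        else:
            location = "body"
        payloads.append({
            "offset": match.start(),
            "location": location,
            "kind": payload_kind(decoded),
            "decoded": decoded,
            "error": error,
        })

    return {
        "container": container,
        "trailer_bytes": trailer_len,
        "payloads": payloads,
        # A trailer alone is worth a look even without markers: another build
        # could use different delimiters, but the appended data remains.
        "suspicious": bool(payloads) or trailer_len > 0,
    }


def minimal_jpeg() -> bytes:
    """Constructed, structurally valid JPEG skeleton (SOI + JFIF APP0 + EOI). Not a real sample."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(app0_body) + 2).to_bytes(2, "big") + app0_body
    return SOI + app0 + EOI


def build_sample_carrier() -> bytes:
    """Constructed stand-in for 160066.jpg: a valid JPEG with a marked Base64 stage-2 appended."""
    stage2 = b"Write-Host 'constructed stage-2 placeholder'"
    return minimal_jpeg() + b"\r\n" + START_MARKER + base64.b64encode(stage2) + END_MARKER


if __name__ == "__main__":
    report = scan_carrier(build_sample_carrier())
    print(report["container"], report["trailer_bytes"], report["suspicious"])
    for p in report["payloads"]:
        print(p["location"], p["kind"], p["decoded"])
```

Run it over a directory of images pulled from proxy logs or `%TEMP%` and treat any JPEG with a non-zero trailer as worth a second look, whether or not the markers match; a change of delimiters in the next build will not remove the appended bytes.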
Impact: What is Vidar Stealing?
Vidar is designed for maximum financial gain. It targets over 200 browser extensions and a wide array of desktop applications.
| Category | Primary Targets |
|---|---|
| Crypto Wallets | MetaMask, Phantom, Coinbase Wallet, Binance. |
| Password Managers | Bitwarden, LastPass, KeePass, 1Password. |
| Browsers | All Chromium-based browsers (Chrome, Edge, Brave), Firefox. |
| Gaming/Social | Discord tokens, Steam credentials, Telegram session data. |
Indicators of Compromise (IoCs)
Security teams should monitor for the following network and file-based signatures:
- VBScript File: `ewccbqtllunx.vbs` (typically found in `%TEMP%`)
- Known Payload/C2 IP: `62.60.226.200`
- Suspicious Payload URLs: URLs ending in `.jpg` or `.txt` that are requested by `powershell.exe` or `mshta.exe`
- Common Dropper Name: `challengecf.exe`
Best Practices: Defending Against Steganographic Malware
To counter Vidar’s stealth tactics, organizations must move beyond simple file-scanning.
- Behavioral Monitoring: Configure EDR tools to flag when `powershell.exe` or `wscript.exe` makes external network connections or writes non-executable files (such as JPEGs) into `%TEMP%`; a script host spawned by `wscript.exe` and running with a hidden window and an encoded command is the chain’s most distinctive shape.
- PowerShell Constrained Language Mode: Constrained Language Mode blocks arbitrary .NET method invocation (`Add-Type`, `[Reflection.Assembly]::Load`, and the `[Convert]::FromBase64String` calls the extraction step relies on), which removes the tools Vidar’s second stage needs to decode and run in memory. Enforce it through an AppLocker or WDAC policy rather than an environment variable or profile setting, which an attacker-controlled script can simply undo.
- Disable “Paste-and-Run” Tactics: Educate users on the dangers of “ClickFix” lures. No legitimate service will ever ask a user to paste a command into a PowerShell window to solve a browser error.
- Network Segmentation: Use a Zero Trust architecture to prevent a compromised developer machine from reaching internal cloud secret managers or production databases.
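The IoC list and the behavioral-monitoring advice above come down to a handful of correlations over endpoint telemetry. The detection logic below is an added example for this article, not a rule shipped by any vendor and not derived from the Lat61 report’s own detections. It runs over a constructed, Sysmon-style event stream (process creations, a network connection, file writes) that mirrors the chain described in the technical analysis; the paths, PIDs and the `-enc` argument are made up for the example, and only the file names and IP come from the IoC section. A benign interactive PowerShell session is included to show it does not trip the rules.

```python
"""Flag the behaviours the Vidar chain leaves in endpoint telemetry, over constructed events."""
import ipaddress
import ntpath
import re

# Script hosts that should rarely fetch content from the internet on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions the article's IoC section calls out as payload carriers.
CARRIER_EXTS = (".jpg", ".jpeg", ".txt")
# PowerShell accepts any unambiguous prefix of a switch; these are the common spellings.
ENCODED_CMD = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s", re.I)
HIDDEN_WINDOW = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)

# Constructed telemetry, not real logs: the observed chain followed by benign admin use.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "ppid": 1360,
     "image": r"C:\Users\alice\Downloads\challengecf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\alice\Downloads\challengecf.exe"},
    {"event": "file_create", "pid": 4120,
     "target": r"C:\Users\alice\AppData\Local\Temp\ewccbqtllunx.vbs"},
    {"event": "process_create", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\alice\Downloads\challengecf.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\ewccbqtllunx.vbs"'},
    {"event": "process_create", "pid": 4210, "ppid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # placeholder, decodes to IEX
    {"event": "network_connect", "pid": 4210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "62.60.226.200", "dest_port": 80},
    {"event": "file_create", "pid": 4210,
     "target": r"C:\Users\alice\AppData\Local\Temp\160066.jpg"},
    {"event": "process_create", "pid": 5000, "ppid": 1360,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) tuples; one event can trip several rules."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    alerts = []
    for e in events:
        if e["event"] == "process_create":
            image, parent, cmd = _name(e["image"]), _name(e["parent_image"]), e["cmdline"]
            if image in {"wscript.exe", "cscript.exe"} and "\\temp\\" in cmd.lower() and ".vbs" in cmd.lower():
                alerts.append(("vbs_from_temp", e["pid"], cmd))
            if parent in {"wscript.exe", "cscript.exe", "mshta.exe"} and image in {"powershell.exe", "pwsh.exe"}:
                alerts.append(("script_host_spawns_powershell", e["pid"], f"{parent} -> {image}"))
            if image in {"powershell.exe", "pwsh.exe"} and ENCODED_CMD.search(cmd) and HIDDEN_WINDOW.search(cmd):
                alerts.append(("hidden_encoded_powershell", e["pid"], cmd))
        elif e["event"] == "network_connect":
            # Private/loopback destinations are left alone; the payload host is on the internet.
            if _name(e["image"]) in SCRIPT_HOSTS and ipaddress.ip_address(e["dest_ip"]).is_global:
                alerts.append(("script_host_external_connect", e["pid"], f'{e["dest_ip"]}:{e["dest_port"]}'))
        elif e["event"] == "file_create":
            proc = procs.get(e["pid"])
            target = e["target"].lower()
            if proc and _name(proc["image"]) in SCRIPT_HOSTS and target.endswith(CARRIER_EXTS) and "\\temp\\" in target:
                alerts.append(("script_host_writes_carrier_to_temp", e["pid"], e["target"]))
    return alerts


def score_chains(events, alerts):
    """Group alerts by the root of their process tree so one chain is one incident."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}

    def root(pid):
        seen = set()
        while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
        return pid

    chains = {}
    for rule, pid, _ in alerts:
        chains.setdefault(root(pid), set()).add(rule)
    return {r: sorted(rules) for r, rules in chains.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:40} pid={pid} {detail}")
    print(score_chains(SAMPLE_EVENTS, found))
```

Any single rule here will fire on some legitimate activity (a packaging script that downloads a `.txt` manifest, an administrator using `-EncodedCommand` on purpose). The value is in the chain score: a tree whose root is an unsigned binary from `Downloads` and which collects four or five of these rules within seconds is the Vidar shape, and that is what should page someone.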
FAQs
1. Can my antivirus see the malware inside the JPEG?
Most standard antivirus tools will see 160066.jpg as a valid image file, because the image data itself is intact and the payload is only an inert Base64 string beside it. Unless the tool specifically looks for the BASE64_START marker inside the image’s metadata or binary data, or for data appended after the JPEG end-of-image marker, the file will likely pass.
2. Is Vidar a “fileless” threat?
While the initial dropper is a file, the critical second-stage payloads and the actual data theft often occur in the system memory (RAM). This makes Vidar a “semi-fileless” or “memory-resident” threat.
3. Why are gaming cheats such a common vector?
Attackers know that gamers are highly motivated to find “hacks” and are conditioned to ignore security warnings or “False Positives” to get the software to work. This makes them the perfect demographic for social engineering.
4. How does Vidar use Telegram?
Vidar uses Telegram’s API to receive configuration files and “dead drop” instructions. This allows the malware to change its C2 server addresses without needing to update the malware itself.
Conclusion: Adapting to the Stealth Era
The 2026 Vidar campaign is a stark reminder that cybercriminals are masters of adaptation. By leveraging JPEGs as delivery vehicles and using trusted Windows tools like PowerShell to assemble the attack, Vidar has significantly raised the bar for detection.
Action Item: Review your EDR logs for suspicious PowerShell activity today. In the age of Vidar, the most dangerous thing on your network might just look like a vacation photo.