A significantly enhanced version of the Vidar infostealer, now identified as Vidar 2.0, is actively being disseminated through numerous deceptive game cheat repositories hosted on GitHub and via targeted posts on Reddit. This malware masquerades as free cheating software for popular online video games, aiming to trick unsuspecting gamers into downloading a potent tool designed to steal their credentials and personal information.
The threat of malware embedded within gaming software is a persistent issue within the online gaming community. Cybercriminals have long employed tactics such as distributing fake key generators and cracked software to target gamers. This modus operandi has become increasingly sophisticated and widespread, with attackers now systematically targeting nearly every major online game, including titles like Counter-Strike 2, Fortnite, Valorant, and Call of Duty.
Gamers actively seeking free cheat tools are particularly attractive targets for these malicious actors. They often anticipate and disregard security warnings, have less incentive to report infections, and frequently possess valuable digital assets tied to their gaming accounts, making them prime targets for data theft and account compromise.
Vidar 2.0: A Sophisticated Infostealer Filling the Void
Acronis analysts have identified active campaigns distributing Vidar 2.0. The surge in its activity appears to coincide with recent law enforcement actions that led to the takedown of two dominant infostealers, Lummastealer and Rhadamanthys. With these major players removed from the underground market, cybercriminals have sought replacements, and Vidar has effectively filled this demand.
Vidar has been in development for over seven years, originating as a fork of the Arkei stealer in 2018. Its combination of low cost and potent new features has made it a compelling choice for threat actors looking to acquire sensitive user data. The malware is designed to exfiltrate a wide range of information, including browser credentials and cookies, autofill data, Azure tokens, cryptocurrency wallets, FTP and SSH credentials, Discord and Telegram session data, and local files.
The efficiency of Vidar 2.0 is noteworthy; it operates rapidly enough that victims often do not realize their data has been compromised until it appears for sale on underground marketplaces. Compromised gaming accounts are especially lucrative, as in-game items and currency can be resold through grey markets with minimal risk to the attacker, further incentivizing the distribution of this infostealer.
Abuse of Trusted Platforms by Threat Actors
The ongoing campaign highlights the advanced techniques threat actors are employing to leverage trusted platforms for malicious purposes. By hosting landing pages on established platforms like GitHub, attackers lend a veneer of credibility to their operations, making it harder for users to distinguish legitimate content from malicious imposters.
Furthermore, posts within active gaming communities on platforms like Reddit are used to direct users toward these deceptive GitHub repositories. This strategy, which combines the use of well-known platforms with sophisticated social engineering, has created an effective infection pipeline that many users will not immediately recognize as malicious. The visual presentation of these fake repositories often mimics legitimate software development pages, further enhancing their deceptive appeal.
The Infection Chain: How Vidar 2.0 Infiltrates Systems
The infection process begins when a user clicks a link from a Reddit post or visits a fake GitHub page. Upon arrival, they are presented with seemingly legitimate installation instructions. These instructions often mimic standard software setup procedures, guiding victims to disable their antivirus software, extract password-protected archives, and execute files with administrator privileges. Because legitimate cheat software frequently requires deep system access, many users do not find these demands unusual.
The downloaded file is typically a PowerShell script compiled into a .NET binary using PS2EXE. Once launched, the loader component of the malware takes several critical actions. It establishes a Windows Defender exclusion for an attacker-controlled folder, effectively disabling security scanning for any files placed within it. Subsequently, it contacts a hard-coded Pastebin URL to retrieve the address of the next-stage payload, which is hosted on GitHub.
The loader then creates a randomly named, hidden folder within the user’s %AppData% directory and drops the final payload there, naming it “background.exe.” Before executing this file, the loader performs a check of the MZ header to confirm it is a valid Windows executable. To ensure persistence, the malware establishes a scheduled task named “SystemBackgroundUpdate,” configured to run automatically at every user login with elevated privileges, thereby maintaining its presence on the compromised system.
The final payload is a Vidar 2.0 binary, often protected by Themida packing to evade detection. In a significant departure from traditional methods, Vidar 2.0 does not rely on hard-coded command-and-control (C2) addresses. Instead, it communicates with Telegram bots and Steam profiles that act as dead drop resolvers. This tactic effectively hides the real C2 infrastructure behind trusted services, making it considerably more challenging for security teams to track or block the malicious operation.
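The loader behaviours described above (a Defender path exclusion for a folder under the user's profile, a logon-triggered scheduled task running with highest privileges, and an executable launched from a hidden %AppData% folder) each leave a distinct Windows event trail, and correlating them is a practical hunt. The following script is an added example, not code from Acronis or from the article: it runs three detection rules over a handful of constructed log records and correlates an exclusion with later execution from the excluded folder. The `key=value` record format and field names (`source`, `event_id`, `msg`, `task_name`, `task_content`, `image`) are an assumed, simplified SIEM export, not any product's real schema; the event IDs (Defender 5007 for a configuration change, Security 4698 for scheduled task creation, Sysmon 1 for process creation) are real, but the message text is approximated.

```python
"""
Hunt for the Vidar 2.0 loader behaviours described in the article
(Defender exclusion, elevated logon task, execution from %AppData%)
over constructed, simplified Windows event records.
Added example; the sample records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample records. The key=value layout and field names are an
# assumption standing in for a SIEM export; they are not a real product schema.
SAMPLE_EVENTS = [
    r'source=Defender event_id=5007 msg="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\x7k2q = 0x0"',
    r'source=Security event_id=4698 task_name="\SystemBackgroundUpdate" task_content="<Triggers><LogonTrigger/></Triggers><Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>"',
    r'source=Sysmon event_id=1 image="C:\Users\alice\AppData\Roaming\x7k2q\background.exe" parent_image="C:\Users\alice\Downloads\cheat_installer.exe"',
    r'source=Sysmon event_id=1 image="C:\Program Files\Mozilla Firefox\firefox.exe" parent_image="C:\Windows\explorer.exe"',
    r'source=Security event_id=4698 task_name="\Microsoft\Windows\Defrag\ScheduledDefrag" task_content="<Triggers><CalendarTrigger/></Triggers>"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Defender 5007 records the changed registry value; the exclusion path follows "Exclusions\Paths\".
EXCLUSION_RE = re.compile(r'Exclusions\\Paths\\(.+?)\s=\s')
# Executables living under the per-user profile rather than Program Files / Windows.
USER_PROFILE_RE = re.compile(r'\\AppData\\(Roaming|Local)\\', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def parse_event(line):
    """Parse one constructed key=value record into a dict of strings."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_user_profile_path(path):
    return USER_PROFILE_RE.search(path) is not None


def hunt(lines):
    """Apply the three rules in order and correlate exclusions with later execution."""
    findings = []
    excluded_paths = []  # Defender exclusions seen so far, used for correlation
    for ev in (parse_event(line) for line in lines):
        src, eid = ev.get("source"), ev.get("event_id")

        # Rule 1: a Defender path exclusion was added. Any exclusion is worth a look;
        # one under the user profile is the pattern the loader uses.
        if src == "Defender" and eid == "5007":
            m = EXCLUSION_RE.search(ev.get("msg", ""))
            if m:
                path = m.group(1)
                excluded_paths.append(path)
                sev = "high" if is_user_profile_path(path) else "medium"
                findings.append(Finding("defender_exclusion_added", sev, path))

        # Rule 2: a scheduled task that runs at logon with highest privileges.
        # The article names the task SystemBackgroundUpdate, but the trigger and
        # run level are the durable part, so the name only raises severity.
        elif src == "Security" and eid == "4698":
            content = ev.get("task_content", "")
            name = ev.get("task_name", "")
            if "<LogonTrigger" in content and "HighestAvailable" in content:
                sev = "high" if name.lower().endswith("systembackgroundupdate") else "medium"
                findings.append(Finding("elevated_logon_task_created", sev, name))

        # Rule 3: process start from a user-profile folder, escalated when that
        # folder was previously excluded from Defender scanning.
        elif src == "Sysmon" and eid == "1":
            image = ev.get("image", "")
            if is_user_profile_path(image):
                in_excluded = any(
                    image.lower().startswith(p.lower().rstrip("\\") + "\\")
                    for p in excluded_paths
                )
                rule = "exec_from_defender_excluded_folder" if in_excluded else "exec_from_appdata"
                findings.append(Finding(rule, "high" if in_excluded else "medium", image))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the constructed sample the script reports three high-severity findings and stays silent on the Firefox launch and the built-in Defrag task. Rule 3 deliberately keys on the folder (any image under a newly excluded path), not on the filename `background.exe`, since the name is trivially changed between builds while the exclusion-then-execute sequence is the behaviour the loader depends on.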
Users and organizations are advised to implement endpoint protection or EDR tools capable of detecting anomalous process chains, credential access attempts, and data exfiltration activities. Maintaining up-to-date operating systems and applications is crucial for patching known vulnerabilities. Execution policies should be configured to prevent software from running in non-standard locations such as %AppData% or %ProgramData%. Furthermore, users must be consistently reminded to download software solely from official vendor websites or verified repositories to mitigate the risk of infection from deceptive sources like those used by Vidar 2.0.