The latest version of the Vidar infostealer, known as Vidar 2.0, is spreading aggressively through deceptive game cheat repositories on platforms like GitHub and Reddit. This malware masquerades as free cheats for popular online games, enticing gamers to unknowingly download a sophisticated tool designed to steal sensitive information.
Targeting Gamers with Fake Cheats
Malicious software hidden within gaming applications is a tactic that cybercriminals have exploited for years. By presenting fake key generators and cracked tools, attackers have increasingly targeted players of popular games such as Counter-Strike 2 (CS2), Fortnite, Valorant, and Call of Duty. These gamers, eager for free cheat tools, are often unsuspecting targets, likely to ignore security alerts, and possess valuable digital assets linked to their accounts.
Vidar 2.0’s Rise in the Cybercrime Landscape
Acronis analysts have identified active campaigns distributing Vidar 2.0, noting a surge in its use following the law enforcement takedowns of other infostealers like Lummastealer and Rhadamanthys. Vidar, which originated as a fork of the Arkei stealer in 2018, has evolved over seven years, offering cost-effective yet powerful features that appeal to cybercriminals.
Vidar 2.0 is capable of extracting browser credentials, cookies, autofill data, Azure tokens, cryptocurrency wallets, FTP and SSH credentials, and session data from services like Discord and Telegram. Its swift operation often leaves victims unaware until their data surfaces on underground markets, with compromised gaming accounts being particularly attractive due to the resale value of in-game items and currency.
Exploiting Trusted Platforms for Infections
Cybercriminals have advanced in exploiting trusted platforms, using GitHub to host landing pages that lend legitimacy to their operations. Reddit posts within gaming communities further direct users to these fake repositories. This strategic use of well-known platforms combined with targeted social engineering creates a deceptive infection pipeline that many users fail to recognize as harmful.
When users follow links from Reddit or visit fake GitHub pages, they encounter sites with seemingly legitimate installation instructions. These guides often instruct users to disable antivirus protections, extract password-protected archives, and execute files with administrative rights. Such steps are commonly associated with cheat software, making them appear routine to unsuspecting gamers.
How Vidar 2.0 Achieves Persistence
The infection process involves a PowerShell script compiled into a .NET binary, confirmed by Detect It Easy (DIE) analysis. Once executed, the loader creates a Windows Defender exclusion for a specific folder, preventing security scans on its contents. It then retrieves the next-stage payload from GitHub, placing it in a hidden folder within the %AppData% directory as ‘background.exe’.
Persistence is ensured through a scheduled task named ‘SystemBackgroundUpdate’, configured to execute automatically at user login with elevated privileges. The final payload, a Themida-packed Vidar 2.0 binary, utilizes Telegram bots and Steam profiles as dead drop resolvers to conceal its command-and-control infrastructure, complicating detection by security teams.
To combat such threats, users and organizations should employ endpoint protection or EDR tools to detect unusual process chains and data exfiltration activities. Keeping operating systems and applications updated is crucial to addressing known vulnerabilities. Additionally, restricting software execution in non-standard paths and downloading software exclusively from official or verified sources are essential precautions.
For more insights and updates, follow us on Google News, LinkedIn, and X. Set CSN as your preferred source on Google for real-time cybersecurity news.
