A massive malware distribution campaign has been uncovered targeting the global gaming community under the guise of free game enhancements. Analysts at Acronis TRU have identified hundreds—and potentially thousands—of malicious GitHub repositories masquerading as “free game cheats” for virtually every major online title.
This surge in activity marks the official “in-the-wild” debut of Vidar Stealer 2.0, a sophisticated evolution of one of the most persistent infostealer families in the threat landscape.
The campaign targets gamers across platforms like GitHub and Reddit, hiding malicious links behind attractive images and routing victims through a series of intermediate third-party sites to evade systematic identification.

Gamers are considered “ideal targets” by threat actors because they frequently download software from unofficial sources and are conditioned to ignore security warnings that game cheats often trigger. Furthermore, compromised gaming accounts often carry significant monetary value due to digital assets, skins, and linked payment methods.
The emergence of Vidar 2.0 is a direct response to recent law enforcement crackdowns on other dominant stealers like Lumma and Rhadamanthys. As those groups faced disruption, Vidar stepped in to fill the vacuum with a complete architectural rewrite.
“With a full rewrite, better performance, and new ways to steal browser data, Vidar 2.0 is more stable, faster and harder to detect than before”.
The new version uses multithreading to collect data from many sources in parallel and polymorphic builds, so that each generated sample differs at the byte level and does not match signatures written for an earlier one. Its data-harvesting capabilities are extensive, targeting:
- Browser Data: Credentials, cookies, and autofill information.
- Digital Assets: Cryptocurrency wallets and Azure tokens.
- Communication & Access: Telegram and Discord data, alongside FTP and SSH credentials.
To ensure the malware executes only on genuine victim machines, Vidar 2.0 incorporates environment checks. For instance, it calls the Windows GetSystemMetrics function with the SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN indices to read the origin and size of the “virtual screen”, the bounding rectangle of all attached monitors. If the reported coordinates or resolution look like those of a researcher’s sandbox or a default virtual machine display rather than a real desktop, the stealer may terminate before doing anything observable.
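To make the check concrete, here is an added example (written for this article, not code from Vidar or from the Acronis report) that reproduces the shape of such a virtual-screen heuristic and runs it over constructed sample environments. The `looks_like_sandbox` decision function, the `virtual_screen_t` type and the 1280x720 plausibility thresholds are illustrative assumptions; the report does not publish the exact values the malware uses. On Windows the block also queries the real metrics, on other platforms only the constructed samples run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Bounding rectangle of the virtual screen (all monitors), as returned by
 * GetSystemMetrics(SM_XVIRTUALSCREEN / SM_YVIRTUALSCREEN /
 * SM_CXVIRTUALSCREEN / SM_CYVIRTUALSCREEN). The primary monitor is always
 * anchored at (0,0), so a real rectangle always contains the origin. */
typedef struct {
    int x, y;    /* top-left origin of the virtual screen */
    int cx, cy;  /* total width and height in pixels */
} virtual_screen_t;

/* Illustrative thresholds (assumption for this example, not values from the
 * report): default VM consoles are commonly 800x600 or 1024x768, while a
 * gamer's desktop is rarely below 720p. */
#define MIN_PLAUSIBLE_WIDTH  1280
#define MIN_PLAUSIBLE_HEIGHT 720

/* Heuristic in the spirit of the check described above.
 * Returns true when the display looks like an analysis environment. */
bool looks_like_sandbox(virtual_screen_t vs)
{
    /* GetSystemMetrics returns 0 on failure; a session with no display at
     * all (headless service sandbox) shows up as a 0x0 virtual screen. */
    if (vs.cx <= 0 || vs.cy <= 0)
        return true;

    /* Small default resolutions are far more common in analysis VMs than on
     * the machines this campaign targets. */
    if (vs.cx < MIN_PLAUSIBLE_WIDTH || vs.cy < MIN_PLAUSIBLE_HEIGHT)
        return true;

    /* A negative origin is legitimate (a secondary monitor left of or above
     * the primary), but a rectangle that does not contain (0,0) cannot come
     * from a real desktop and points at a hooked or emulated API. */
    if (vs.x > 0 || vs.y > 0 || vs.x + vs.cx <= 0 || vs.y + vs.cy <= 0)
        return true;

    return false;
}

#ifdef _WIN32
/* Read the live values on a Windows host. */
virtual_screen_t query_virtual_screen(void)
{
    virtual_screen_t vs;
    vs.x  = GetSystemMetrics(SM_XVIRTUALSCREEN);
    vs.y  = GetSystemMetrics(SM_YVIRTUALSCREEN);
    vs.cx = GetSystemMetrics(SM_CXVIRTUALSCREEN);
    vs.cy = GetSystemMetrics(SM_CYVIRTUALSCREEN);
    return vs;
}
#endif

int main(void)
{
    /* Constructed sample environments, not telemetry from the campaign. */
    struct { const char *name; virtual_screen_t vs; } samples[] = {
        { "headless sandbox (no display)",      {     0, 0,    0,    0} },
        { "default VM console 800x600",         {     0, 0,  800,  600} },
        { "single 1920x1080 desktop",           {     0, 0, 1920, 1080} },
        { "dual 1080p, secondary on the left",  { -1920, 0, 3840, 1080} },
        { "hooked API: origin not contained",   {   200, 0, 1920, 1080} },
    };

#ifdef _WIN32
    virtual_screen_t here = query_virtual_screen();
    printf("%-38s -> %s\n", "this host", looks_like_sandbox(here) ? "SUSPICIOUS" : "ok");
#endif
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-38s -> %s\n", samples[i].name,
               looks_like_sandbox(samples[i].vs) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

The defensive takeaway for anyone operating a detonation sandbox is the mirror image of the check: present a realistic desktop (a common resolution such as 1920x1080, primary monitor at the origin) and, if you hook GetSystemMetrics, keep the four virtual-screen values mutually consistent, otherwise the sample will simply exit and the run will record nothing.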
Additionally, the stealer captures a “screenshot.jpg” of the victim’s desktop, providing attackers with a visual snapshot of the compromised environment.
The rapid adoption of Vidar 2.0 demonstrates the “resilience of the infostealer landscape and the continuous demand for stolen credentials”. Even as major players are taken down, the criminal market simply migrates to the next available tool.