Researchers at Trend Micro have released an in-depth analysis of Vidar Stealer v2.0, a major overhaul of the well-known Vidar information-stealing malware that has resurfaced with powerful new capabilities.
Rewritten entirely in C, the new version introduces multithreaded data theft, anti-analysis features, and a memory-injection technique that bypasses Google Chrome's AppBound encryption, making it one of the most technically sophisticated infostealers seen in 2025.
“Vidar 2.0’s release coincides with a decline in Lumma Stealer activity, resulting in a spike in threat actor adoption and heightened campaign activity,” Trend Micro stated in its report.
On October 6, 2025, the malware’s developer, known as “Loadbaks”, announced the release of Vidar Stealer v2.0 on underground forums. The update marks a full migration from C++ to C, a decision allegedly made to improve performance and stability.
Trend Micro’s analysis confirmed that this rewrite significantly improves the malware’s efficiency, resilience, and detection evasion, allowing it to run on more systems without crashing or drawing attention.
Vidar 2.0 introduces a multithreading system that scales its operations dynamically based on the victim’s hardware. Instead of collecting credentials and files sequentially, the malware now uses parallel threads to simultaneously harvest data from browsers, crypto wallets, and cloud directories.
“The unique multithreading system allows extremely efficient use of multi-core processors. It performs data-collection tasks in parallel threads, greatly speeding up the process,” the developer claimed.
Trend Micro found that the malware adjusts its thread count according to the number of CPU cores and the amount of available memory, keeping the load low enough to stay unobtrusive while maximizing collection speed. The shorter dwell time on the infected system also narrows the window in which endpoint security tools can observe the activity.
One of Vidar 2.0's most alarming upgrades lies in its browser credential theft techniques. Trend Micro reports that the malware can bypass Chrome's AppBound encryption, a defense that keeps the profile's decryption key under SYSTEM-level protection and releases it only to the Chrome process itself, so that a stealer running as the logged-in user can no longer decrypt cookies and saved passwords straight from the profile files on disk.
“Vidar 2.0 has implemented unique AppBound methods that aren’t found in the public domain,” the report states.
To achieve this, Vidar 2.0 launches Chrome and other browsers in debugging mode and injects code directly into the running browser processes.
The injected payload reads the decryption keys from browser memory rather than from the on-disk profile, then hands them back to the malware's core process over named pipes.
Because the key material is lifted from a browser process that is legitimately allowed to hold it, the AppBound protection is never consulted, and the stealer can decrypt login data, autofill entries, and cookies, including those of sessions that are still logged in.
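The report describes the browser being started in debugging mode before injection. A defender can look for exactly that in process-creation telemetry: a browser launched with one of Chromium's remote-debugging switches, especially when the parent is not the browser itself or the desktop shell, or when the window is headless. The following is an added example and not code from the Trend Micro report or from Vidar; the process-creation records are constructed, the switch names are Chromium's documented command-line switches, and the set of "expected" parent processes is a tuning assumption for the environment.

```python
"""Flag browser processes launched with remote-debugging switches.

Added example (not from the Trend Micro report or the Vidar code base). The
process-creation records below are constructed for the example; the switch
names are Chromium's documented command-line switches. Which parents are
'expected' is a tuning assumption."""
from typing import Dict, List

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Chromium switches that expose the DevTools protocol to other local processes.
DEBUG_SWITCHES = {"--remote-debugging-port", "--remote-debugging-pipe", "--remote-allow-origins"}
# Processes that normally start a browser on a workstation (assumption; tune per environment).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "4120",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"ProcessId": "5208",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9222 --headless '
                    r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    {"ProcessId": "6004",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
]


def debug_switches(cmdline: str) -> List[str]:
    """Return the remote-debugging switches present in a command line,
    accepting both '--switch=value' and bare '--switch' forms."""
    found = []
    for token in cmdline.split():
        name = token.split("=", 1)[0].lower()
        if name in DEBUG_SWITCHES:
            found.append(token)
    return found


def evaluate(event: Dict[str, str]) -> Dict:
    """Score one process-creation event. Only browser images with a debugging
    switch alert; an unknown parent or a headless window raises severity,
    since a developer enabling DevTools by hand does neither."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    switches = debug_switches(event["CommandLine"])
    if image not in BROWSER_IMAGES or not switches:
        return {"alert": False}
    reasons = [f"remote debugging enabled: {' '.join(switches)}"]
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    if "--headless" in event["CommandLine"].lower():
        reasons.append("headless window, invisible to the user")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"alert": True, "severity": severity, "pid": event["ProcessId"], "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict]:
    """Run the rule over a batch of events and keep only the alerts."""
    return [r for r in (evaluate(e) for e in events) if r["alert"]]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["pid"], alert["severity"], "; ".join(alert["reasons"]))
```

The rule covers only the debugging-mode launch; the injection into an already running browser that the report also describes leaves no command-line trace and needs process-access or remote-thread telemetry instead.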
Another notable addition is the automatic polymorphic builder, a self-morphing engine that ensures every Vidar build is binary-unique. Each build has a different file hash and differently obfuscated code, so hash- and pattern-based static detection tuned to one sample does not carry over to the next.
“An automatic morpher makes every build unique,” the author boasted, while Trend Micro confirmed that Vidar 2.0 now uses control flow flattening and numeric state machines to obscure its logic.
The malware also performs debugger detection, timing checks, and hardware profiling during execution, terminating immediately if signs of a sandbox or analysis environment are detected. This layered evasion strategy demonstrates Vidar’s evolution into a professionally maintained malware platform, rivaling commercial-grade spyware in stealth.
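Control-flow flattening with a numeric state machine, as Trend Micro describes it, and the anti-analysis checks of the previous paragraph can be shown together. The following is an added example and not code from Vidar or from the report: a small anti-analysis gate is written once in plain form and once flattened, so the two can be compared and confirmed to behave identically. The specific checks (a debugger flag, a timing threshold, minimum core and RAM counts) and their thresholds are assumptions chosen for illustration; the state constants are arbitrary.

```python
"""Control-flow flattening with a numeric state machine, applied to a small
anti-analysis gate.

Added example, not code from Vidar or from the Trend Micro report. The
checks and thresholds are assumptions chosen for illustration; the point is
the shape of the obfuscation an analyst meets in the disassembly."""
import os
import time


def should_run_plain(cpu_count: int, ram_gb: float, debugger_present: bool,
                     elapsed_ms: float) -> bool:
    """Readable version: refuse to run under a debugger, when a timed probe
    took suspiciously long (breakpoints, single-stepping), or when the
    hardware looks like a small analysis VM. Thresholds are assumptions."""
    if debugger_present:
        return False
    if elapsed_ms > 1000:
        return False
    if cpu_count < 2 or ram_gb < 4:
        return False
    return True


def should_run_flat(cpu_count: int, ram_gb: float, debugger_present: bool,
                    elapsed_ms: float) -> bool:
    """Same logic, flattened: every basic block becomes one case of a single
    dispatcher loop, and execution order is carried only by the value of
    `state`. Static analysis sees one loop and one switch instead of an
    if/else tree; recovering the control flow means tracking the constant
    each case writes into `state`."""
    state = 0x3A7          # entry block
    result = None
    while result is None:
        if state == 0x3A7:                        # debugger check
            state = 0x1C2 if debugger_present else 0x5F9
        elif state == 0x5F9:                      # timing check
            state = 0x1C2 if elapsed_ms > 1000 else 0x088
        elif state == 0x088:                      # core count
            state = 0x1C2 if cpu_count < 2 else 0x2D4
        elif state == 0x2D4:                      # memory size
            state = 0x1C2 if ram_gb < 4 else 0x7E1
        elif state == 0x1C2:                      # exit block: bail out
            result = False
        elif state == 0x7E1:                      # exit block: proceed
            result = True
        else:
            raise RuntimeError(f"unknown state {state:#x}")
    return result


def timed_probe_ms() -> float:
    """The timing input: time a trivial loop. A breakpoint or single-stepping
    inside it inflates the interval far beyond the hardware baseline."""
    start = time.perf_counter()
    acc = 0
    for i in range(100_000):
        acc ^= i
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    # RAM size is assumed here; the standard library has no portable query for it.
    profile = (os.cpu_count() or 1, 8.0, False, timed_probe_ms())
    print("plain:", should_run_plain(*profile), "flat:", should_run_flat(*profile))
```

When reversing a flattened routine, the practical approach mirrors the comments above: enumerate the dispatcher's cases, record which constant each one writes next, and redraw the graph from those transitions; the numeric states are just renamed basic-block labels.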
Trend Micro’s telemetry shows that Vidar 2.0 systematically targets a vast array of credentials and data sources, including:
- Browser credentials: Chrome, Edge, Firefox, Opera, Vivaldi, and Waterfox
- Cryptocurrency wallets: Monero, LevelDB-based extensions, and synced browser wallets
- Cloud tokens: AWS, Azure, and Microsoft Identity caches
- FTP/SSH clients: FileZilla, WinSCP
- Gaming and social platforms: Steam, Discord, Telegram
The malware even captures screenshots and scans removable drives for sensitive files such as crypto keys and exported passwords.
“The file grabber component systematically searches for valuable files across user directories and removable drives,” the researchers noted, emphasizing its capacity for comprehensive data harvesting.
Vidar's exfiltration path has also been reworked for flexibility. Trend Micro observed that the malware uploads stolen data as HTTP multipart form posts to a rotating set of command-and-control (C&C) servers; as in earlier versions, the current server address can be fetched from dead-drop resolvers such as Telegram and Steam profile pages, so taking down one server does not break the campaign.
In its final stage, Vidar 2.0 packages the stolen data, confirms that the upload to the C&C server succeeded, and cleans up after itself, shutting down its thread pool and removing the artifacts it created.
“Execution concludes with comprehensive data packaging and exfiltration through C&C infrastructure… followed by proper thread pool shutdown and artifact cleanup,” Trend Micro reported.
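The upload format named above, HTTP multipart forms, is what a network or incident responder sees in a capture. The following is an added example and not code from Vidar or the report: it parses a captured multipart/form-data body per RFC 7578, lists the parts, and labels each by what its payload actually is rather than what its headers claim. The request, its field names, boundary and the fake ZIP header are all constructed for the example.

```python
"""Inspect a captured multipart/form-data POST of the kind used for exfiltration.

Added example, not code from Vidar or the Trend Micro report. The request below
is constructed (field names, boundary and the fake ZIP header are invented);
the parsing follows RFC 7578 multipart/form-data."""
import re
from typing import Dict, List, Tuple

ZIP_MAGIC = b"PK\x03\x04"

# Constructed capture: one text field and one file field (not real traffic).
CONTENT_TYPE = "multipart/form-data; boundary=----exampleBoundary7a1"
CAPTURED_BODY = b"".join([
    b"------exampleBoundary7a1\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n',
    b"\r\n",
    b"8F3A-1B2C-EXAMPLE\r\n",
    b"------exampleBoundary7a1\r\n",
    b'Content-Disposition: form-data; name="file"; filename="out.zip"\r\n',
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    ZIP_MAGIC + b"\x00" * 26 + b"Passwords.txt",   # ZIP signature plus filler; not a valid archive
    b"\r\n",
    b"------exampleBoundary7a1--\r\n",
])


def boundary_from_content_type(content_type: str) -> str:
    """Pull the boundary parameter out of the request's Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    return m.group(1)


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Split the body on the dash-boundary and return one dict per part with
    its disposition name, filename, content type and raw payload bytes."""
    delim = b"--" + boundary.encode("ascii")
    parts: List[Dict] = []
    for chunk in body.split(delim)[1:]:           # [0] is the preamble (empty here)
        if chunk.startswith(b"--"):               # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):             # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):                # CRLF that precedes the next delimiter
            data = data[:-2]
        headers: Dict[str, str] = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "size": len(data),
            "data": data,
        })
    return parts


def triage(parts: List[Dict]) -> List[Tuple]:
    """Label each part by its payload rather than its headers: a ZIP signature
    next to a short machine-identifier field is the typical shape of a
    stealer upload, whatever the field is called."""
    rows = []
    for p in parts:
        kind = "zip archive" if p["data"].startswith(ZIP_MAGIC) else "text/other"
        rows.append((p["name"], p["filename"], p["size"], kind))
    return rows


if __name__ == "__main__":
    parsed = parse_multipart(CAPTURED_BODY, boundary_from_content_type(CONTENT_TYPE))
    for row in triage(parsed):
        print(row)
```

On a real capture the same two functions run over the reassembled request body; the interesting output is usually a handful of short identifier fields followed by one large octet-stream part whose first bytes give away the archive format regardless of the filename it was sent under.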