Attack Flow | Image: Point Wild
Vidar, once a straightforward credential stealer, has officially completed its transformation into a “multi-stage, stealth-driven attack framework”. A recent deep-dive report from Point Wild reveals that Vidar has abandoned traditional exploits in favor of a much more effective weapon: human psychology and the abuse of trusted system components.
Vidar’s success in 2026 stems from its ability to blend into normal system activity. According to Point Wild, the malware now “leverages layered obfuscation, staged payload delivery, and trusted Windows components to achieve stealthy execution and persistence”.
The attack flow typically follows a sophisticated “living-off-the-land” strategy:
- Initial Entry: Often starts with a Go-compiled dropper binary to evade static detection.
- Script Progression: The chain moves through WScript → PowerShell → ConHost → RegAsm, using these trusted binaries to “blend into normal system activity”.
- Disguised Payloads: The chain reconstructed in the report retrieves payloads “disguised as a benign image file” (JPEG) or as text files (TXT), fetched from direct IP addresses rather than domain names.
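As an added illustration of how a defender might hunt for the WScript → PowerShell → RegAsm chain described above, the following Python is example code written for this article (not Point Wild's tooling): it builds a parent/child tree from constructed, Sysmon-style process-creation lines and flags RegAsm.exe instances whose ancestry contains PowerShell and then WScript. The log format, field names and PIDs are assumptions; conhost.exe is treated as a sibling rather than a parent because it does not itself spawn the next stage.

```python
import re

# Constructed Sysmon-style process-creation events (not from the Point Wild report).
SAMPLE_LOG = """\
pid=4312 ppid=4100 image=C:\\Windows\\System32\\wscript.exe
pid=4410 ppid=4312 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=4520 ppid=4410 image=C:\\Windows\\System32\\conhost.exe
pid=4611 ppid=4410 image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe
pid=5000 ppid=4100 image=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe
pid=5010 ppid=5000 image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe
"""

TARGET = "regasm.exe"
# Expected ancestors of RegAsm.exe, nearest first. conhost.exe sits beside, not above,
# the payload in the tree, so the rule matches a subsequence rather than exact parents.
SUSPICIOUS_ANCESTRY = ["powershell.exe", "wscript.exe"]
LINE_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(.+)$")


def parse_events(log):
    """Map pid -> {'ppid', 'image'} from the constructed log lines."""
    procs = {}
    for line in log.splitlines():
        if m := LINE_RE.match(line.strip()):
            procs[int(m.group(1))] = {"ppid": int(m.group(2)), "image": m.group(3)}
    return procs

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(procs, pid):
    """Image basenames up the parent chain, nearest first; stops at an unknown pid or a cycle."""
    out, seen, cur = [], set(), procs[pid]["ppid"]
    while cur in procs and cur not in seen:
        seen.add(cur)
        out.append(basename(procs[cur]["image"]))
        cur = procs[cur]["ppid"]
    return out

def is_subsequence(pattern, seq):
    it = iter(seq)  # one shared iterator enforces ordering
    return all(any(x == p for x in it) for p in pattern)

def find_suspicious_chains(log):
    """PIDs of RegAsm.exe processes whose ancestry contains PowerShell, then WScript."""
    procs = parse_events(log)
    return [pid for pid, p in procs.items()
            if basename(p["image"]) == TARGET
            and is_subsequence(SUSPICIOUS_ANCESTRY, ancestors(procs, pid))]
```

The second RegAsm.exe (spawned by a developer tool) is not flagged, which is the point of keying on ancestry rather than on the binary name alone.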
Point Wild notes that current campaigns have shifted toward “highly user-driven and social engineering-based execution chains”.
| Infection Vector | Methodology |
|---|---|
| Fake GitHub Repos | Disguised as legitimate utilities or “Claude Code” leaks to exploit developer trust. |
| Fake CAPTCHAs | “ClickFix” pages trick users into manually executing malicious commands like |
| Game Cheats | Primarily targets gaming communities on Discord and Reddit, where users are likely to bypass security warnings. |
The report highlights a “fully fileless loader chain” that minimizes the detection surface. One of the most critical phases involves the reflective loading of a .NET assembly, which allows the malware to execute “without touching disk”.
Once active, Vidar’s data theft capabilities are expansive. It specifically targets:
- Crypto Wallets: Scans for Bitcoin, Ethereum, and Dogecoin data, as well as dozens of browser-based wallet extensions like MetaMask and Phantom.
- Password Managers: Extracts data from 1Password, Bitwarden, LastPass, and more.
- Telegram C2: Uses Telegram as a “covert data exfiltration channel,” allowing it to “conceal malicious traffic and avoid reliance on traditional command-and-control infrastructure”.