Select Page

The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi.

“Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,” cybersecurity company Team Cymru said in a new analysis shared with The Hacker News.

Vidar is a commercial information stealer that’s known to be active since late 2018. It’s also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier.

Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts. Vidar has also been observed to be distributed via rogue Google Ads and a malware loader dubbed Bumblebee.

images from Hacker News