All news with #vidar tag

Vidar Infostealer Delivered Through Malicious npm Packages

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.

Vidar 2.0 Emerges as Lumma Stealer Declines, Upgraded

🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.

Vidar Stealer 2.0 Rewritten in C with Multi-Threading

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.

UNC5142 EtherHiding: Smart-Contract Malware Distribution

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.