THREAT CHAIN

Originally published at threatchain.io

Vidar: The Silent Thief Hiding Inside That Free Software Download

This article was originally published on ThreatChain — decentralized threat intelligence.

An info-stealer that doubles as a loader. Full breakdown inside.

Last Tuesday, a freelance graphic designer in Ohio downloaded what she thought was a cracked version of a popular video editing tool. Within 90 seconds — before she even noticed the installer hadn't actually opened anything — her saved browser passwords, her crypto wallet seed phrase, her autofill credit card numbers, and a folder of client contracts had been quietly zipped up and sent to a server halfway around the world. She didn't get a ransom note. She didn't see a scary skull on her screen. She had no idea anything happened until her bank called three days later.

This is what Vidar does. And a fresh sample just surfaced that shows the malware is evolving in ways that make it harder to catch.

What Is Vidar, Exactly?

Vidar is an information stealer — a type of malware whose entire job is to grab your personal data and send it to an attacker as fast as possible, then disappear. Think of it less like a burglar who moves into your house, and more like a pickpocket on a crowded subway. Quick hands, gone before you notice, and by the time you check your pockets it's too late.

Specifically, Vidar hunts for:

  • Passwords saved in your browser (Chrome, Firefox, Edge — all of them)
  • Credit card numbers stored in autofill
  • Cryptocurrency wallets (Bitcoin, Ethereum, and dozens of others)
  • Two-factor authentication data — those backup codes and authenticator app databases
  • Files on your desktop that match certain patterns (documents, text files, key files)
  • Screenshots of what's on your screen at the moment of infection

It collects everything into a neat package, uploads it to the attacker's server, and then often deletes itself. The whole operation can take under a minute.

This Specific Sample: What We Know

ThreatChain flagged a new Vidar sample on April 6, 2026. Here's what makes it interesting:

The file itself is a Windows executable (an .exe file), about 1.9 megabytes — small enough to download in a blink. It arrived under the generic filename "file", which is common when malware is delivered as a secondary payload — something that another piece of malicious software drops onto your machine after you're already compromised.

It was delivered by GCleaner, a known malware dropper that pretends to be a system optimization or "PC cleaner" tool. You know those ads that say "Your PC is slow! Download this free tool to speed it up!"? That's GCleaner's hunting ground. Once you install GCleaner thinking it'll help your computer, it quietly downloads Vidar (and potentially other malware) in the background.

It's digitally signed. This is the worrying part. Digital signatures are supposed to be a trust signal — like a seal on a letter saying "this really came from who it says it came from." Attackers increasingly steal or buy code-signing certificates to make their malware look legitimate. When software is signed, Windows is less likely to flag it, and so are some security tools.

Detection is still low. When this sample was scanned against 76 different antivirus engines, only 14 flagged it as malicious — that's less than 19%. Meaning the majority of security tools would have let it through without a peep. Kaspersky, ANY.RUN, and FileScan.IO caught it. Many others didn't.

It uses Telegram for command-and-control. Instead of communicating with a suspicious-looking server (which security tools might block), this variant uses Telegram — the popular messaging app — as its remote control channel. The attacker posts instructions to a Telegram channel, and the malware reads them. Since Telegram traffic looks normal and is encrypted, this is fiendishly clever. It's like a spy receiving orders through a public bulletin board that everyone uses — nobody thinks twice about the traffic.

It actively fights analysis. The sample includes multiple anti-debugging techniques — essentially, it checks whether it's being watched. If the malware detects it's running inside a security researcher's sandbox or virtual machine, it changes behavior or shuts down entirely. It's the digital equivalent of a shoplifter who cases a store for cameras before pocketing anything.

Who Should Care?

If you use a Windows computer and have ever:

  • Downloaded free or cracked software
  • Used a "PC optimization" tool you found through an ad
  • Saved passwords in your browser (be honest — most of us have)
  • Stored cryptocurrency wallet files on your computer

...then you're squarely in Vidar's crosshairs.

Small businesses are especially vulnerable. A single employee downloading a "free PDF converter" on a work machine can expose the company's saved credentials, client data, and financial information. Vidar doesn't discriminate between personal and business data — it takes everything it can find.

What Happens After Your Data Is Stolen?

Vidar operators don't usually use your data themselves. They sell it in bulk on dark web marketplaces. Your stolen credentials become part of a massive bundle sold for a few dollars. Buyers then use those credentials to:

  • Drain bank accounts and crypto wallets
  • Take over email and social media accounts
  • Commit identity fraud
  • Launch further attacks against your employer or clients

The designer in Ohio? Her stolen browser passwords included her login to a client's WordPress site. Within a week, that site was defaced and injecting malware onto its visitors. One infection cascaded outward.

How to Protect Yourself

You don't need an enterprise security team to defend against Vidar. Here are five concrete things you can do this week:

  1. Stop saving passwords in your browser. Use a dedicated password manager like Bitwarden or 1Password instead. Browsers store passwords in ways that Vidar (and many other stealers) can extract trivially. A password manager encrypts them separately.

  2. Never download "cracked" or "free" versions of paid software. This is the number-one delivery method for stealers like Vidar. If you need a tool and can't afford it, look for a legitimate open-source alternative. The "free" cracked copy will cost you far more.

  3. Be deeply skeptical of PC cleaner and optimizer tools, especially ones promoted through web ads. Legitimate tools exist, but they don't need pop-up ads to find you.

  4. Keep Windows and your antivirus updated. Yes, this sample evades many antivirus tools today. But detection rates improve quickly once samples are flagged. Running outdated definitions means you're missing even the threats that have been caught.

  5. Move cryptocurrency wallets to hardware wallets or at minimum move seed phrases offline. A piece of paper in a safe is unhackable. A text file on your desktop is the first thing Vidar grabs.

The Technical Details (For Those Who Want Them)

Detail          Value
SHA-256         6d557467cdb0b20561acab3c95707230dded7798732430d9aff2b9c7f885ae0c
File Type       Win32 PE32+ executable (64-bit, GUI)
File Size       ~1.9 MB
Family          Vidar (information stealer)
Delivery        Dropped by GCleaner
Signing         Digitally signed (likely stolen/purchased certificate)
C2 Channel      Telegram-based communication
Detection Rate  14 out of 76 engines (as of first scan)
First Seen      April 6, 2026

If you're an IT admin or security professional, this sample's YARA detections include command-and-control signatures, multiple debugger evasion checks, and encrypted variant detection patterns. The Golang-related tags and method signatures suggest parts of the payload or its dropper are written in Go — a language attackers increasingly favor because it compiles into large, noisy binaries that can overwhelm some analysis tools.
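As an added defender-side triage example (not code from the article or from ThreatChain), the script below hashes a file against the SHA-256 in the table above and reads from the PE header the facts the table lists: PE32+ bitness, GUI subsystem, and whether an Authenticode signature blob is attached. The header it builds in build_sample_pe is constructed for the demo; a present blob only means the file is signed, not that the certificate is trusted, which is the article's point about stolen or purchased certificates.

```python
import hashlib
import struct
# SHA-256 of the Vidar sample from the article's details table.
VIDAR_SHA256 = "6d557467cdb0b20561acab3c95707230dded7798732430d9aff2b9c7f885ae0c"
PE32_PLUS_MAGIC = 0x20B        # optional-header magic of a 64-bit (PE32+) image
SUBSYSTEM_WINDOWS_GUI = 2
SECURITY_DIR_INDEX = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob


def triage(data: bytes) -> dict:
    """Hash, match the IoC, and read bitness/subsystem/signature presence from the PE header."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "pe": False}
    info["known_vidar_sample"] = info["sha256"] == VIDAR_SHA256
    try:
        if data[:2] != b"MZ":
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        info["pe"] = True
        opt = e_lfanew + 4 + 20   # PE signature (4) + COFF header (20)
        info["pe32_plus"] = struct.unpack_from("<H", data, opt)[0] == PE32_PLUS_MAGIC
        # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
        info["gui"] = struct.unpack_from("<H", data, opt + 68)[0] == SUBSYSTEM_WINDOWS_GUI
        # Data directories begin at 112 (PE32+) or 96 (PE32), preceded by NumberOfRvaAndSizes.
        dir_base = opt + (112 if info["pe32_plus"] else 96)
        n_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
        sec_off, sec_size = (0, 0) if n_dirs <= SECURITY_DIR_INDEX else \
            struct.unpack_from("<II", data, dir_base + 8 * SECURITY_DIR_INDEX)
        # A non-zero entry only means a signature blob is attached; it says nothing
        # about whether the certificate is valid, trusted, stolen or bought.
        info["has_authenticode_blob"] = sec_off != 0 and sec_size != 0
    except struct.error:
        info["truncated"] = True   # header claims more than the file contains
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ GUI header for demonstration; not a real program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # AMD64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    if signed:   # fake security directory: file offset 0x200, size 0x100
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x200, 0x100)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run triage() on the bytes of a quarantined file; a hash match against VIDAR_SHA256 identifies this exact sample, while the header fields help confirm a 64-bit GUI signed binary of the kind described.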


Vidar isn't flashy. It doesn't lock your screen. It doesn't make demands. It just takes what it wants and leaves. That's what makes it so effective — and why it keeps showing up, year after year, in new disguises.

The best defense isn't expensive software. It's skepticism. That free download, that PC optimizer ad, that email attachment you weren't expecting — pause before you click. Your future self will thank you.
