Vidar

Vidar is an information stealer forked from the Arkei stealer codebase in late 2018, sold on Russian-speaking forums by a developer known as "Loadbaks". Pricing runs from $130 to $750 depending on subscription length. It shares its Arkei lineage with Mars Stealer and Lumma Stealer, and its C2 protocol was later copied directly by StealC.

The stealer uses a two-stage dead drop resolver for C2 communication. Hardcoded URLs point to legitimate social media profiles on Telegram, Steam Community, Mastodon, and TikTok, where the real C2 IP is embedded in the profile's name or description field. Once resolved, communication runs over standard HTTP/HTTPS -- an initial GET fetches the steal configuration, then collected data is packaged into a ZIP archive and exfiltrated via multipart form POST. C2 domains rotate roughly every four days.

Vidar targets browser credentials, cookies, and autofill data from Chrome and Firefox-based browsers, cryptocurrency wallets, 2FA application data, email client credentials (Outlook, Thunderbird), Telegram and Discord sessions, and Steam tokens. Version 2.0, released in October 2025, was rewritten from C++ to pure C with a multithreaded collection architecture and control flow flattening applied across all 274 functions. It also bypasses Chrome's AppBound encryption by launching browsers with debugging enabled and injecting into process memory.

Delivery leans on malvertising through Google Ads impersonating legitimate software, SEO poisoning via fake cracked software catalogs, and pay-per-install networks like PrivateLoader and SmokeLoader. A notable February 2025 incident involved Vidar distributed through PirateFi, a game published on Steam that infected roughly 1,500 users before removal. Vidar 2.0's release coincided with the Lumma Stealer takedown in May 2025, positioning it to absorb displaced customers.