Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities

    Date: 11/11/2025

    Severity: High

    Summary

    On October 6, 2025, the developer “Loadbaks” released Vidar Stealer v2.0 on underground forums. The malware was rewritten entirely in C, improving speed and efficiency through a multithreaded architecture. Its launch coincided with a decline in Lumma Stealer activity, driving threat actors toward Vidar and StealC. Vidar 2.0 introduced enhanced credential extraction, bypassing Chrome’s App-Bound Encryption via memory injection. It now exfiltrates data more efficiently while evading detection more effectively. Targets include browsers, cloud services, crypto wallets, gaming accounts, and messaging apps like Discord and Telegram.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://telegram.me/ahnadar

    https://steamcommunity.com/profiles/76561198780411257

    SHA-256 hashes (the twelve sample hashes are those listed in Detection Query 2 below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://telegram.me/ahnadar" or url like "https://telegram.me/ahnadar" or siteurl like "https://telegram.me/ahnadar" or domainname like "https://steamcommunity.com/profiles/76561198780411257" or url like "https://steamcommunity.com/profiles/76561198780411257" or siteurl like "https://steamcommunity.com/profiles/76561198780411257"

    Detection Query 2:

    sha256hash IN ("1230f3382910e84d542d64e859fb3064958b47bc50508045cbb5b597b987c65b","0e90c63363265f75f8637c1a3e9ec277a1ea1a8436dd7561fff59cfb722c6612","bcf8a6911bf4033cf4d55caf22d7da9d97275bbb3b0f8fefd1129e86bd4b49f8","8934056f93516a33c4e9eeb2f50aea160860cf229ca6f6ec302bd2c404ebfe59","12934992bb65953861b4dfd7a67d3256eae8da19ee86609aa29b68fb77258e98","37d62d7983f7e0012f88e81ba28ad02a839b4d8804851a401b19058ca8cc2cf4","1eff512c9b003b08464e071774bd85e43464cce6ad1373463b1f67683d03b956","3dc09740ded920e5899a5386c6731de0c89d6bd182fb89073e910b619980899f","5f68157e486413ab276fad629d7af21a53b399c5fa8b1a0cfbd37851ceca0381","288ecc39cdde51783dbb171758ec760652bb929ad17d239a43629449a22429c1","29b6a1c08e96ce714f9e1f54a4edde3f5e6b41477db5f89f1bd41d931508bdbf","95368954efa9618c586bdd8978f41f465450caf268d07ca316cf6975f6e15848")
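    The same IOC matching expressed as code, as an added example that is not part of this advisory or of Gurucul's TDIR product: it applies the two queries above to log records, using the field names the queries use (sha256hash, url, siteurl, domainname), normalises hashes and URLs before comparing, and treats a host-only domainname match as low confidence. The sample records are constructed; the IOC values are taken from this page.

```python
from urllib.parse import urlparse
# IOCs copied from this advisory (both URLs and two of the twelve SHA-256 hashes).
IOC_URLS = {
    "https://telegram.me/ahnadar",
    "https://steamcommunity.com/profiles/76561198780411257",
}
IOC_SHA256 = {
    "0e90c63363265f75f8637c1a3e9ec277a1ea1a8436dd7561fff59cfb722c6612",
    "bcf8a6911bf4033cf4d55caf22d7da9d97275bbb3b0f8fefd1129e86bd4b49f8",
}

def _host_path(url):
    """Normalise a URL to (lowercase host, path without trailing slash)."""
    p = urlparse(url.strip())
    return (p.hostname or "").lower(), p.path.rstrip("/")

IOC_HOST_PATH = {_host_path(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_HOST_PATH}

def match_event(event):
    """Return [(field, confidence)] hits for one log record (a dict).
    Field names follow the TDIR queries above; hashes compare case-insensitively."""
    hits = []
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(("sha256hash", "high"))
    for field in ("url", "siteurl"):
        value = event.get(field)
        if value and _host_path(value) in IOC_HOST_PATH:
            hits.append((field, "high"))
    # A bare domainname field never equals a full URL, so matching it on the
    # host is what actually works. telegram.me and steamcommunity.com are
    # popular legitimate services, though, so a host-only hit is low confidence;
    # the path (the specific profile/channel) is what makes the IOC specific.
    domain = (event.get("domainname") or "").strip().lower()
    if domain in IOC_HOSTS:
        hits.append(("domainname", "low"))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "HTTPS://Telegram.me/ahnadar/", "domainname": "telegram.me"},
    {"sha256hash": "0E90C63363265F75F8637C1A3E9EC277A1EA1A8436DD7561FFF59CFB722C6612"},
    {"url": "https://steamcommunity.com/profiles/1", "domainname": "steamcommunity.com"},
]

def scan(events):
    """Return (index, hits) for every record with at least one hit."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]
```

Running scan(SAMPLE_EVENTS) flags all three records, but only the first two carry a high-confidence hit; the third matches steamcommunity.com by host alone and should be triaged rather than alerted on.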

    Reference:

    https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html


    Tags: Malware, Loadbaks, Vidar Stealer v2.0, Infostealer, Lumma, STEALC, Crypto wallets, Discord, Telegram, Gaming
