A threat actor is blasting out phishing emails disguised as job applications and copyright complaints to spread Vidar, a long-running information stealer that quietly harvests passwords, browser data, and cryptocurrency wallets. Researchers at AhnLab Security Intelligence Center (ASEC) have tracked the campaign against South Korean targets through the first half of 2026 and believe a single operator is behind it, churning out fresh variants every few days to stay ahead of detection.
The lure files carry names like "Positive and Responsible Applicant Resume" and "Summary of Copyright Provisions and Infringement Details", and they wear a Microsoft Word document icon to look harmless. In reality each is an executable wrapped in a packer written in the Go programming language. When opened, the packer decrypts and runs the real Vidar payload directly in memory, a trick that helps it slip past scanners that only inspect files on disk.
Hiding in plain sight on Steam and Telegram
Vidar's most notable trait is how it finds its command-and-control (C2) server. Rather than hard-coding an address that defenders could block, it uses a Dead Drop Resolver technique: the operator posts the current C2 address inside a Telegram channel and on Steam community profile pages, and the malware reads those public profiles to fetch it. Vidar looks for a marker string, "ar3k0", and treats whatever follows as the live server address. In a June 2026 sample, the malware checked a Telegram profile first and fell back to a Steam profile if it came up empty.
Once it phones home, Vidar pulls a JSON configuration and gets to work. It steals saved logins and cookies from Chromium and Firefox browsers, browsing history, autofill and payment data, cryptocurrency wallet files and browser wallet extensions, Discord and Telegram session data, Steam credentials, Azure access tokens, and FileZilla and WinSCP FTP passwords. It also grabs a screenshot and a system information file, then sweeps up any documents matching its grabber rules. Vidar, sold under a malware-as-a-service model since 2018, remains a staple of the stealer scene, a threat we recently saw pushed through fake free software promoted on TikTok.
What to watch for
ASEC notes the samples ship with anti-analysis defenses, checking for virtual machines, sandboxes, and debuggers before running. The best defense is caution with unsolicited attachments, especially executables masquerading as documents, and keeping endpoint protection current. Selected defanged indicators from the campaign:
- C2 server: 107[.]189[.]24[.]190 (hxxp://107[.]189[.]24[.]190/)
- Dead drop profile example: hxxps://steamcommunity[.]com/profiles/76561198694626397
- Distribution domains: ctl[.]it-bd[.]com, gor[.]emiraride[.]com, gre[.]syslicense[.]net, lat[.]sodstreams[.]com
- Sample MD5: 0b8af4afd26175ba818c0fdb4622bf14, 2fba9ec34fdf4b1584dd9c69b9ec9393
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.