
A new attack campaign involving the “Vidar” malware has been identified

Researchers have identified that the Vidar information-stealing malware has re-emerged with a new and enhanced attack campaign. According to the findings, Vidar, a long-active information stealer observed in circulation since late 2018, has once again been detected targeting more than just passwords. This time, the malware focuses on browser data, session cookies, cryptocurrency wallet files and other sensitive system information.

Technical analysis conducted by specialists indicates that the attacks are executed through a multi-stage infection chain, enabling the malware to bypass modern security defenses. Within this chain, a file named “MicrosoftToolkit.exe” is used as the initial execution point. Subsequently, a series of scripts are executed on the system, additional components are downloaded and the Vidar payload is eventually activated. Once operational, the malware collects user data stored in browsers, session cookies and cryptocurrency wallet information and exfiltrates it to remote servers. At the same time, the malware conceals its communication by leveraging legitimate services such as Telegram and Steam to mask its traffic.
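The two observable behaviours in the chain above, the MicrosoftToolkit.exe loader launching scripts and C2 traffic hidden behind Telegram and Steam, can be turned into simple detections over endpoint telemetry. The following is an added example written for this page, not code from the report or its researchers; the Sysmon-style event layout, the script-host list, the allowlist of processes expected to talk to those services and the sample events are all assumptions.

```python
# Added example (not from the report): a minimal detection pass over constructed,
# Sysmon-style process-creation and network-connection events. Only the loader
# file name and the Telegram/Steam masking come from the report; the event
# layout, script-host list and allowlists are assumptions.
from typing import Dict, List

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ABUSED_SERVICES = ("telegram.org", "t.me", "steamcommunity.com")
# Processes for which traffic to those services is expected (assumed allowlist).
EXPECTED_CLIENTS = {"telegram.exe", "steam.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per event that matches either rule."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent, child = _basename(e["parent_image"]), _basename(e["image"])
            # Rule 1: the initial loader spawning a script interpreter.
            if parent == "microsofttoolkit.exe" and child in SCRIPT_HOSTS:
                findings.append(f"loader-spawned script host: {parent} -> {child}")
        elif e["type"] == "network_connect":
            proc, host = _basename(e["image"]), e["dest_host"].lower()
            # Rule 2: Telegram/Steam traffic from a process with no reason to use them.
            if host.endswith(ABUSED_SERVICES) and proc not in EXPECTED_CLIENTS:
                findings.append(f"unexpected service traffic: {proc} -> {host}")
    return findings


# Constructed sample telemetry; paths and names are not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Users\u\Downloads\MicrosoftToolkit.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "dest_host": "steamcommunity.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 deliberately ignores the legitimate Telegram client and browsers, so it only fires when the service domains are reached from an unexpected binary, which is the pattern the masking technique relies on.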

According to expert assessments, after execution Vidar employs mechanisms aimed at minimizing its footprint on the system, including deleting its own files, terminating processes and detecting analysis environments.

Experts recommend that affected systems be immediately isolated from the network, all credentials be reset, active sessions be terminated and multi-factor authentication be enforced. Additionally, a full system reinstallation and continuous network traffic monitoring are considered essential measures.
