A sophisticated information-stealing malware known as Vidar Stealer has undergone a complete architectural transformation with the release of version 2.0, introducing advanced capabilities that enable it to bypass Chrome’s latest security protections through direct memory injection techniques.
Released on October 6, 2025, by its developer “Loadbaks” on underground forums, this new iteration features a complete rewrite from C++ to pure C, implementing a multithreaded architecture that significantly enhances its data exfiltration speed and evasion capabilities.
The timing of Vidar 2.0’s emergence coincides with a notable decline in Lumma Stealer activity, positioning Vidar as a potential successor in the information stealer ecosystem.
Priced at $300 for lifetime access, the malware offers cybercriminals a cost-effective yet powerful toolset capable of systematically targeting credentials from browsers, cryptocurrency wallets, cloud services, gaming platforms, and communication applications including Discord and Telegram.
The malware’s enhanced anti-analysis measures and sophisticated credential extraction methods represent a concerning evolution in the information stealer threat landscape.
Vidar originally emerged in 2018 on Russian-language underground forums, initially leveraging the Arkei stealer source code.
Over the years, it has distinguished itself from competitors like Raccoon and RedLine through consistent updates supporting new browsers, wallets, and two-factor authentication applications.
Trend Micro analysts identified that the latest version introduces four significant architectural changes: a complete C language rewrite for enhanced stability and speed, a multithreaded system that dynamically scales based on victim computer specifications, advanced browser credential extraction capabilities, and an automatic polymorphic builder that generates unique binary signatures for each build.
The multithreaded architecture represents one of Vidar 2.0’s most significant enhancements, allowing the malware to perform data collection tasks across multiple parallel threads.
This system automatically adjusts performance by creating more worker threads on powerful systems and fewer threads on weaker machines, ensuring optimal operation without overwhelming the target.
The parallel processing significantly reduces the time the malware needs to remain active on compromised systems, making detection and intervention by security software substantially more challenging.
Chrome AppBound Encryption Bypass Through Memory Injection
Vidar 2.0’s most notable technical change is its ability to bypass Chrome’s AppBound encryption protections through memory injection.
According to the developer, the malware has “implemented unique appBound methods that aren’t found in the public domain,” specifically targeting Chrome’s enhanced security measures designed to prevent unauthorized credential extraction by binding encryption keys to specific applications.
This represents a direct challenge to Chrome’s latest security enhancements aimed at protecting user credentials from information stealers.
The malware employs a tiered approach to browser credential extraction, initially attempting traditional methods such as systematic enumeration of browser profiles and extraction of encryption keys from Local State files using standard DPAPI decryption.
When these conventional techniques fail against Chrome’s AppBound encryption, Vidar 2.0 escalates to an advanced technique that launches target browsers with debugging enabled and injects malicious code directly into running browser processes using either shellcode or reflective DLL injection.
The injected payload operates entirely within browser memory, extracting encryption keys directly from the active process address space rather than attempting to decrypt them from storage.
This memory-based approach effectively circumvents Chrome’s AppBound encryption because it steals keys that are already decrypted and in use by the legitimate browser process.
The stolen encryption keys are then communicated back to the main malware process via named pipes, a technique that avoids creating disk artifacts that could be detected by forensic analysis or security software.
This dual-pronged extraction strategy, targeting both traditional browser storage and Chrome’s latest protections across Chrome, Firefox, Edge, and other Chromium-based browsers, demonstrates the malware’s comprehensive approach to credential theft.