Vidar Stealer 2.0 has been released, and the updated infostealer claims to offer improved performance with advanced credential stealing and evasion abilities, features that will necessitate even greater vigilance on the part of security teams.
Vidar is already one of the top infostealers, and the recent decline of Lumma will likely make Vidar even more active in the coming months.
Vidar Stealer 2.0: Rewritten for More Efficient Credential Theft
A Vidar developer who goes by “Loadbaks” announced the release of Vidar Stealer 2.0 on underground forums earlier this month. Loadbaks claimed that rewriting the software in C “gave a huge increase in stability and speed” by eliminating C++ dependencies and runtime overhead.
In a new technical analysis of the malware, Trend Micro Threats Analyst Junestherry Dela Cruz said the new version is built on “a complete transition from C++ to a pure C implementation” for greater performance and efficiency.
Vidar 2.0 introduces “a range of concerning features, including advanced anti-analysis measures, multithreaded data theft capabilities, and sophisticated methods for extracting browser credentials,” Dela Cruz said. “With a consistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient.”
Throughout its seven-year history, Vidar has distanced itself from competitors like Raccoon and RedLine by adding support for new features and earning a reputation for reliable support, the threat researcher said. The latest version adds even more distance between Vidar and competitors.
Multithreaded Architecture Means Faster Theft, Less Detection Time
The malware’s multithreaded architecture allows for more efficient use of multi-core processors. The Vidar developer claims that performing data collection tasks in parallel threads greatly speeds up data collection and exfiltration.
Dela Cruz said Trend’s analysis shows that the malware employs “an advanced multi-threading system that automatically adjusts its performance based on the victim’s computer specifications. It scales its operations by creating more worker threads on powerful systems and fewer threads on weaker machines, ensuring optimal performance without overwhelming the target system. This approach allows the malware to steal data from multiple sources simultaneously – such as browsers, cryptocurrency wallets, and files – rather than processing them one at a time.”
In addition to stealing from multiple sources simultaneously, the parallel processing feature also reduces the time the malware needs to remain active on the system, “making it harder for security software to detect and stop the theft operation,” Dela Cruz said.
Vidar 2.0 Claims to Bypass Chrome AppBound Security
Loadbaks, the Vidar developer, also claimed that Vidar 2.0 has “unique” methods for bypassing Chrome’s AppBound encryption, which prevents credential extraction by binding encryption keys to specific applications.
Dela Cruz said binary analysis shows that Vidar 2.0 “implements comprehensive browser credential extraction capabilities targeting both traditional browser storage methods and Chrome’s latest security protections across multiple browser platforms.”
The malware uses a tiered approach that includes “systematic enumeration of browser profiles” and attempts to extract encryption keys from Local State files using standard DPAPI decryption, the researcher said.
Vidar 2.0 can also launch browsers with debugging enabled and inject malicious code into running browser processes via shellcode or reflective DLL injection.
“The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts,” Dela Cruz wrote. “This approach can bypass Chrome’s AppBound encryption protections by stealing keys from active memory rather than attempting to decrypt them from storage.”
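A browser started with remote debugging enabled by an unexpected parent process is the most observable part of the technique described above. The following is an added detection example, not Trend Micro's analysis code or anything from Vidar: it runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and flags Chromium-based browsers launched with the real DevTools switches `--remote-debugging-port`, `--remote-debugging-pipe` or `--remote-allow-origins`, unless the parent is on a hypothetical allowlist of developer tooling.

```python
"""Added detection example (constructed events, not real telemetry): flag a
Chromium-based browser launched with remote-debugging switches by a parent
that is not known developer tooling."""
import re
from typing import Dict, List, Optional

# Browser executables whose stored credentials the technique targets
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Real Chromium switches that expose the DevTools protocol to another process
DEBUG_FLAG_RE = re.compile(
    r"--remote-(?:debugging-port|debugging-pipe|allow-origins)(?:=\S+)?",
    re.IGNORECASE,
)

# Hypothetical allowlist of parents that legitimately drive browsers through
# DevTools (IDEs, browser automation). Tune per environment; keep it short.
ALLOWED_PARENTS = {"code.exe", "chromedriver.exe", "node.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious browser launch, or None."""
    image = _basename(event.get("Image", ""))
    if image not in BROWSER_IMAGES:
        return None
    flags = DEBUG_FLAG_RE.findall(event.get("CommandLine", ""))
    if not flags:
        return None
    parent = _basename(event.get("ParentImage", ""))
    if parent in ALLOWED_PARENTS:
        return None
    return {"image": image, "parent": parent, "flags": flags}


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run inspect_event over a batch of process-creation events."""
    return [finding for finding in map(inspect_event, events) if finding]


# Constructed sample telemetry: a normal launch, a launch from an unknown
# binary in a temp directory, an allowlisted developer session, and a
# launch from a shell. Paths and names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": '"chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --remote-debugging-port=9222 --headless",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --remote-debugging-port=9222",
     "ParentImage": r"C:\Users\user\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --remote-debugging-pipe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding['image']} started by {finding['parent']} with {finding['flags']}")
```

The allowlist is the tuning knob: developers and test pipelines do launch browsers this way, so the rule is only low-noise once the legitimate parents in a given fleet are enumerated. Pairing the hit with a check of the parent's signature and path (temp directories, user-writable locations) is the usual next triage step.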
Polymorphic Builder Boosts Evasion Techniques
Loadbaks also claimed that Vidar 2.0 includes an automatic polymorphic builder “so every build is now unique,” giving each sample a distinct binary signature that makes static detection more difficult.
Dela Cruz said the updated malware “employs heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines that can make reverse engineering more difficult. This obfuscation method transforms the natural program flow into a series of state transitions controlled by switch statements, effectively obscuring the original program logic.”
The researcher said the control flow flattening technique has also been seen in Lumma samples, “suggesting the adoption of similar obfuscation frameworks within the information stealer ecosystem.”
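To make the flattening pattern concrete for analysts, here is an added illustration in Python (not code from Vidar, Lumma or Trend Micro): a readable checksum routine, the same logic after control-flow flattening into a numeric state machine driven by one dispatcher loop, and the first de-flattening step, walking the recorded state transitions to recover the real control-flow graph. The routine, the state values and the dispatcher table are all constructed for the example.

```python
"""Added illustration of control-flow flattening (CFF) and of recovering the
hidden control-flow graph. Constructed example, not malware code."""
from typing import Dict, List, Set, Tuple


def checksum_plain(data: bytes) -> int:
    """Readable original: 16-bit additive checksum that stops at a 0xFF sentinel."""
    total = 0
    for b in data:
        if b == 0xFF:
            break
        total = (total + b) & 0xFFFF
    return total


def checksum_flattened(data: bytes) -> int:
    """Same logic after flattening: each basic block sits behind an arbitrary
    numeric state in a single switch-like dispatcher, so the loop structure is
    no longer visible in the program's shape. State values are meaningless."""
    state = 0x3A7
    total = i = b = 0
    while True:                         # dispatcher loop
        if state == 0x3A7:              # block: init
            total = i = 0
            state = 0x1C2
        elif state == 0x1C2:            # block: loop condition
            state = 0x58E if i < len(data) else 0x0F1
        elif state == 0x58E:            # block: load byte, test sentinel
            b = data[i]
            state = 0x0F1 if b == 0xFF else 0x29D
        elif state == 0x29D:            # block: accumulate and advance
            total = (total + b) & 0xFFFF
            i += 1
            state = 0x1C2
        elif state == 0x0F1:            # block: exit
            return total
        else:
            raise RuntimeError("unreachable dispatcher state")


# What an analyst records while reading the dispatcher: for each state, a
# label for the block and the states it can transition to. Constructed here
# by hand from checksum_flattened above.
DISPATCHER: Dict[int, Tuple[str, List[int]]] = {
    0x3A7: ("init", [0x1C2]),
    0x1C2: ("loop_cond", [0x58E, 0x0F1]),
    0x58E: ("load_byte", [0x0F1, 0x29D]),
    0x29D: ("accumulate", [0x1C2]),
    0x0F1: ("exit", []),
}


def recover_cfg(table: Dict[int, Tuple[str, List[int]]], entry: int) -> Set[Tuple[str, str]]:
    """Walk the state transitions from the entry state and return the edges of
    the control-flow graph hidden behind the dispatcher. Once the edges are
    known, the blocks can be re-laid out as the original loop; that is the
    core of a de-flattening script."""
    edges: Set[Tuple[str, str]] = set()
    seen: Set[int] = set()
    stack = [entry]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        name, successors = table[state]
        for nxt in successors:
            edges.add((name, table[nxt][0]))
            stack.append(nxt)
    return edges


if __name__ == "__main__":
    sample = b"\x01\x02\x03"
    print(checksum_plain(sample), checksum_flattened(sample))
    for edge in sorted(recover_cfg(DISPATCHER, 0x3A7)):
        print("%s -> %s" % edge)
```

In a real sample the state variable is usually updated through arithmetic or opaque predicates rather than plain constants, and one function may hold dozens of states, but the shape is the same: one loop, one comparison chain on a state variable, and real work only inside the cases. Spotting that shape is how the researcher's observation of the same framework across Vidar and Lumma is made in practice.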
“The malware’s technical capabilities, proven developer track record since 2018, and competitive pricing position it as a likely successor to Lumma Stealer’s dominant market position,” Dela Cruz concluded.