Vidar infostealer evolves, uses image files for stealthy attacks

Per HackRead, hackers are embedding malicious code within everyday files like JPEG images and text documents to deploy a new version of the Vidar infostealer. The malware has transformed from a simple password stealer into an adaptable attack framework utilizing a multi-stage infection chain.

The latest Vidar campaign leverages social engineering, exploiting a recent Claude Code leak by setting up fake GitHub repositories. Developers are lured into downloading trojanized versions of the tool. Attackers also use Reddit, Discord, and compromised WordPress sites to trick users into running malicious commands disguised as game cheats or CAPTCHA verifications.

The infection chain begins with VBScript and PowerShell, leading to a Go-compiled loader. The malware uses steganography to hide Base64-encoded data within seemingly normal JPEG and TXT files, reconstructing the Vidar payload in memory. It employs living-off-the-land techniques, abusing Windows binaries like WScript and PowerShell for stealth. This fileless approach evades most security scanners.

The infostealer targets credentials, crypto wallets, and session data from over 200 browser extensions, exfiltrating the stolen information via Telegram and Cloudflare-fronted domains to conceal attacker activity.

Source: HackRead
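A defender-side triage check for the steganography stage described above, added here as an example and not code from HackRead or from the Vidar campaign itself. It assumes the hidden data is a contiguous Base64 run inside the decoy file (for the JPEG case, appended after the EOI marker); the article does not say exactly where the data sits, so the sample files below are constructed.

```python
import base64
import re

# Constructed sample, not a real capture: a tiny JPEG skeleton (SOI, JFIF APP0
# header, EOI) with a Base64-encoded fake PE blob appended after the EOI marker.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 100 + b"This program cannot be run in DOS mode"
CLEAN_JPEG = b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
SUSPECT_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PAYLOAD)

JPEG_EOI = b"\xff\xd9"
# Heuristic: a run of at least 64 Base64-alphabet bytes, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last EOI marker; a well-formed JPEG should have none."""
    idx = data.rfind(JPEG_EOI)
    return b"" if idx == -1 else data[idx + len(JPEG_EOI):]


def decode_lenient(blob: bytes) -> bytes:
    """Decode a Base64 run, repairing missing padding; empty bytes on failure."""
    blob = blob.rstrip(b"=")
    blob += b"=" * ((-len(blob)) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def looks_like_pe(decoded: bytes) -> bool:
    """Cheap check for a Windows executable: MZ header or the DOS stub string."""
    return decoded.startswith(b"MZ") or b"cannot be run in DOS mode" in decoded


def triage(data: bytes) -> dict:
    """Summarise steganography indicators for one JPEG or TXT file's bytes."""
    runs = B64_RUN.findall(data)
    pe_blobs = [len(d) for d in map(decode_lenient, runs) if d and looks_like_pe(d)]
    return {
        "trailing_bytes": len(trailing_bytes(data)),  # >0: data appended after EOI
        "b64_runs": len(runs),
        "pe_like_blobs": pe_blobs,  # decoded sizes of runs that look executable
    }


if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("suspect.jpg", SUSPECT_JPEG)):
        print(name, triage(blob))
```

The same `triage` function works on the TXT decoys mentioned in the article, since the Base64-run scan does not depend on the JPEG structure.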