A new report released today by secure access service edge provider Aryaka Networks Inc. is warning of the growing threat from Vidar, a malware-as-a-service infostealer that has surged in prominence since first appearing in 2018.
Vidar entered the malware scene as a spinoff from the Arkei family of malware, before evolving today into a more powerful, standalone platform with modular architecture and plugin support. Its growing popularity in the cybercriminal community in 2025 is said in the report to be due to its ease of deployment, which allows even low-skilled actors to carry out credential theft and data exfiltration campaigns targeting individuals and enterprises alike.
It’s primarily distributed through phishing emails, drive-by downloads and malvertising campaigns disguised as legitimate software updates. The campaigns are intentionally designed to blend into everyday interactions and hence trick users.
Once deployed, Vidar harvests a wide range of data, ranging from browser cookies, credentials and credit card details to cryptocurrency wallets, two-factor authentication app data and authentication tokens from messaging and gaming platforms.
Vidar is powered by a PowerShell script that can steal data from a remote server through the use of stealth techniques such as randomized filenames and spoofed user agents. The script also disables Microsoft’s Antimalware Scan Interface, sets Windows Defender exclusions and creates scheduled tasks to ensure persistence.
Once running, Vidar injects into trusted processes such as msbuild.exe and hijacks the CryptProtectMemory application programming interface to intercept sensitive browser data before encryption. Command-and-control infrastructure is dynamically retrieved through a dead drop resolver method that uses Telegram and Steam profiles, making detection even harder.
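A defender-side illustration of the behaviours just described, added here and not taken from Aryaka's report: a small Python triage script that scans constructed endpoint telemetry for the Defender exclusion, scheduled-task persistence, AMSI tampering and build-process dead-drop lookups attributed to Vidar. The event format, the Telegram and Steam profile hosts and the sample values are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs): (source, process, detail).
# 'process' = command line, 'script' = PowerShell script block text, 'network' = outbound URL.
SAMPLE_EVENTS = [
    ("process", "powershell.exe", "Add-MpPreference -ExclusionPath C:\\Users\\Public\\upd"),
    ("process", "powershell.exe", "schtasks /create /sc onlogon /tn SysUpdate /tr C:\\Users\\Public\\upd\\run.ps1"),
    ("script", "powershell.exe", "$t = 'System.Management.Automation.AmsiUtils'"),
    ("network", "msbuild.exe", "https://t.me/placeholder_profile"),
    ("network", "msbuild.exe", "https://steamcommunity.com/profiles/0000000000000000"),
    ("process", "msbuild.exe", "msbuild.exe C:\\src\\app.csproj /t:Build"),
    ("network", "chrome.exe", "https://steamcommunity.com/profiles/0000000000000000"),
]

# Behaviours the report attributes to Vidar, expressed as simple detection rules.
COMMAND_RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}
SCRIPT_RULES = {
    "amsi_tamper": re.compile(r"AmsiUtils", re.I),
}
# Assumed profile hosts for the Telegram/Steam dead-drop resolver, and the
# trusted process the report names as an injection target.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
INJECTION_TARGETS = {"msbuild.exe"}


def classify(event):
    """Return the name of the rule an event triggers, or None if it looks benign."""
    source, process, detail = event
    if source == "process":
        for name, pattern in COMMAND_RULES.items():
            if pattern.search(detail):
                return name
    elif source == "script":
        for name, pattern in SCRIPT_RULES.items():
            if pattern.search(detail):
                return name
    elif source == "network":
        host = urlparse(detail).hostname or ""
        # A build tool fetching a chat or gaming profile page is the dead-drop lookup;
        # a browser fetching the same page is ordinary user traffic.
        if host in DEAD_DROP_HOSTS and process.lower() in INJECTION_TARGETS:
            return "dead_drop_resolution"
    return None


def detect(events):
    """Return {rule_name: [process, ...]} for every event that matched a rule."""
    hits = {}
    for event in events:
        rule = classify(event)
        if rule:
            hits.setdefault(rule, []).append(event[1])
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the three PowerShell events and the two msbuild.exe profile lookups while leaving the legitimate build and the browser traffic unflagged.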
Aryaka researchers note that Vidar’s layered approach, which includes Antimalware Scan Interface bypasses, process injection, API hooking and Transport Layer Security-encrypted exfiltration, allows it to evade both signature-based and behavioral defenses. Combined with its ability to intercept credentials before they are encrypted and to dynamically hide its infrastructure, this adds to its persistence and makes it a serious tool for financially motivated cybercrime.
The report recommends that to protect against malware such as Vidar, enterprises should adopt a layered defense strategy. Ideally that includes secure access service edge deployments with multiple checkpoints, including DNS filtering, secure web gateways, application-aware firewalls, intrusion detection and endpoint controls.