Vidar Stealer Picks Up Steam!

Emerging Threats has observed an uptick in Vidar Stealer malware that abuses Steam user profiles to distribute C2 server configuration. Vidar Stealer is an information stealer that is either a fork of, or closely related to, the Arkei information stealer. According to Check Point, Vidar has become one of the top ten most prevalent malware families following a series of fake Zoom campaigns. Vidar’s goal is usually to steal sensitive information, such as digital wallet data and web browser data, from infected hosts.

When the sample first executes, it begins to profile the machine. One of its first steps is to query api[.]2ip[.]ua to obtain the victim host’s public IP address.


The sample then sends a request to a Telegram account to retrieve the initial C2 server address. The malware uses the following static User-Agent for this request.

Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0

Example GET Request

Telegram C2 Account

C2 Format: '<random name> hxxp://<ip_address>|'

Once the C2 IP address is retrieved, the sample performs a check-in and receives instructions on what data should be stolen.

C2 Instructions in Response

Once the instructions are received, the client downloads a .zip containing several benign DLLs that are used to harvest data from the host. Common names for the archive are:



Contents of

After the resources are downloaded, Vidar creates a .zip containing the stolen data, which is then base64-encoded and exfiltrated via a POST request.
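The exfiltration step above gives a defender something concrete to check for on the wire: a POST body that is valid base64 and decodes to a zip archive. The following is an added example written for this post, not code from the original or from any Vidar analysis tooling. It strictly decodes a request body, checks for the zip local-file-header magic, lists the archive entries and flags names that look like browser or wallet artefacts. The sample body is constructed in code (a zip of made-up files, base64-encoded) so the example runs offline; the entry names and the `INTERESTING` keyword list are assumptions for illustration, not Vidar’s actual archive layout.

```python
from __future__ import annotations

import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip archive

# Entry-name fragments worth flagging inside an uploaded archive.
# Chosen for this example; adjust to the artefacts seen in your own samples.
INTERESTING = ("history", "cookies", "wallet", "screenshot", "password")


def decode_body(body: str) -> bytes | None:
    """Strictly base64-decode a request body; None if it is not valid base64."""
    try:
        return base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(body: str) -> dict | None:
    """Return a summary if the decoded body is a zip archive, otherwise None."""
    raw = decode_body(body)
    if raw is None or not raw.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            entries = zf.namelist()
    except zipfile.BadZipFile:
        entries = []  # magic present but the archive is truncated or corrupt
    return {
        "decoded_size": len(raw),
        "entries": entries,
        "interesting": [e for e in entries
                        if any(k in e.lower() for k in INTERESTING)],
    }


def build_sample_exfil_body() -> str:
    """Constructed stand-in for an exfil POST body: a zip of fake 'stolen' files,
    base64-encoded. File names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system_info.txt", "constructed host profile\n")
        zf.writestr("Browsers/Firefox/history.txt", "https://example.com/ Example\n")
        zf.writestr("screenshot.jpg", b"\xff\xd8\xff\xe0 not a real jpeg")
    return base64.b64encode(buf.getvalue()).decode("ascii")


if __name__ == "__main__":
    summary = inspect_post_body(build_sample_exfil_body())
    print(summary)
```

In a real deployment the body would come from a proxy log or a full-packet capture of the POST; the strict `validate=True` decode keeps ordinary form-encoded or JSON bodies from being mistaken for base64 blobs.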

Exfiltration Traffic

Base64 Decoded Traffic Reveals Stolen Firefox History


Contents Of Exfiltrated .zip

Screen Shot Of The Victim Desktop Is Taken During Execution And Exfiltrated

In another sample, a Steam profile can be seen in memory during execution. Reviewing the profile reveals another C2 address, which is used for further exfiltration.

Steam Profile With C2 Server Address In Username

Additional Checkin And Exfil To C2 Server From Steam Profile

Here are a few Steam profiles that have been used to host C2 server configuration.

  • Profile: hxxps://
  • C2: hxxp://78.47.225[.]61|

  • Profile: hxxps://
  • C2: hxxp://78.47.172[.]233|

  • Profile: hxxps://
  • C2: hxxp://78.46.238[.]118|

  • Profile: hxxps://
  • C2: hxxp://78.47.233[.]145|

  • Profile: hxxps://
  • C2: hxxp://142.132.169[.]161|

  • Profile: hxxps://
  • C2: hxxp://142.132.236[.]84|

We contacted Steam regarding this C2 distribution method; they concluded that it is important for users to be able to share information via their profile and will not be taking action. As of 2023/01/18, all of the above Steam profiles remain active despite the accounts having been reported for abuse.
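Both the Telegram account and the Steam profiles described above carry the C2 server in the same layout, '<random name> hxxp://<ip_address>|', which is also what ET signature 2043334 keys on. The block below is an added example written for this post, not code from the original or from Emerging Threats; it shows how an analyst might pull that layout out of a fetched profile page or a pasted report. The regular expression is my assumption about how to match the described format, not Vidar’s own parser; it accepts both live notation and the defanged notation used in reports, drops hosts that are not valid IPv4 addresses, and flags private addresses, which are more likely noise than a real server. The sample text is constructed (a fake page fragment, not real Steam or Telegram markup); its first IP is one of the indicators listed in this post and the others are made up.

```python
from __future__ import annotations

import re
from ipaddress import IPv4Address, ip_address

# Matches the '<random name> hxxp://<ip_address>|' layout described in the post.
# Assumption for this example, not Vidar's own parser. Accepts live notation
# (http://, 1.2.3.4) and defanged notation (hxxp://, 1.2.3[.]4).
C2_CONFIG_RE = re.compile(
    r"(?P<name>[A-Za-z0-9_\-]+)\s+"                  # the random name
    r"(?P<scheme>h(?:t|x){2}ps?)://"                 # http / https / hxxp / hxxps
    r"(?P<host>(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3})"  # dotted quad, live or defanged
    r"\|"                                            # trailing delimiter
)


def refang(host: str) -> str:
    """Turn 1.2.3[.]4 back into 1.2.3.4 so it can be parsed as an address."""
    return host.replace("[.]", ".")


def extract_c2_config(text: str) -> list[dict]:
    """Return every well-formed C2 config string found in text.

    Candidates whose host is not a valid IPv4 address (e.g. an octet above 255)
    are dropped; private addresses are kept but flagged.
    """
    results = []
    for m in C2_CONFIG_RE.finditer(text):
        try:
            addr = ip_address(refang(m.group("host")))
        except ValueError:
            continue
        if not isinstance(addr, IPv4Address):
            continue
        scheme = "https" if m.group("scheme").endswith("s") else "http"
        results.append({
            "name": m.group("name"),
            "ip": str(addr),
            "url": f"{scheme}://{addr}",
            "private": addr.is_private,
        })
    return results


# Constructed sample: a fake profile-page fragment followed by lines as they
# might be pasted from a report. 78.47.225.61 and 78.47.172.233 are indicators
# from this post; the remaining addresses are made up.
SAMPLE_TEXT = """\
<div class="profile_header">
  <span class="persona_name">qwe78asd http://78.47.225.61|</span>
</div>
<div class="profile_summary">just here for the games</div>
report line: abc123 hxxp://78.47.172[.]233|
lab noise:   zz9 http://10.0.0.5|
malformed:   nope http://999.1.1.1|
"""

if __name__ == "__main__":
    for hit in extract_c2_config(SAMPLE_TEXT):
        flag = " (non-routable, likely noise)" if hit["private"] else ""
        print(f"{hit['name']:>10}  {hit['url']}{flag}")
```

Running the block prints the two public C2 URLs, the flagged private address, and nothing for the malformed line. Feeding it the body of a fetched profile page gives a quick way to confirm or enrich a hit from the network signature.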

Vidar Trojan Analysis, Malware Overview by ANY.RUN
September 2022’s Most Wanted Malware: Formbook on Top While Vidar ‘Zooms’ Seven Places - Check Point Software


## C2 IP Addresses ##

## Files (MD5) ##

## Telegram Accounts ##

## Steam Profiles ##

ET Vidar Signatures

ET MALWARE Arkei/Vidar/Mars Stealer Variant - 2036316
ET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands - 2038523
ET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt - 2038525
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request - 2038524
ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI - 2035873
ET MALWARE Possible Vidar Stealer C2 Config In Steam Profile - 2043334
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil - 2029236
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern - 2034813
ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved - 2035911
ET MALWARE Vidar/Arkei Stealer Client Data Upload - 2025431
ET MALWARE Vidar Stealer CnC Domain in DNS Lookup - 2035872
ET MALWARE Vidar Stealer - FaceIt Checkin Response - 2033066
ET MALWARE Vidar Stealer IP Address in DNS Query Response - 2043248
ET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup - 2040140
ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET) - 2036667
ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil - 2033163
ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download - 2036654
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response - 2853039
ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed - 2853038
ETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin - 2851826
ETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing Data to CnC - 2842708
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving Payload - 2841407
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information - 2841237
ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer Uploading System Information M2 - 2841406