惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
月光博客
月光博客
雷峰网
雷峰网
WordPress大学
WordPress大学
博客园 - 司徒正美
Last Week in AI
Last Week in AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Visual Studio Blog
H
Help Net Security
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
Security @ Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
爱范儿
爱范儿
W
WeLiveSecurity
J
Java Code Geeks
Forbes - Security
Forbes - Security
H
Hacker News: Front Page
T
Threatpost
The Cloudflare Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
Latest news
Latest news
V2EX - 技术
V2EX - 技术
小众软件
小众软件
T
The Blog of Author Tim Ferriss
A
Arctic Wolf
B
Blog RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
I
InfoQ
C
Check Point Blog
N
News | PayPal Newsroom
Cyberwarzone
Cyberwarzone
V
V2EX
TaoSecurity Blog
TaoSecurity Blog
P
Privacy & Cybersecurity Law Blog
Microsoft Security Blog
Microsoft Security Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
D
DataBreaches.Net
F
Fortinet All Blogs
阮一峰的网络日志
阮一峰的网络日志
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com

www.infosecurity-magazine.com

Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month Google Chrome Rolls Out Protection Against Infostealers Targeting Session Cookies STX RAT Targets Finance Sector With Advanced Stealth Tactics Bitcoin Depot Reports $3.6m Crypto Theft After System Breach Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group Governance Gaps Emerge as AI Agents Drive 76% Increase in NHIs Google Warns of New Threat Group Targeting BPOs and Helpdesks Google API Keys Quietly Gain Access to Gemini on Android Devices Critical Vulnerability in Ninja Forms Exposes WordPress Sites Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years Iran‑Backed Threat Actors Hit US CNI Providers via Internet‑Facing OT Assets Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs New 'Storm' Infostealer Remotely Decrypts Stolen Credentials NCSC Issues Security Alert Over Hackers Targeting WhatsApp and Signal Accounts Apple Expands iOS 18 Security Updates Amid DarkSword Threat Researchers Observe Sub-One-Hour Ransomware Attacks GitHub Used as Covert Channel in Multi-Stage Malware Campaign Most CNI Firms Face Up to £5m in Downtime from OT Attacks Google Introduces Android Dev Verification Amid Openness Debate New Venom Stealer MaaS Platform Automates Continuous Data Theft Chinese Hackers Target European Governments in Espionage Campaigns Eight in 10 UK Manufacturers Hit by Cyber Incident in a Year Hackers Hijack Axios npm Package to Spread RATs Maryland Man Charged Over $53m Uranium Finance Crypto Hack Phantom Project Bundles Infostealer, Crypter and RAT For Sale ChatGPT Security Issue Enabled Data Theft via Single Prompt TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets Employee Data Breaches Surge to Seven-Year High NCSC Urges Immediate Patching of F5 BIG-IP Bug Cybercriminals Exploit Tax Season With New Phishing Tactics Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection Critical Citrix NetScaler Vulnerability Exploited in the Wild ICO Fines UK Nuisance Call Scammers £100,000 European Commission Confirms Cloud Data Breach New Wave of AiTM Phishing Targets TikTok for Business TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack Quantum Computing Threat to Encryption Is Closer Than Expected, Warns Google UK Cracks Down on Chinese Crypto Marketplace for Funding Southeast Asia Scam Hubs Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts AI Becomes the Top Cybersecurity Priority for Defenders as Criminals Exploit It, PwC Warns OpenAI Expands Bug Bounty to Cover AI Abuse and 'Safety' Concerns Iran-Linked Pay2Key Ransomware Group Re-Emerges Invoice Fraud Costs UK Construction Sector Millions, NCA Warns Cloud Phones Linked to Rising Financial Fraud Threat Hackers Exploit Compromised Enterprise Identities at Industrial Scale, Warns SentinelOne US: FCC Bans Foreign-Made Routers Over National Security Concerns TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise Experts Sound Alarm Over “Prompt Poaching” Browser Extensions Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown RSA Conference: UK NCSC Head Urges Industry to Develop Vibe Coding Safeguards Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity Europe Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security Russian Initial Access Broker Handed 81-Month Sentence Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals Most Cybersecurity Staff Don’t Know How Fast They Could Stop a Cyber-Attack on AI Systems Tycoon2FA Phishing Service Resumes Activity Post-Takedown High-Tech Sector Overtakes Finance as Top Target for Cyber-Attacks, Mandiant Reports Trivy Supply Chain Attack Expands With New Compromised Docker Images CISA Orders US Government to Patch Maximum Severity Cisco Flaw Operation Alice Takes Down 370,000+ Dark Web Sites Hackers Exploit Critical Langflow Bug in Just 20 Hours NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation Financial Brands Targeted in Global Mobile Banking Malware Surge FCA Updates Cyber Incident and Third-Party Reporting Rules AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs New Ubuntu Flaw Enables Local Attackers to Gain Root Access Crypto Scam "ShieldGuard" Dismantled After Malware Discovery AI-Enabled Adversaries Compress Time-to-Exploit Following Vulnerability Disclosure AI Issues Will Drive Half of Incident Response Efforts by 2028, Says Gartner Android OS-Level Attack Bypasses Mobile Payment Security 'CursorJack’ Attack Path Exposes Code Execution Risk in AI Development Environment Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears Average Number of Daily API Attacks Up 113% Annually Aeternum Botnet Shifts Command Control to Polygon Blockchain Leading Semiconductor Supplier Advantest Hit by Ransomware Attack Remcos RAT Expands Real-Time Surveillance Capabilities SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns Google Warns of In the Wild Exploit as It Patches New Chrome Zero Day Phorpiex Phishing Delivers Low-Noise Global Group Ransomware BridgePay Confirms Ransomware Attack, No Card Data Compromised New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability Labyrinth Chollima Evolves into Three North Korean Hacking Groups Google Disrupts Extensive Residential Proxy Networks
Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats
Kevin Poireault · 2026-03-18 · via www.infosecurity-magazine.com

Hundreds of GitHub repositories seemingly offering “free game cheats” deliver malware, including the Vidar infostealer, Acronis Threat Research Unit (TRU) has found.

While the identified malicious repositories already target “virtually every major online game title,” the security researchers estimate the true number “could be in the thousands”, they warned in a report published on March 17.

They also found Reddit posts mentioning and promoting a game cheat for Counter-Strike 2 leading to a fake website that encourages the user to download and install Vidar 2.0.

The campaigns delivering the infostealer start, like most typical cheat campaigns, in Discord chat rooms or Reddit communities dedicated to cheating in specific online games, said Acronis TRU.

“In their simplest form, campaigns take the shape of an offer for a ‘free’ cheating tool,” the researchers wrote.

The targeted users become “the perfect victims” as they are willingly looking for software that operates outside legitimate channels. Therefore, they expect the software to behave in ways that might trigger security warnings and they have strong incentive not to report any suspicious activity to authorities.

Moreover, the researchers noted that cheats typically require deep system access, making it easier for malicious actors to lure users into installing malware that bypasses traditional defenses.

GitHub Repository Distribution Chain

Several fake GitHub repositories identified by the researchers distribute the Vidar 2.0 infostealer variant masking as game cheats or hardware ID ban bypass software.

In this campaign, it lures the victim to download the software named TempSpoofer.exe, Monotone.exe or CFXBypass.exe.

These first-stage payloads, disguised as game cheats, are PowerShell scripts compiled into .NET executables using PS2EXE, allowing them to bypass basic script-based detections while appearing as legitimate applications.

The PowerShell loader then executes a multi-stage infection process:

  1. Defender evasion: adds an exclusion to Windows Defender for an attacker-controlled directory, preventing scanning of subsequent malicious payloads
  2. Command-and-control (C2) communication: retrieves a secondary payload URL from a hard-coded Pastebin link, which points to a GitHub-hosted executable
  3. Payload delivery: creates a hidden directory in %AppData%, adds it to Defender’s exclusion list, and downloads background.exe (a Themida-packed Vidar Stealer 2.0).
  4. Execution and privilege escalation: verifies the file’s integrity (MZ header check), hides it from the user, and attempts to elevate privileges via runas
  5. Persistence: establishes a scheduled task (SystemBackgroundUpdate) to run at logon with elevated privileges

The Vidar Stealer 2.0 payload then:

  • Creates a directory in %ProgramData% to store stolen data
  • Exfiltrates data to C2 servers masked via Telegram and Steam dead-drop resolvers (e.g., hxxps://telegram[.]me/bul33bt, hxxps://steamcommunity[.]com/profiles/76561198765046918)

Reddit Distribution Chain

In another campaign, attackers spread Vidar 2.0 through Reddit posts advertizing fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers EzFrags_Private.zip.

The archive contains a self-extracting (SFX) executable with an invalid digital signature, raising suspicion.

Upon execution, the loader extracts an embedded cabinet archive and runs a command to process Perfume.mdb, a script obfuscated with randomized variable names to hinder analysis.

The script then creates a directory (123043) and assembles Typically.com, a compiled AutoIt interpreter, by stitching together file fragments. It then builds the Vidar 2.0 payload from multiple .mdb files and executes it via AutoIt.

The final payload connects to the same C2 infrastructure seen in prior campaigns, suggesting the same threat actor or group is behind both operations.

Vidar 2.0: A Stealthier, More Powerful Infostealer

The real novelty in the campaigns detected by Acronis TRU is the delivery of Vidar 2.0.

Vidar is an infostealer capable of extracting browser credentials, cookies and autofill data, as well as Azure tokens, cryptocurrency wallets, FTP/SSH credentials, Telegram, Discord and local files.

According to the researchers, Vidar 2.0 represents a significant technical evolution from the first version of the infostealer, with enhanced capabilities including:

  • Polymorphic builds and multithreaded execution that improve speed and evade static detection
  • Advanced obfuscation, debugger detection, timing checks and virtual machine detection that hinder analysis
  • C2 infrastructure hidden via Telegram bots and Steam profiles as dead drop resolvers

“Taken together, these capabilities make Vidar 2.0 a powerful and stealthy threat, often completing its mission before victims are aware anything is wrong, and well before stolen data can be recovered or invalidated,” the researchers highlighted.

The latest version of the Vidar Sealer has risen in adoption after law enforcement actions against two of the most prominent infostealers, Lumma and Rhadamanthys.

“This demonstrates how enforcement action reshapes the threat landscape: criminal demand simply migrates, and defenders must remain vigilant and informed,” the researchers concluded.