























Hundreds of GitHub repositories seemingly offering “free game cheats” deliver malware, including the Vidar infostealer, Acronis Threat Research Unit (TRU) has found.
While the identified malicious repositories already target “virtually every major online game title,” the security researchers estimate the true number “could be in the thousands”, they warned in a report published on March 17.
They also found Reddit posts mentioning and promoting a game cheat for Counter-Strike 2 leading to a fake website that encourages the user to download and install Vidar 2.0.
The campaigns delivering the infostealer start, like most typical cheat campaigns, in Discord chat rooms or Reddit communities dedicated to cheating in specific online games, said Acronis TRU.
“In their simplest form, campaigns take the shape of an offer for a ‘free’ cheating tool,” the researchers wrote.
The targeted users become “the perfect victims” as they are willingly looking for software that operates outside legitimate channels. Therefore, they expect the software to behave in ways that might trigger security warnings and they have strong incentive not to report any suspicious activity to authorities.
Moreover, the researchers noted that cheats typically require deep system access, making it easier for malicious actors to lure users into installing malware that bypasses traditional defenses.
Several fake GitHub repositories identified by the researchers distribute the Vidar 2.0 infostealer variant masking as game cheats or hardware ID ban bypass software.
In this campaign, it lures the victim to download the software named TempSpoofer.exe, Monotone.exe or CFXBypass.exe.
These first-stage payloads, disguised as game cheats, are PowerShell scripts compiled into .NET executables using PS2EXE, allowing them to bypass basic script-based detections while appearing as legitimate applications.
The PowerShell loader then executes a multi-stage infection process:
The Vidar Stealer 2.0 payload then:
In another campaign, attackers spread Vidar 2.0 through Reddit posts advertizing fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers EzFrags_Private.zip.
The archive contains a self-extracting (SFX) executable with an invalid digital signature, raising suspicion.
Upon execution, the loader extracts an embedded cabinet archive and runs a command to process Perfume.mdb, a script obfuscated with randomized variable names to hinder analysis.
The script then creates a directory (123043) and assembles Typically.com, a compiled AutoIt interpreter, by stitching together file fragments. It then builds the Vidar 2.0 payload from multiple .mdb files and executes it via AutoIt.
The final payload connects to the same C2 infrastructure seen in prior campaigns, suggesting the same threat actor or group is behind both operations.
The real novelty in the campaigns detected by Acronis TRU is the delivery of Vidar 2.0.
Vidar is an infostealer capable of extracting browser credentials, cookies and autofill data, as well as Azure tokens, cryptocurrency wallets, FTP/SSH credentials, Telegram, Discord and local files.
According to the researchers, Vidar 2.0 represents a significant technical evolution from the first version of the infostealer, with enhanced capabilities including:
“Taken together, these capabilities make Vidar 2.0 a powerful and stealthy threat, often completing its mission before victims are aware anything is wrong, and well before stolen data can be recovered or invalidated,” the researchers highlighted.
The latest version of the Vidar Sealer has risen in adoption after law enforcement actions against two of the most prominent infostealers, Lumma and Rhadamanthys.
“This demonstrates how enforcement action reshapes the threat landscape: criminal demand simply migrates, and defenders must remain vigilant and informed,” the researchers concluded.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。