Malware Family

Vidar Stealer

Also known as: Vidar

Vidar is a long-running infostealer, derived from the older Arkei stealer, that collects browser credentials, cookies, cryptocurrency wallets, and files from Windows machines. It is known for using social-media profiles and other web pages to dynamically retrieve its command-and-control configuration.

What is Vidar Stealer?

Vidar is an infostealer that emerged from the Arkei malware lineage and has remained active for years under a malware-as-a-service model. It is valued by criminals for its modular configuration and its technique of hiding C2 server addresses inside legitimate web services.

How Vidar works

A distinctive Vidar trait is "dead drop resolving": rather than hard-coding its C2 address, Vidar reads it from attacker-controlled profiles on legitimate platforms (such as social-media bios). This makes the malware resilient to takedowns and harder to block by static indicators. Once it has its configuration, Vidar collects browser data, cookies, wallets, and targeted files, then exfiltrates them as a stealer log.
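One way a defender can hunt for the dead-drop pattern described above is to correlate, per process, a fetch of a profile page on a known dead-drop platform with a connection to a bare IP address shortly afterwards. The following is an added example, not VantaPrism's code or Vidar's; the log format, the `DEAD_DROP_HOSTS` list, the 60-second window and the sample log lines are all constructed assumptions that would need tuning to a real proxy log.

```python
"""Toy detection heuristic for "dead drop resolving" style C2 retrieval.

Added example (not VantaPrism code). The log format, the dead-drop host
list, the time window and the sample lines are constructed assumptions:
a process that fetches a profile page on a listed platform and then,
within a short window, connects to a bare IP (no hostname) is flagged.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample proxy log, one event per line:
# "<ISO timestamp> <pid> <process> <method> <url>"
SAMPLE_LOG = """\
2026-06-01T10:00:01 4412 explorer.exe GET https://www.example-social.test/profile/abc123
2026-06-01T10:00:04 4412 explorer.exe POST http://203.0.113.45/
2026-06-01T10:03:10 5120 chrome.exe GET https://www.example-social.test/profile/friend
2026-06-01T10:20:00 5120 chrome.exe GET https://news.example.test/index.html
2026-06-01T11:00:00 6001 svchost.exe POST http://198.51.100.7/upload
"""

# Hosts treated as possible dead-drop platforms (assumption; tune per environment).
DEAD_DROP_HOSTS = {"www.example-social.test"}
# Maximum gap between the profile fetch and the bare-IP connection (assumption).
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (GET|POST) (\S+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, proc, method, url = m.groups()
    host_match = HOST_RE.match(url)
    if not host_match:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "proc": proc,
        "method": method,
        "url": url,
        "host": host_match.group(1),
    }


def is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_candidates(log_text, window=WINDOW):
    """Return connections that look like a C2 address was just read from a dead drop.

    For each process, remember the most recent fetch of a dead-drop host;
    a later connection by the same pid to a bare IP within `window` is a hit.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_profile_fetch = {}  # pid -> timestamp of most recent dead-drop-host fetch
    hits = []
    for e in events:
        if e["host"] in DEAD_DROP_HOSTS:
            last_profile_fetch[e["pid"]] = e["ts"]
            continue
        if is_bare_ip(e["host"]):
            t0 = last_profile_fetch.get(e["pid"])
            if t0 is not None and e["ts"] - t0 <= window:
                hits.append({
                    "pid": e["pid"],
                    "proc": e["proc"],
                    "ip": e["host"],
                    "delta_s": (e["ts"] - t0).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_candidates(SAMPLE_LOG):
        print(f"review: pid={hit['pid']} {hit['proc']} -> {hit['ip']} "
              f"{hit['delta_s']:.0f}s after a dead-drop profile fetch")
```

In the sample, only `explorer.exe` (pid 4412) trips the heuristic: it fetches a listed profile page and posts to a bare IP three seconds later. The `chrome.exe` profile visit is followed by a normal hostname, and `svchost.exe` contacts a bare IP with no preceding profile fetch, so neither is flagged. The point is the sequence, not either event alone; a static blocklist of the dead-drop platform itself is exactly what this technique is designed to survive.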

Why Vidar matters

Vidar is frequently used as a loader stage as well as a stealer, sometimes dropping additional payloads including ransomware. Its longevity and adaptable C2 strategy keep it a recurring presence in the stealer-log supply chain.

How VantaPrism Tracks Vidar Stealer

VantaPrism parses Vidar stealer logs collected from monitored distribution channels, attributing compromised credentials and cookies to the Vidar family so analysts can prioritise response based on the malware involved.


Frequently Asked Questions

Is Vidar related to other malware?

Vidar descends from the older Arkei stealer and shares code lineage with it. It is also commonly observed alongside loaders and as a precursor to other payloads.

How does Vidar hide its command-and-control servers?

Vidar often uses "dead drop resolving," reading its C2 address from attacker-controlled profiles on legitimate websites rather than hard-coding it, which complicates takedowns and static blocking.
Last reviewed: June 2026