Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats
Acronis Threat Research Unit has uncovered a widespread campaign using hundreds of GitHub repositories and Reddit posts to distribute the Vidar 2.0 infostealer disguised as free game cheats.

Acronis Threat Research Unit (TRU) has identified a large-scale malware distribution campaign that leverages hundreds of GitHub repositories and Reddit posts to deliver the Vidar 2.0 infostealer, disguised as free game cheats for titles like Counter-Strike 2. The researchers estimate the true number of malicious repositories could be in the thousands, targeting virtually every major online game title. The campaign exploits the willingness of users seeking cheat software to bypass security warnings, making them ideal victims.
The infection chain begins in Discord chat rooms or Reddit communities dedicated to cheating in specific online games. In one campaign, fake GitHub repositories distribute first-stage payloads named TempSpoofer.exe, Monotone.exe, or CFXBypass.exe. These are PowerShell scripts compiled into .NET executables using PS2EXE, allowing them to evade basic script-based detections while appearing as legitimate applications.
The PowerShell loader executes a multi-stage infection process. It first adds an exclusion to Windows Defender for an attacker-controlled directory, preventing scanning of subsequent malicious payloads. It then retrieves a secondary payload URL from a hard-coded Pastebin link, which points to a GitHub-hosted executable. The loader creates a hidden directory in %AppData%, adds it to Defender's exclusion list, and downloads background.exe, a Themida-packed Vidar Stealer 2.0. It verifies the file's integrity via an MZ header check, hides it from the user, attempts privilege escalation via runas, and establishes persistence through a scheduled task named SystemBackgroundUpdate.
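The loader chain described above maps onto a small set of PowerShell behaviours that script-block logging records (Windows Event ID 4104 carries the decoded script text). The following Python is an added example, not code from the Acronis report or from this article: it runs one rule per loader step over constructed 4104-style entries (process id plus script text) and alerts only when a single process chains several of those behaviours, or when the reported task name SystemBackgroundUpdate appears. The process ids, directory names and the Pastebin URL in the sample entries are constructed placeholders.

```python
"""Flag the Vidar 2.0 loader behaviour chain in PowerShell script-block logs.

Added example; the log entries below are constructed, not taken from the
Acronis report.
"""
import re
from collections import defaultdict

# One rule per loader step.  PowerShell cmdlets and parameters are
# case-insensitive, so every pattern is compiled with re.I.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s.*-ExclusionPath\b", re.I),
    "appdata_hidden_dir": re.compile(r"(\$env:APPDATA|%APPDATA%).*?(Hidden|attrib\s+\+h)", re.I),
    "pastebin_fetch": re.compile(
        r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile).*pastebin\.com", re.I),
    "runas_elevation": re.compile(r"-Verb\s+RunAs\b|\brunas(\.exe)?\s", re.I),
    "scheduled_task_persistence": re.compile(
        r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
    # Task name reported in the article; a hit here is an IOC match on its own.
    "known_task_name": re.compile(r"SystemBackgroundUpdate", re.I),
}

# Constructed 4104-style entries: (process id, decoded script text).
# Process 4120 replays the loader chain; 880 and 2216 are ordinary admin work.
SAMPLE_EVENTS = [
    (4120, r'Add-MpPreference -ExclusionPath "$env:APPDATA\SysBg"'),
    (4120, r"$u = (Invoke-WebRequest 'https://pastebin.com/raw/PLACEHOLDER').Content"),
    (4120, r'New-Item -ItemType Directory "$env:APPDATA\SysBg" -Force | '
           r'ForEach-Object { $_.Attributes = "Hidden" }'),
    (4120, r'Start-Process "$env:APPDATA\SysBg\background.exe" -Verb RunAs'),
    (4120, r"Register-ScheduledTask -TaskName SystemBackgroundUpdate -Action $act -Trigger $trg"),
    (880,  r'Get-ChildItem "$env:APPDATA\Code\User"'),
    (880,  r"Register-ScheduledTask -TaskName NightlyBackup -Action $act -Trigger $trg"),
    (2216, r"Add-MpPreference -ExclusionPath 'C:\BuildAgent\work'"),
]


def hits_by_process(events):
    """Map each process id to the set of rule names its script text matched."""
    hits = defaultdict(set)
    for pid, script in events:
        for name, pattern in RULES.items():
            if pattern.search(script):
                hits[pid].add(name)
    return dict(hits)


def suspicious_processes(events, threshold=3):
    """Processes that hit the known IOC or chain >= threshold distinct behaviours.

    Any single behaviour (a Defender exclusion, a scheduled task) is routine in
    administrative scripting; the combination within one process is what
    distinguishes the loader, so the count matters more than any one rule.
    """
    flagged = []
    for pid, names in hits_by_process(events).items():
        if "known_task_name" in names or len(names) >= threshold:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    for pid, names in sorted(hits_by_process(SAMPLE_EVENTS).items()):
        print(pid, sorted(names))
    print("suspicious:", suspicious_processes(SAMPLE_EVENTS))
```

With the default threshold only process 4120 is flagged; lowering it to 1 flags the benign processes too, which is the trade-off to keep in mind when tuning the rule set against real script-block volume.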
In a separate campaign, attackers spread Vidar 2.0 through Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers EzFrags_Private.zip. The archive contains a self-extracting executable with an invalid digital signature. Upon execution, the loader extracts an embedded cabinet archive and runs a command to process Perfume.mdb, a script obfuscated with randomized variable names. The script creates a directory and assembles Typically.com, a compiled AutoIt interpreter, by stitching together file fragments, then builds the Vidar 2.0 payload from multiple .mdb files and executes it via AutoIt. The final payload connects to the same C2 infrastructure seen in prior campaigns, suggesting the same threat actor is behind both operations.
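The second chain relies on files whose extensions misrepresent their content: a .mdb that is really a script, .mdb fragments that assemble into an executable, and a .com that is a compiled AutoIt interpreter. As an added example (not code from the report or this article), the Python below identifies file content by its leading magic bytes, compares that with what the extension promises, and also notes an MSCF cabinet header embedded inside a PE, which is how a self-extracting loader carries its payload. The file names echo the article but the contents are constructed stand-ins, not real samples; the PE, Jet DB, ACE DB, cabinet and ZIP signatures are the public format magic values.

```python
"""Spot extension/content mismatches of the kind the EzFrags_Private.zip chain uses.

Added example; file contents are constructed and are not real malware samples.
"""
import os

# Magic prefixes checked in order; the first match wins.
MAGICS = [
    ("pe", b"MZ"),
    ("jetdb", b"\x00\x01\x00\x00Standard Jet DB"),
    ("acedb", b"\x00\x01\x00\x00Standard ACE DB"),
    ("cab", b"MSCF"),
    ("zip", b"PK\x03\x04"),
]

# Content types a given extension is expected to carry.
EXPECTED = {
    ".mdb": {"jetdb", "acedb"},
    ".accdb": {"acedb"},
    ".exe": {"pe"},
    ".dll": {"pe"},
    ".cab": {"cab"},
    ".zip": {"zip"},
}

# Constructed stand-ins for the files named in the article.
SAMPLE_FILES = {
    # SFX loader: PE header followed by an embedded cabinet archive.
    "EzFrags_Private.exe": b"MZ" + b"\x90" * 64 + b"MSCF" + b"\x00" * 16,
    # Plain-text script hiding behind an Access database extension.
    "Perfume.mdb": b"Dim qWz, rTv\r\nqWz = 42\r\n",
    # PE (compiled AutoIt interpreter) renamed to .com.
    "Typically.com": b"MZ\x90\x00" + b"\x00" * 60,
    # Payload fragment that is itself a PE, stored as .mdb.
    "part01.mdb": b"MZ" + b"\x00" * 30,
    # Genuine Jet database: extension and content agree.
    "Inventory.mdb": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32,
}


def identify(data):
    """Return the content type implied by the file's leading bytes."""
    for name, magic in MAGICS:
        if data.startswith(magic):
            return name
    # Printable ASCII plus whitespace is treated as a text/script file.
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "unknown"


def find_embedded_cab(data):
    """Offset of an MSCF header past the start of the file, or -1 if absent."""
    return data.find(b"MSCF", 1)


def scan(files):
    """Return (file name, finding) pairs for every mismatch or embedded cabinet."""
    findings = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        kind = identify(data)
        if ext == ".com" and kind == "pe":
            # Windows happily runs a PE with a .com extension; a genuine
            # DOS .com file has no MZ header.
            findings.append((name, "pe_renamed_as_com"))
        elif ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append((name, f"extension_mismatch:{kind}"))
        if kind == "pe" and find_embedded_cab(data) != -1:
            findings.append((name, "embedded_cab"))
    return findings


if __name__ == "__main__":
    for name, finding in scan(SAMPLE_FILES):
        print(f"{name}: {finding}")
```

An embedded cabinet is informational rather than conclusive, since legitimate self-extracting installers also carry CABs; the extension mismatches, especially a .mdb that starts with MZ, are the stronger signal and cheap to check at archive-inspection time.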
Vidar 2.0 represents a significant technical evolution from the first version. It is capable of extracting browser credentials, cookies, autofill data, Azure tokens, cryptocurrency wallets, FTP/SSH credentials, Telegram and Discord data, and local files. The new version features polymorphic builds and multithreaded execution to improve speed and evade static detection, advanced obfuscation and debugger detection to hinder analysis, and C2 infrastructure hidden via Telegram bots and Steam profiles as dead drop resolvers. The researchers note that Vidar 2.0 often completes its mission before victims are aware anything is wrong.
The rise of Vidar 2.0 follows law enforcement actions against two of the most prominent infostealers, Lumma and Rhadamanthys. This demonstrates how enforcement action reshapes the threat landscape: criminal demand simply migrates, and defenders must remain vigilant and informed. The campaign highlights the ongoing challenge of combating malware distributed through legitimate platforms like GitHub and Reddit, where users' trust and desire for free software can be exploited.