Vidar 2.0 Trojan

What kind of malware is Vidar 2.0?

Vidar 2.0 is a new release of the Vidar malware, rewritten in C programming language and capable of multi-threaded data stealing. It defeats Chrome's app-bound encryption and includes advanced evasion features. Stolen data is sent to delivery channels like Telegram bots and Steam profile URLs.

Vidar 2.0 malware

More about Vidar 2.0

Vidar 2.0 steals data from web browsers such as Chrome, Edge, and Firefox. It exfiltrates login and web data from Chrome and Edge browsers, including passwords, autofill data, and credit card details. It also steals passwords, browsing history, cookies (including network cookie files), and master encryption keys from Firefox browsers.

Furthermore, Vidar 2.0 targets cryptocurrency wallets. It grabs extension databases and settings (both local and synced) and Monero wallet directories, which can expose wallet details, cached data, and, if found, private keys or seed phrases. With this data, cybercriminals might access wallets and drain them.

Moreover, the malware copies credentials and tokens used to access AWS and Azure, Azure identity tokens, and data from the Microsoft Authentication Library cache (Office 365 and Azure AD tokens). These files let attackers impersonate victims and access their cloud services.

In addition to the aforementioned data, Vidar 2.0 can steal FileZilla's recent server entries, WinSCP configuration data, and WinSCP sessions. Using this information, threat actors may be able to log into the victim's servers to download, modify, or delete files, or perform other malicious actions.

Lastly, the malware can steal login session data, library information, configuration data, and Guard files from Steam, Telegram data, Discord token files, and app session files from messaging apps. This information allows the attackers to take over accounts, access private chats, and impersonate victims.

It is also known that Vidar 2.0 targets not only Chrome, Edge, and Firefox browsers, but also Opera, Opera GX, Palemoon, Vivaldi, and Waterfox. When targeting browsers, the malware forces the browser into debug mode and injects malicious code that steals encryption keys from the browser's active memory and sends them to the malware.

Using those keys, the stealer can bypass Chrome's AppBound protections. Once targeted information is captured, Vidar 2.0 takes screenshots, bundles everything, and exfiltrates it via Telegram bots and Steam profile links.

Threat Summary:
Name	Vidar 2.0 stealer
Threat Type	Trojan, Information Stealer
Detection Names	Avast (Win64:MalwareX-gen [Drp]), Combo Cleaner (Trojan.GenericKDZ.113842), ESET-NOD32 (A Variant Of Win64/Vidar.A), Kaspersky (Trojan-PSW.Win32.Stealerc.sji), Microsoft (Trojan:Win32/Wacatac.B!ml), Full List (VirusTotal)
Symptoms	Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Possible distribution methods	Infected email attachments, malicious online advertisements, social engineering, software vulnerabilities, software 'cracks', tech support scams
Damage	Stolen passwords and banking information, identity theft, monetary loss.
Malware Removal (Windows)	To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. Download Combo Cleaner To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Conclusion

Vidar 2.0 is a powerful stealer that injects into many browsers and apps to harvest passwords, encryption keys, cloud and crypto wallet data, and session tokens. Its capabilities enable attackers take over accounts, access cloud resources, steal crypto, and more. If a device is infected, the malware should be removed as soon as possible.

More examples of malware with information stealing capabilities are NovaShadow, SharkStealer, and Acreed.

How did Vidar 2.0 infiltrate my computer?

Devices can get infected through deceptive (and malicious) advertisements, fraudulent emails with harmful attachments or links, compromised (or fake) websites, infected USB drives, P2P networks, or third‑party downloaders. Malware is often hidden in executable files, Office or PDF documents, archive files like ZIP/RAR, or scripts.

Infections can also occur through pirated software, keygens, cracking tools, or tech support scams. Typically, devices become infected after users execute malware themselves.

How to avoid installation of malware?

Only download software from official websites or trusted app stores. Avoid pirated software, cracks, or keygens. Do not click links or open attachments in unexpected, irrelevant, or suspicious emails (or other messages) from unknown senders. Regularly update your operating system, apps, and antivirus programs.

Do not click on ads, pop-ups, or buttons on shady sites, and block notification requests from untrusted pages. Run antivirus and anti-malware scans often. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Vidar 2.0 release announcement on a hacker forum:

Vidar 2.0 Trojan release announcment

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

DOWNLOAD Combo Cleaner

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

What is Vidar 2.0?
STEP 1. Manual removal of Vidar 2.0 malware.
STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2 Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3 Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4 In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5 Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with Vidar 2.0 malware, should I format my storage device to get rid of it?

Formatting the storage device can get rid of Vidar 2.0, but it is a last resort because it deletes all your data. It is better to first perform a full scan with reliable antivirus or anti-malware tools, like Combo Cleaner.

What are the biggest issues that malware can cause?

The biggest risks include stealing sensitive information like passwords, banking details, or personal files, slowing down or crashing systems, encrypting or corrupting files, using devices to attack others, or dropping more payloads on the already infected systems.

What is the purpose of Vidar 2.0?

The purpose of Vidar 2.0 is to steal sensitive data, like passwords, encryption keys, crypto wallet data, cloud credentials, and session tokens from browsers, apps, and systems.

How did a malware infiltrate my computer?

Devices can be compromised through malicious ads, software vulnerabilities, deceptive emails, fake or hacked websites, infected USB drives, P2P networks, pirated software, keygens, cracking tools, tech support scams, or third-party downloaders. Users often infect devices via malicious executables, documents, archives, or script files.

Will Combo Cleaner protect me from malware?

Combo Cleaner can detect and remove most known malware, but is important to note that advanced threats may be hidden in the system. Running a full system scan is essential to detect and fully eliminate them.