The Vidar Stealer information-stealing malware has been rebuilt from the ground up with the release of version 2.0, which adds the ability to bypass Chrome's AppBound encryption by injecting code into the running browser process and reading the already-unwrapped keys from its memory.

Announced on October 6, 2025, by its developer "Loadbaks" on underground forums, the new version is a complete rewrite from C++ to C and uses a multithreaded design that shortens the time spent collecting data and improves evasion.

The release coincides with a marked decline in Lumma Stealer activity, positioning Vidar as a likely successor in the infostealer market.

Sold for $300 with lifetime access, the malware gives criminals a low-cost toolkit for harvesting credentials from browsers, cryptocurrency wallets, cloud services, gaming platforms, and messaging apps such as Discord and Telegram.

The improved anti-analysis measures and the new credential-extraction technique mark a significant step forward in the infostealer threat landscape.

Vidar developer announcing the release of version 2.0 (Source – Trend Micro)

Vidar first appeared in 2018 on Russian-speaking underground forums, originally built on the Arkei stealer source code.

Since then it has distinguished itself from rivals such as Raccoon and RedLine through regular updates adding support for new browsers, wallets, and two-factor authentication tools.

Trend Micro analysts identified four key architectural changes in this version: a full rewrite in C for reliability and speed, a multithreaded engine that sizes itself to the victim's hardware, expanded browser credential extraction, and an automated polymorphic builder that produces a unique binary for every build, so no two samples share a static signature.

The multithreaded design is one of the most consequential changes: the collection routines run across several worker threads in parallel.

The engine spawns more worker threads on powerful hosts and fewer on weaker ones, so that collection finishes quickly without saturating the machine and drawing the user's attention.

Running the collection in parallel shortens the malware's dwell time on the host, leaving security tooling less time to detect and interrupt it.

Chrome AppBound Encryption Evasion Through Memory Injection

The most significant technical change in Vidar 2.0 is its bypass of Chrome's AppBound encryption through memory injection.

According to the developer, the malware has "executed unique appBound methods that aren't accessible in the public domain," aimed specifically at Chrome's hardened key protection. AppBound encryption binds the key to the browser itself: it is wrapped by a SYSTEM-level elevation service that checks the identity of the calling executable before unwrapping it, so a process running in the user's context cannot recover it with ordinary DPAPI calls.

This is a direct challenge to a defense Chrome introduced precisely to keep infostealers away from user credentials.

Browser credential extraction is tiered. The first tier is the conventional approach: enumerate browser profiles, read the base64-encoded master key from each browser's Local State file, and unwrap it with the user's DPAPI (CryptUnprotectData).

When that fails because the profile is protected by AppBound encryption, Vidar 2.0 escalates to the second tier: it launches the target browser with debugging enabled and injects code into the live browser process, using either shellcode or reflective DLL injection.
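The two tiers turn on what is actually in the Local State file and how each stored value is tagged. The following triage helper, added here as an example rather than anything from the Trend Micro report or the malware, reads a Chromium Local State document and reports, for a set of encrypted values, whether the on-disk tier (user DPAPI) could recover them or whether the key only exists unwrapped inside the running browser. The magic prefixes it checks ("DPAPI" and "APPB" on the wrapped keys, "v10" and "v20" on stored values) are documented Chromium behaviour; the Local State samples and the blob bytes inside them are constructed, and no DPAPI call is made, so it runs on any platform.

```python
"""Triage helper for the tiered extraction described above: given a Chromium
Local State file and some encrypted values, decide which can be recovered by
the first tier (on-disk key plus user DPAPI) and which need the second tier
(the key as it exists inside the running browser). Samples are constructed."""
import base64
import json


def _b64(prefix):
    # Constructed placeholder blob: real keys are DPAPI blobs of a few hundred bytes.
    return base64.b64encode(prefix + b"\x01\x00\x00\x00" + bytes(28)).decode()


# Profile from a Chrome version before AppBound encryption: one DPAPI-wrapped key.
LEGACY_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": _b64(b"DPAPI")}})

# Profile after AppBound encryption: the legacy key is kept for older values and
# a second key, wrapped by Chrome's elevation service, is added alongside it.
ABE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": _b64(b"DPAPI"),
    "app_bound_encrypted_key": _b64(b"APPB"),
}})


def key_wrapping(local_state_json):
    """Map each key field in Local State to how it is wrapped, by its magic prefix."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    result = {}
    for field in ("encrypted_key", "app_bound_encrypted_key"):
        raw = os_crypt.get(field)
        if raw is None:
            continue
        blob = base64.b64decode(raw)
        if blob.startswith(b"DPAPI"):
            # CryptUnprotectData in the user's context is enough to unwrap it.
            result[field] = "user-dpapi"
        elif blob.startswith(b"APPB"):
            # User DPAPI only strips the outer layer; the inner SYSTEM layer is
            # unwrapped by the elevation service, and only for a caller it trusts.
            result[field] = "app-bound"
        else:
            result[field] = "unknown"
    return result


def required_tier(local_state_json, encrypted_values):
    """Chromium tags each stored secret with a version: b"v10" values use the
    legacy key, b"v20" values the app-bound key. Return the tier each needs."""
    wrapping = key_wrapping(local_state_json)
    tiers = []
    for value in encrypted_values:
        if value.startswith(b"v20"):
            tiers.append("live-process"
                         if wrapping.get("app_bound_encrypted_key") == "app-bound"
                         else "unknown")
        elif value.startswith(b"v10"):
            tiers.append("dpapi-on-disk"
                         if wrapping.get("encrypted_key") == "user-dpapi"
                         else "unknown")
        else:
            tiers.append("unknown")
    return tiers


if __name__ == "__main__":
    samples = [b"v10" + bytes(40), b"v20" + bytes(40)]
    print(key_wrapping(ABE_LOCAL_STATE))
    print(required_tier(ABE_LOCAL_STATE, samples))
```

For an incident responder the useful signal is the "live-process" result: a v20 value can only have been recovered by something that ran inside, or read the memory of, the browser, which is exactly the activity the next paragraphs describe.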

Vidar 2.0’s execution flow (Source – Trend Micro)

The injected payload runs entirely inside the browser's memory and reads the encryption keys from the live process address space rather than decrypting them from disk.

This defeats AppBound encryption because the key it captures has already been unwrapped by the browser itself, the one process the protection was designed to serve.

The captured keys are sent back to the main malware process over a named pipe, which leaves no file on disk for forensic review or security software to find; the pipe itself, however, is still visible to endpoint telemetry that records pipe creation and connection events.

This two-tier approach, covering both conventional browser storage and Chrome's newest defense across Chrome, Firefox, Edge, and other Chromium-based browsers, shows how thoroughly the malware targets browser credentials.
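The second tier leaves three observable traces that a detection engineer can chain together: a browser started with debugging enabled by something other than a browser or the desktop shell, a foreign process opening the browser with rights sufficient to write and run code, and a pipe connecting the two. The rules below are an added example, not Trend Micro's detection content or anything from the malware. They run over constructed, simplified Sysmon-style records (process creation, ProcessAccess, PipeEvent) rather than real telemetry, and they assume that "debugging enabled" shows up as a Chromium remote-debugging command-line switch, which the article does not actually specify; the paths and PIDs are invented.

```python
"""Detection logic for the second extraction tier: a browser started with
debugging enabled by a non-browser parent, a foreign process opening the
browser with injection-capable rights, and a named pipe bridging the two.
Events are constructed, Sysmon-style records with simplified field names."""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Assumption: the "debugging enabled" launch appears as a Chromium
# remote-debugging switch. The article does not name the flag.
DEBUG_FLAGS = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)

# Sysmon event 10 (ProcessAccess) GrantedAccess bits needed to write code
# into another process and start it running.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\setup.exe"          # constructed
DEFENDER = r"C:\Program Files\Windows Defender\MsMpEng.exe"          # constructed

EVENTS = [  # constructed sample telemetry, in chronological order
    {"id": 1, "pid": 5222, "image": CHROME, "parent_pid": 4120, "parent_image": DROPPER,
     "cmd": '"chrome.exe" --remote-debugging-port=9222 --headless'},
    {"id": 1, "pid": 5230, "image": CHROME, "parent_pid": 5222, "parent_image": CHROME,
     "cmd": '"chrome.exe" --type=renderer'},                           # normal child
    {"id": 1, "pid": 5300, "image": CHROME, "parent_pid": 3000,
     "parent_image": r"C:\Windows\explorer.exe", "cmd": '"chrome.exe"'},  # user launch
    {"id": 10, "source_pid": 4120, "source_image": DROPPER, "target_pid": 5222,
     "target_image": CHROME, "granted_access": "0x1FFFFF"},            # PROCESS_ALL_ACCESS
    {"id": 10, "source_pid": 2000, "source_image": DEFENDER, "target_pid": 5222,
     "target_image": CHROME, "granted_access": "0x1000"},              # query only
    {"id": 17, "pid": 4120, "image": DROPPER, "pipe": r"\\.\pipe\x7k2q"},   # pipe created
    {"id": 18, "pid": 5222, "image": CHROME, "pipe": r"\\.\pipe\x7k2q"},    # pipe connected
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three rules in event order and return the alerts raised."""
    alerts = []
    injectors = defaultdict(set)   # browser pid -> pids that opened it with INJECT_MASK
    pipe_owner = {}                # pipe name -> pid that created it
    for ev in events:
        if ev["id"] == 1:
            if (_basename(ev["image"]) in BROWSERS
                    and _basename(ev["parent_image"]) not in BROWSERS
                    and DEBUG_FLAGS.search(ev["cmd"])):
                alerts.append({"rule": "browser_debug_launch",
                               "pid": ev["pid"], "parent_pid": ev["parent_pid"]})
        elif ev["id"] == 10:
            granted = int(ev["granted_access"], 16)
            if (_basename(ev["target_image"]) in BROWSERS
                    and _basename(ev["source_image"]) not in BROWSERS
                    and (granted & INJECT_MASK) == INJECT_MASK):
                injectors[ev["target_pid"]].add(ev["source_pid"])
                alerts.append({"rule": "browser_inject_access",
                               "pid": ev["source_pid"], "target_pid": ev["target_pid"]})
        elif ev["id"] == 17:
            pipe_owner[ev["pipe"].lower()] = ev["pid"]
        elif ev["id"] == 18:
            owner = pipe_owner.get(ev["pipe"].lower())
            # A browser connecting to a pipe owned by a process that injected
            # into it is the key hand-off the article describes.
            if _basename(ev["image"]) in BROWSERS and owner in injectors[ev["pid"]]:
                alerts.append({"rule": "browser_pipe_to_injector",
                               "pid": ev["pid"], "peer_pid": owner})
    return alerts


def rules_fired(events):
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The debug-launch rule on its own is the weakest of the three, since developer tooling and automation frameworks start browsers with the same switch; the ProcessAccess rule is the one worth alerting on, and the pipe correlation is what ties the hand-off to the injecting process rather than to Chrome's own, entirely normal, internal pipes.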
