What Is Vidar Stealer
Short answer
Vidar is an infostealer known for its file grabber capabilities and its association with ransomware operations. It extends beyond typical credential theft by targeting local files and documents, making it a tool of choice for threat actors seeking deeper access to organizational data.
What makes Vidar different
While most infostealers focus primarily on browser data, Vidar includes a file grabber that searches the infected device for specific file types and exfiltrates them. These can include documents, spreadsheets, configuration files, and database exports, which makes Vidar particularly dangerous for organizations whose sensitive files sit on devices that may become infected.
Ransomware connection
Vidar has been observed as a precursor to ransomware attacks. In some campaigns, Vidar is deployed first to steal credentials and map the environment, followed by ransomware deployment using the access gained through the stolen data. This makes Vidar infections a potential early warning sign of more severe attacks.
What Vidar steals
Vidar targets browser credentials, cookies, cryptocurrency wallets, clipboard data and, setting it apart from most stealers, local files matching configurable patterns. It also captures system information, a list of installed software, and screenshots.
How Passguard detects Vidar
Passguard monitors the criminal marketplaces and Telegram channels where Vidar logs are traded. When infected devices containing access to your organization's systems are listed for sale, Passguard alerts your security team with the details needed to act: device information, malware type, compromised sessions, and infection timeline.
