Vidar Malware Surges as Top Credential-Stealing Threat in Early 2026
A credential-stealing malware called Vidar has become one of the most active threats targeting corporate employees in early 2026. Cybercriminals are distributing the malware through fake software downloads promoted via YouTube videos, tricking victims into installing it and leading to the theft of login credentials, browser data, and cryptocurrency wallet information.
The campaign’s scale and precision have drawn global attention from security researchers. Vidar’s rise follows the 2025 takedowns of Lumma and Rhadamanthys, two widely used infostealers, which left cybercriminals searching for alternatives. Vidar’s operators capitalized on the gap, releasing Vidar 2.0 in October 2025 with enhanced evasion techniques. Since then, it has dominated the Russian Market, a dark web hub for stolen data, based on monthly upload volumes.
Security firm Intrinsec traced a full attack chain after a corporate employee at one of its clients was compromised. The attack began with a YouTube video advertising NeoHub, a fake software tool. The victim was redirected through a file-sharing site before downloading a malicious archive from Mediafire. The installation appeared legitimate, but the executable (NeoHub.exe) secretly loaded a second file (msedge_elf.dll), which contained the Vidar payload. The DLL was disguised as a Microsoft Edge component and signed with a fake code-signing certificate impersonating GitHub and other entities.
Vidar employs advanced obfuscation, including a Go-based packer and control-flow flattening, to evade detection. It retrieves its command-and-control (C2) server location from public Steam profiles and Telegram channels, allowing attackers to rotate infrastructure without updating the malware.
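The two behaviours described above, a loader impersonating a Microsoft Edge DLL and C2 addresses fetched from public Steam and Telegram pages, both leave traces in endpoint telemetry. The following is an added example, not code from the article or from Intrinsec, showing detection logic a defender could run over Sysmon-style ImageLoad (event 7) and DnsQuery (event 22) records. The event layout, the Edge install directories, the hostnames steamcommunity.com and t.me, the list of processes expected to contact them, and the sample events are all assumptions constructed for illustration; only the file names NeoHub.exe and msedge_elf.dll come from the article.

```python
"""Added example (not from the article or Intrinsec): flag (1) an Edge-named DLL
loaded from outside the Edge install path, by a non-Edge process, or without a valid
Microsoft signature, and (2) a non-browser process resolving Steam/Telegram hosts,
the dead-drop pattern the article describes. Layout and values are assumptions."""

from dataclasses import dataclass
import ntpath

# Assumption: Edge install directories to treat as legitimate for Edge component DLLs.
EDGE_DIRS = (
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
    r"C:\Program Files\Microsoft\Edge\Application",
)
# msedge_elf.dll is the name reported in the article; extend with other Edge DLL names as needed.
EDGE_COMPONENT_DLLS = {"msedge_elf.dll"}
# Assumption: public hostnames behind "Steam profiles" and "Telegram channels".
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}
# Assumption: processes that are expected to talk to those hosts (tune per environment).
EXPECTED_CLIENTS = {"steam.exe", "telegram.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record: ImageLoad (id 7) or DnsQuery (id 22)."""
    event_id: int
    image: str                   # process that triggered the event
    image_loaded: str = ""       # ImageLoad only: full path of the DLL
    signature_status: str = ""   # ImageLoad only: e.g. "Valid", "Invalid", "Unavailable"
    signature: str = ""          # ImageLoad only: signer subject name
    query_name: str = ""         # DnsQuery only


def _under(path, directory):
    """True if path lies below directory (case-insensitive Windows comparison)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(directory) + "\\")


def detect_sideload(events):
    """Return (image, image_loaded, reasons) for suspicious loads of Edge-named DLLs."""
    hits = []
    for ev in events:
        if ev.event_id != 7:
            continue
        if ntpath.basename(ev.image_loaded).lower() not in EDGE_COMPONENT_DLLS:
            continue
        reasons = []
        if not any(_under(ev.image_loaded, d) for d in EDGE_DIRS):
            reasons.append("loaded outside Edge install directory")
        if ntpath.basename(ev.image).lower() != "msedge.exe":
            reasons.append("loaded by non-Edge process")
        if ev.signature_status != "Valid" or "Microsoft" not in ev.signature:
            reasons.append("signature not a valid Microsoft signature")
        if reasons:
            hits.append((ev.image, ev.image_loaded, "; ".join(reasons)))
    return hits


def detect_dead_drop(events):
    """Return (image, query_name) for Steam/Telegram lookups by unexpected processes."""
    hits = []
    for ev in events:
        if ev.event_id != 22:
            continue
        host = ev.query_name.lower().rstrip(".")
        # match the host itself or any subdomain of it
        if not any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
            continue
        if ntpath.basename(ev.image).lower() in EXPECTED_CLIENTS:
            continue
        hits.append((ev.image, ev.query_name))
    return hits


# Constructed sample telemetry (not real logs): one benign Edge load, one sideload,
# one benign Steam lookup, two lookups by the fake installer.
SAMPLE_EVENTS = [
    Event(7, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          image_loaded=r"C:\Program Files (x86)\Microsoft\Edge\Application\140.0.0.0\msedge_elf.dll",
          signature_status="Valid", signature="Microsoft Corporation"),
    Event(7, r"C:\Users\alice\Downloads\NeoHub\NeoHub.exe",
          image_loaded=r"C:\Users\alice\Downloads\NeoHub\msedge_elf.dll",
          signature_status="Invalid", signature="GitHub, Inc."),
    Event(22, r"C:\Program Files (x86)\Steam\steam.exe", query_name="steamcommunity.com"),
    Event(22, r"C:\Users\alice\Downloads\NeoHub\NeoHub.exe", query_name="steamcommunity.com"),
    Event(22, r"C:\Users\alice\Downloads\NeoHub\NeoHub.exe", query_name="t.me"),
]

if __name__ == "__main__":
    for hit in detect_sideload(SAMPLE_EVENTS):
        print("SIDELOAD:", hit)
    for hit in detect_dead_drop(SAMPLE_EVENTS):
        print("DEAD-DROP:", hit)
```

Both checks deliberately combine several weak signals: a mismatched load path or a non-Edge parent alone can occur with legitimate software, and a lookup of a public platform from an unexpected binary is only interesting in combination with other indicators, so in a real pipeline these hits would be correlated with the download origin and the signing chain rather than alerted on individually.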
The malware targets Chrome, Firefox, Edge, Opera, Vivaldi, Waterfox, and Palemoon, extracting passwords, cookies, credit card data, and cryptocurrency wallet files. Stolen credentials are sold on the Russian Market, exposing corporate networks to further attacks. CISA has linked Vidar to Scattered Spider, a notorious cybercriminal group, underscoring its role in high-risk campaigns.
Source: https://cybersecuritynews.com/new-vidar-malware-uses-fake-youtube-software-downloads/
Intrinsec cybersecurity rating report: https://www.rankiteo.com/company/intrinsec
"id": "INT1777301561",
"linkid": "intrinsec",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'name': "Intrinsec's client (unnamed)",
'type': 'Corporation'}],
'attack_vector': ['Fake software downloads',
'Malicious YouTube videos',
'Malicious archives from file-sharing sites'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Login credentials',
'Browser data',
'Cryptocurrency wallet files',
'Passwords',
'Cookies',
'Credit card data']},
'date_detected': '2026-01',
'description': 'A credential-stealing malware called Vidar has become one of '
'the most active threats targeting corporate employees in '
'early 2026. Cybercriminals are distributing the malware '
'through fake software downloads promoted via YouTube videos, '
'tricking victims into installing it and leading to the theft '
'of login credentials, browser data, and cryptocurrency wallet '
'information.',
'impact': {'data_compromised': ['Login credentials',
'Browser data',
'Cryptocurrency wallet information',
'Passwords',
'Cookies',
'Credit card data'],
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': ['Corporate employee devices']},
'initial_access_broker': {'data_sold_on_dark_web': 'Russian Market',
'entry_point': ['Fake software downloads',
'YouTube videos']},
'investigation_status': 'Ongoing',
'motivation': ['Financial gain', 'Data exfiltration', 'Credential theft'],
'post_incident_analysis': {'root_causes': ['Lack of employee awareness',
'Use of fake software',
'Malware evasion techniques']},
'references': [{'source': 'Intrinsec'}, {'source': 'CISA'}],
'response': {'third_party_assistance': 'Intrinsec'},
'threat_actor': 'Scattered Spider (linked by CISA)',
'title': 'Vidar Malware Surges as Top Credential-Stealing Threat in Early '
'2026',
'type': 'Malware (Infostealer)'}