New Vidar Infostealer Campaign Abuses YouTube to Target Corporate Employees
A recent Vidar infostealer campaign is exploiting fake software download links on YouTube to compromise corporate employees, with stolen credentials later sold on Russian cybercrime marketplaces. The attack, analyzed in October 2025, begins when victims search for software on YouTube and follow malicious links in video descriptions, redirecting them to third-party file-sharing services like filefa.st and MediaFire.
The downloaded archive, disguised as a NeoHub installer, contains a legitimate-looking executable (NeoHub.exe) and a malicious DLL (msedgeelf.dll). When executed, the DLL (actually a Vidar 2.0 stealer) deploys obfuscated, Go-compiled malware signed with fraudulent certificates (spoofing githab.com and grow.com). Vidar targets browser credentials, cookies, autofill data, and cryptocurrency wallets across Chrome, Edge, Firefox, and other browsers, while exfiltrating system metadata in an information.txt file.
The malware uses dead drop resolvers on Steam and Telegram to dynamically fetch command-and-control (C2) domains, including gz.technicalprorj.xyz and gpu.orca-trade.com. This technique lets the attackers rotate infrastructure rapidly while evading detection. Researchers identified additional Vidar-linked domains (vidars.su, true-v.top, my-vidar.ru) and a lookalike email domain (otmail.top) mimicking Hotmail, highlighting the campaign's use of lookalike infrastructure.
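As an added illustration (not code from the article or from the cited research), the following Python script matches constructed proxy-log lines against the indicators listed above and flags the dead-drop pattern the summary describes: a request to Steam or Telegram followed within a few minutes by a connection to a host the log has not seen before. The log format, the source IPs, the hostnames steamcommunity.com, t.me and mediafire.com, and the five-minute window are assumptions made for the example.

```python
"""Added example, not taken from the article: match constructed proxy-log
lines against the campaign's published indicators and flag the
dead-drop-resolver pattern (Steam/Telegram request shortly followed by a
connection to a never-before-seen host)."""
import re
from datetime import datetime, timedelta

# Indicators quoted from the campaign summary.
KNOWN_C2_DOMAINS = {"gz.technicalprorj.xyz", "gpu.orca-trade.com"}
LOOKALIKE_DOMAINS = {"vidars.su", "true-v.top", "my-vidar.ru", "otmail.top", "githab.com"}
# filefa.st is named in the summary; mediafire.com is an assumed hostname for MediaFire.
FILE_SHARING_DOMAINS = {"filefa.st", "mediafire.com"}
# Assumed hostnames for the Steam and Telegram services used as dead drops.
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}
DEAD_DROP_WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed log format: "<ISO timestamp> <source IP> <destination host> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """
2025-10-14T09:01:05 10.0.5.23 www.youtube.com /watch
2025-10-14T09:02:10 10.0.5.23 filefa.st /d/abc123
2025-10-14T09:05:40 10.0.5.23 steamcommunity.com /profiles/0000
2025-10-14T09:05:42 10.0.5.23 gz.technicalprorj.xyz /
2025-10-14T09:30:00 10.0.5.77 t.me /s/somechannel
2025-10-14T09:31:00 10.0.5.77 cdn.example.net /update
2025-10-14T10:00:00 10.0.5.88 mail.example.com /inbox
""".strip().splitlines()


def matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "host": m["host"].lower(), "path": m["path"]}


def analyze(lines):
    """Return (source_ip, alert_type, host) tuples in log order."""
    alerts = []
    last_dead_drop = {}   # source IP -> time of its latest Steam/Telegram request
    seen_hosts = set()    # hosts already observed earlier in this log window
    for rec in filter(None, map(parse_line, lines)):
        src, host, ts = rec["src"], rec["host"], rec["ts"]
        # Static indicator matching, most specific category first.
        if matches(host, KNOWN_C2_DOMAINS):
            alerts.append((src, "known-c2", host))
        elif matches(host, LOOKALIKE_DOMAINS):
            alerts.append((src, "lookalike-domain", host))
        elif matches(host, FILE_SHARING_DOMAINS):
            alerts.append((src, "file-sharing", host))
        # Behavioural heuristic: a new host contacted soon after a dead-drop lookup.
        if matches(host, DEAD_DROP_HOSTS):
            last_dead_drop[src] = ts
        elif (src in last_dead_drop
              and ts - last_dead_drop[src] <= DEAD_DROP_WINDOW
              and host not in seen_hosts):
            alerts.append((src, "dead-drop-followup", host))
        seen_hosts.add(host)
    return alerts


if __name__ == "__main__":
    for src, kind, host in analyze(SAMPLE_LOG):
        print(f"{src:12} {kind:20} {host}")
```

The static lists catch only infrastructure that has already been published, which is exactly what a dead-drop resolver is designed to outlive; the follow-up heuristic is the part that survives a domain rotation, at the cost of noise, so in practice it would be fed an allowlist of hosts the environment legitimately contacts after visiting Steam or Telegram.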
Stolen data is sold or shared on Russian Market and Telegram channels like KATANACLOUD and BradMax Cloud, enabling secondary attacks such as VPN hijacking, email compromise, and financial fraud. The campaign's success stems from abusing common user behavior (downloading cracked software from unofficial sources), even on secured corporate networks. Vidar's ability to harvest session cookies also allows attackers to bypass multi-factor authentication in some cases.
Source: https://gbhackers.com/fake-youtube-downloads/
Neohub Solutions cybersecurity rating report: https://www.rankiteo.com/company/neohub-solutions
{
"id": "NEO1777301632",
"linkid": "neohub-solutions",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'type': 'Corporate employees'}],
 'attack_vector': ['Malicious YouTube links',
                   'Third-party file-sharing services (filefa.st, MediaFire)'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Executable (EXE)', 'DLL', 'Text (TXT)'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Browser credentials', 'Cookies', 'Autofill data',
                                              'Cryptocurrency wallets', 'System metadata']},
 'date_detected': '2025-10',
 'description': 'A recent Vidar infostealer campaign is exploiting fake software download links on YouTube to compromise corporate employees, with stolen credentials later sold on Russian cybercrime marketplaces. The attack begins when victims search for software on YouTube and follow malicious links in video descriptions, redirecting them to third-party file-sharing services like *filefa.st* and *MediaFire*. The downloaded archive, disguised as a *NeoHub* installer, contains a legitimate-looking executable (*NeoHub.exe*) and a malicious DLL (*msedgeelf.dll*). When executed, the DLL (a Vidar 2.0 stealer) deploys obfuscated, Go-compiled malware signed with fraudulent certificates (spoofing *githab.com* and *grow.com*). Vidar targets browser credentials, cookies, autofill data, and cryptocurrency wallets across Chrome, Edge, Firefox, and other browsers, while exfiltrating system metadata in an *information.txt* file. The malware uses dead drop resolvers on Steam and Telegram to dynamically fetch command-and-control (C2) domains, including *gz.technicalprorj.xyz* and *gpu.orca-trade.com*. Stolen data is sold or shared on Russian Market and Telegram channels like *KATANACLOUD* and *BradMax Cloud*, enabling secondary attacks such as VPN hijacking, email compromise, and financial fraud.',
 'impact': {'data_compromised': ['Browser credentials', 'Cookies', 'Autofill data',
                                 'Cryptocurrency wallets', 'System metadata'],
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential secondary attacks (VPN hijacking, email compromise, financial fraud)',
            'payment_information_risk': 'High',
            'systems_affected': ['Corporate employee devices']},
 'initial_access_broker': {'data_sold_on_dark_web': ['Russian Market',
                                                     'Telegram channels (KATANACLOUD, BradMax Cloud)'],
                           'entry_point': 'YouTube video descriptions (malicious links)',
                           'high_value_targets': 'Corporate employees'},
 'lessons_learned': "The campaign's success stems from abusing common user behavior (downloading cracked software from unofficial sources) even on secured corporate networks. Vidar's ability to harvest session cookies also allows attackers to bypass multi-factor authentication in some cases.",
 'motivation': ['Financial gain', 'Data theft for resale'],
 'post_incident_analysis': {'root_causes': ['Social engineering (fake software downloads)',
                                            'Abuse of trusted platforms (YouTube)']},
 'recommendations': ['Educate employees on the risks of downloading software from unofficial sources',
                     'Implement stricter controls on corporate networks to block access to third-party file-sharing services',
                     'Monitor for unusual activity related to browser credential theft and session cookie hijacking',
                     'Enhance detection mechanisms for malware using dead drop resolvers (e.g., Steam, Telegram)'],
 'references': [{'source': 'Cybersecurity Research Report'}],
 'threat_actor': 'Unknown (Russian cybercrime marketplace affiliates)',
 'title': 'New Vidar Infostealer Campaign Abuses YouTube to Target Corporate Employees',
 'type': 'Infostealer Campaign',
 'vulnerability_exploited': 'Social engineering (fake software downloads)'}