| ⓘ We are reaching out to let you know there has been a sharp rise in Vadir infostealer infections globally, posing a growing threat to your data. |
Advisory Overview
|
| Advisory Type |
Technical |
| Author |
Emilio Smith |
| Date |
15 September 2025 |
There has been a noticeable increase in Vidar spyware infections affecting systems worldwide. Vidar is a type of malicious software (spyware) that quietly collects sensitive information from affected devices, including account credentials, browsing data, and digital wallet details. Once the information is captured, it can be sent to attackers, and the malware may remove traces of itself from the system, making it difficult to detect.
This is important because stolen information can be used to access accounts or organizational systems without authorization. Vidar typically spreads through deceptive emails, fraudulent software downloads, and compromised websites, often relying on users being tricked into opening malicious files or links. Awareness of these methods and maintaining good security practices are key to reducing the risk of infection.
What’s Happening
|
| Affected Systems |
Vidar targets Windows-based systems. Infections of other operating systems, such as macOS or Linux is uncommon. |
| What this Means |
Once installed, it can quietly collect user data. Attackers can then use this stolen information to log into accounts, access sensitive business systems, or sell the data to other criminals. This matters because even a single compromised account could give attackers a way into your organization’s network, leading to further unauthorized access, data misuse, or financial loss. |
What to Look For
|
| Signs You May Be at Risk |
Your organisation is at risk if:
- Members of your organization use weak, reused, or unprotected passwords in browsers or applications.
- Employees frequently download cracked software, illegal media, or “free” tools from untrusted websites.
- Systems lack the latest security patches.
- Email filtering is limited, exposing users to phishing or malicious attachments.
- Multi-factor authentication (MFA) is not enforced across all accounts.
- Employees lack the necessary training to identify malicious emails.
|
| Signs You May Be Affected |
If you are experiencing any of the activities listed below, your organisation may be infected with Vidar spyware:
- Unusual network traffic, especially connections to unfamiliar external IP addresses or domains.
- Browser-stored credentials or cryptocurrency wallets suddenly inaccessible, drained, or compromised.
- Security tools flag suspicious processes (e.g., vidar.exe, random temp-folder executables).
- Presence of new or unauthorized scheduled tasks, registry entries, or startup programs.
- Increased spam or account takeover attempts using your credentials.
- Endpoint or SIEM alerts showing indicators of compromise (IOCs) linked to Vidar activity.
- Reports from third parties (banks, customers, partners) about suspicious use of your accounts.
|
What to Do
|
| Prevention |
To help prevent infection of your organisation, implement the steps below:
- Use antivirus and web protection software that monitors and neutralizes theses kinds of threats upon detection.
- Employ email security solutions that scan and block potentially suspicious messages.
- Enforce password best practices, including the use of a password manager.
- Keep all software and operating systems up to date.
- Regularly run full system scans on computers to check for any Vidar spyware or other infections.
- Train employees to identify malicious emails.
|
| Mitigation |
If you have this appliance in your environment, take the steps outlined below (not in any particular order):
- Disable SSL-VPN service where practical.
- Limit SSL-VPN connectivity to trusted source IPs.
- Enforce multi-factor authentication (MFA).
- Remove inactive or unused local user accounts that have SSL-VPN on the firewall.
- Encourage regular password updates across all user accounts.
- Activate services such as Botnet Protection and Geo-IP Filtering.
- Where possible, monitor your environment for any unusual activities or changes.
- Report the issues to CIRT-BS at [email protected].
|
Should you require additional information or further support, submit a report on our website or contact us at [email protected]. |