Infostealer
Vidar
aka Arkei fork
A malware-as-a-service infostealer forked from Arkei, known for using social-media profiles as dead-drop resolvers for its C2.
Vidar is a malware-as-a-service infostealer forked from the older Arkei stealer. Active since late 2018, it harvests browser credentials, cookies and autofill data as well as cryptocurrency wallets, and what each build collects is configurable per customer.
Dead-drop resolvers
Vidar is best known for hiding its current C2 address in the public profile of a throwaway social-media account (Telegram channels, Mastodon accounts and Steam profiles have all been used). A sample fetches the profile page over ordinary HTTPS, parses the address out of the profile name or description, and only then contacts the real C2. This "dead-drop resolver" technique lets operators rotate infrastructure by editing the profile, without rebuilding or redeploying the malware; it also means that blocking a single C2 IP achieves little, since the sample simply picks up the next one from the profile.
Distribution
It is distributed through cracked-software bundles, malvertising (fake download pages for popular tools) and third-party loaders, and has served as an initial foothold ahead of ransomware deployments. Campaigns are tracked on Cyber Breaches; a dead-drop-resolver analysis lives on the Reverse Engineering Hub.
Defense
Block untrusted executables (application allow-listing), treat every session on an infected host as stolen and invalidate it, since MFA does not protect a replayed cookie, and alert on non-browser processes fetching social-media profile pages followed shortly by connections to bare IP addresses; the profile fetch on its own looks like ordinary HTTPS to a well-known host, so the destination alone is a poor signal.
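The resolver mechanism described under Dead-drop resolvers and the detection idea under Defense, as an added worked example in Python; this is not Vidar's code and not from the original page. The "c2:<ip>:<port>" marker, the proxy log layout, the host and process names and every address are constructed assumptions for the demonstration; real Vidar builds use their own markers and profile fields.

```python
"""Two sides of a Vidar-style dead-drop resolver, as a worked example.

Added illustration, not Vidar's own code: the marker format, the proxy log
layout, the process names and every address below are constructed for the
demonstration. Real Vidar builds use their own markers and page fields.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# ---- 1. Resolver side: how the sample recovers its C2 from a profile page ----

# Assumed marker scheme for illustration: the operator writes "c2:<ipv4>:<port>"
# somewhere in the profile description. Rotating C2 means editing this one field.
_C2_MARKER = re.compile(r"c2:(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# Constructed stand-in for a fetched public profile page (not a real t.me page).
PROFILE_PAGE = """<html><body>
<h1>Some Channel</h1>
<div class="bio">daily picks c2:203.0.113.45:80 enjoy</div>
</body></html>"""


def profile_to_c2(profile_html):
    """Return (ip, port) hidden in a profile page, or None if nothing usable.

    The fetch itself is a plain HTTPS GET to a well-known social-media host,
    so the only unusual steps are this parse and the follow-up connection.
    """
    m = _C2_MARKER.search(profile_html)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    try:
        ipaddress.IPv4Address(ip)          # reject junk such as 999.0.0.1
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return ip, port


# ---- 2. Detection side: pair a profile fetch with a follow-up bare-IP call ----

# Assumed proxy log layout: "<ISO timestamp> <host> <process> <url>".
_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
_PROFILE_URL = re.compile(
    r"^https://(?:t\.me/|steamcommunity\.com/profiles/|mastodon\.social/@)\S+")
_BARE_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")

# Constructed sample log. WS-17 shows the resolver pattern (profile fetch, then
# a bare-IP request 9 s later from the same non-browser process); WS-22 is a
# user browsing Steam; WS-31 has the same shape as WS-17 but a 10-minute gap.
SAMPLE_PROXY_LOG = [
    "2024-03-01T10:00:00 WS-17 chrome.exe https://t.me/somechannel",
    "2024-03-01T10:00:05 WS-17 build.exe https://t.me/somechannel",
    "2024-03-01T10:00:09 WS-17 build.exe http://203.0.113.45/",
    "2024-03-01T10:05:00 WS-22 firefox.exe https://steamcommunity.com/profiles/76561198000000000",
    "2024-03-01T10:05:02 WS-22 firefox.exe https://example.com/",
    "2024-03-01T11:00:00 WS-31 setup.exe https://mastodon.social/@someone",
    "2024-03-01T11:10:00 WS-31 setup.exe http://198.51.100.7:8080/",
]

BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")


def flag_dead_drop_resolution(lines, window_s=60, browsers=BROWSERS):
    """Return (host, process, profile_url, ip) for each non-browser process that
    fetches a social-media profile page and then, within window_s seconds,
    requests a bare IPv4 URL from the same host.

    Browsers are skipped because users load these pages all day; keying on the
    destination alone would alert on every Telegram link. The time window is
    the main tuning knob: too short misses slow samples, too long adds noise.
    """
    pending = {}   # (host, process) -> (timestamp, profile_url)
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue                            # skip malformed lines
        ts = datetime.fromisoformat(m.group(1))
        host, proc, url = m.group(2), m.group(3).lower(), m.group(4)
        if proc in browsers:
            continue
        if _PROFILE_URL.match(url):
            pending[(host, proc)] = (ts, url)   # remember the latest fetch
            continue
        ip_m = _BARE_IP_URL.match(url)
        if ip_m and (host, proc) in pending:
            t0, profile_url = pending.pop((host, proc))
            if timedelta(0) <= ts - t0 <= timedelta(seconds=window_s):
                hits.append((host, proc, profile_url, ip_m.group(1)))
    return hits


if __name__ == "__main__":
    print("resolver recovered:", profile_to_c2(PROFILE_PAGE))
    for hit in flag_dead_drop_resolution(SAMPLE_PROXY_LOG):
        print("dead-drop pattern:", hit)
```

In production the second half would read proxy or EDR network telemetry rather than a list of strings, and the profile-host list would be maintained from current reporting; the point the sample shows is that the pairing of a profile fetch with a bare-IP follow-up from the same non-browser process is what separates a resolver lookup from a user opening a Telegram link.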