Vidar Stealer, a notorious information-stealing malware, has adopted a deceptive method to disguise itself as Microsoft’s BGInfo application.
By exploiting a legitimate tool widely used by IT professionals to display system details, attackers have demonstrated advanced techniques to evade detection and execute malicious code designed to compromise sensitive data.
BGInfo, part of Microsoft’s Sysinternals Suite, is a trusted application that enables users to configure desktop backgrounds with essential system information such as IP addresses, operating system details, and memory allocation.
However, on February 25, 2025, researchers discovered a malware variant mimicking BGInfo.exe’s file metadata, including its version number, creation date, and developer details, to bypass suspicion.
The infected binary diverges from the legitimate 2.1 MB file size, bloating to 10.2 MB—a clear indicator of embedded malicious instructions.
Upon execution, the compromised BGInfo binary subverts the normal initialization process.
Instead of performing legitimate functions like updating the desktop background, the malware allocates memory via VirtualAlloc for subsequent payload stages.
This malicious memory space hosts Vidar Stealer, which redirects execution flow to its routines by modifying critical thread start points associated with Windows API functions such as RtlUserThreadStart.
Additional evidence of compromise was observed through disassembly comparisons between the legitimate and malicious binaries.
The infected executable alters heap management processes to execute its payload, and debugger views revealed key strings associated with Vidar Stealer, including references to popular applications like Telegram, Steam, and cryptocurrency wallets such as BraveWallet and Monero.
This indicates targeted attempts to extract stored credentials and session tokens.
According to the report, Vidar Stealer is well-documented for its ability to harvest credentials, hijack browser cookies, and steal session data from prominent services such as Discord, AWS, and FileZilla.
Recent analysis underscores its consistent attack patterns, which include:
Researchers confirmed that the latest Vidar Stealer variant behaves similarly to its predecessors, showing no significant deviation in functionality beyond its advanced masquerading technique.
The abuse of BGInfo.exe underscores the growing complexity of malware campaigns, where trusted tools are manipulated to bypass scrutiny.
To counter such threats, security teams must adopt proactive measures, including file integrity monitoring, memory behavior analysis, and the identification of anomalies such as unusual file sizes, expired signatures, or unexpected process heap modifications.
Continuous vigilance and the application of threat intelligence frameworks like MITRE ATT&CK are crucial.
Techniques observed in this campaign include masquerading (T1036), binary padding (T1027), and thread execution hijacking (T1055), all designed to evade detection and maintain persistence.
Vidar Stealer’s evolution highlights the importance of ongoing threat hunting and robust defenses to mitigate risks associated with such sophisticated attacks.
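A triage check for the indicators the article calls out: a file claiming to be BGInfo whose size is far from the 2.1 MB baseline, a large overlay of data beyond the PE's last section (what binary padding leaves behind), and a Microsoft publisher claim without a valid signature. This is an added example, not code from the report or the researchers; the baseline size, the publisher string, and the build_pe helper that fabricates a minimal PE for testing are constructed assumptions.

```python
import struct

# Constructed baseline for the genuine binary (size approximated from the article;
# replace with the size and hash of a golden copy verified on your own systems).
BASELINE = {"bginfo.exe": {"size": 2_100_000, "publisher": "Microsoft Corporation"}}


def pe_section_end(data: bytes) -> int:
    """Return the file offset just past the last PE section, or 0 if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    coff = e_lfanew + 4                       # COFF header follows the PE signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    end = 0
    for i in range(num_sections):             # SizeOfRawData, PointerToRawData at +16 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def assess(claimed_name: str, data: bytes, publisher: str, signature_valid: bool) -> list:
    """Return findings for a file whose version info claims to be claimed_name."""
    findings = []
    base = BASELINE.get(claimed_name.lower())
    if base is None:
        return findings
    deviation = abs(len(data) - base["size"]) / base["size"]
    if deviation > 0.25:                      # 2.1 MB claimed vs 10.2 MB observed is ~390%
        findings.append(f"size deviates {deviation:.0%} from baseline (binary padding, T1027?)")
    end = pe_section_end(data)
    overlay = len(data) - end if end else 0   # bytes appended after the last declared section
    if overlay and overlay / len(data) > 0.10:
        findings.append(f"{overlay} bytes of overlay beyond the last section")
    if publisher == base["publisher"] and not signature_valid:
        findings.append("claims Microsoft publisher but signature missing/invalid (masquerading, T1036?)")
    return findings


def build_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for testing: one section plus an optional overlay."""
    opt = 224                                 # PE32 optional header size (contents zeroed)
    hdr_len = 0x40 + 4 + 20 + opt + 40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt, 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(section), 0x1000, len(section), hdr_len) + b"\0" * 16
    return dos + b"PE\0\0" + coff + b"\0" * opt + sec + section + overlay
```

In production, take claimed_name and publisher from the file's version resource and signature_valid from an Authenticode check; the thresholds here are starting points, not tuned values.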