Vidar - Distribution Methods

File types, delivery vectors, and hosting infrastructure used to distribute Vidar.

Last updated: 2026-06-28

Understanding how Vidar reaches victims is critical for prevention. This page breaks down the file types used in distribution, the hosting infrastructure serving malicious payloads, and URLs tracked by URLhaus. Data is updated daily.

What Distribution Data Tells You

Shifts in file type distribution often signal changes in delivery tactics. For example, a move from .exe to .msi files may indicate operators adapting to Windows SmartScreen or email gateway filtering. A surge in .js or .vbs files suggests script-based delivery through phishing emails. Monitoring these patterns helps you tune your email security gateway rules and endpoint protection policies to block the current delivery method before it reaches end users.

Hosting Infrastructure

The hosting data below shows which domains and servers are actively distributing Vidar payloads. Add these to your DNS blocklists, web proxy deny rules, and firewall policies. Hosting infrastructure tends to rotate frequently as takedowns occur, so check this page regularly. All URL data is sourced from URLhaus. For hash-based indicators, see the IOC page. For sample details, see Vidar samples.
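An added example, not part of the original page or of any URLhaus tooling: one way to sort URLhaus-style URL data into the three rule types named above. Hosts that are IP literals go to firewall rules, dedicated domains go to the DNS blocklist, and shared platforms such as github.com get path-scoped proxy rules, because blocking the whole domain would also cut off legitimate use. The `SHARED_PLATFORMS` set, the `build_rules` function and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: platforms too widely used to block by domain; tune per environment.
SHARED_PLATFORMS = {"github.com"}

# Constructed sample input (documentation-reserved names and addresses).
SAMPLE_URLS = [
    "https://github.com/example-user/example-repo/releases/download/v1/tool.zip",
    "http://192.0.2.10/files/install.exe",
    "https://192.0.2.10/files/update.exe",
    "http://www.payload.example/1g/2.jpg",
    "https://payload.example/1g/3.jpg",
    "https://dl.payload.example:8443/in/?name",
    "not a url",
]

def build_rules(urls, shared=SHARED_PLATFORMS):
    """Sort distribution URLs into DNS, firewall and proxy rule sets."""
    rules = {"dns": set(), "firewall": set(), "proxy": set(), "skipped": []}
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
            host = (parts.hostname or "").rstrip(".")  # lowercased, port removed
        except ValueError:  # e.g. malformed bracketed IPv6 literal
            parts, host = None, ""
        if not host or parts.scheme not in ("http", "https"):
            rules["skipped"].append(raw)
            continue
        try:
            ipaddress.ip_address(host)
            rules["firewall"].add(host)  # IP literal: DNS blocking cannot see it
            continue
        except ValueError:
            pass  # not an IP address, treat as a hostname
        if host in shared:
            # Scope the rule to the owner/repository path, not the whole platform.
            segs = [s for s in parts.path.split("/") if s][:2]
            if len(segs) == 2:
                rules["proxy"].add(f"{host}/{segs[0]}/{segs[1]}/")
            else:
                rules["skipped"].append(raw)
        else:
            # www. and bare variants stay separate entries unless the
            # resolver applies wildcard matching.
            rules["dns"].add(host)
    return rules
```
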

File Types (486 samples)

exe 457 (94%)
zip 16 (3%)
ps1 6 (1%)
lnk 4 (1%)
js 1 (0%)
iso 1 (0%)
rar 1 (0%)

Malicious Distribution URLs (157)


Source: URLhaus (abuse.ch). Updated: 2026-06-28

Hosting Infrastructure

Host URLs
dl.armour-inc-down.net 15
158.94.208.168 11
185.222.160.157 10
5.252.21.239 10
github.com 9
91.92.242.236 7
worthknowing.us 6
192.177.26.196 6
itskuba.com 5
www.itskuba.com 3
mybiggestjoy.bond 3
158.94.208.7 3
192.253.248.8 2
158.94.210.248 2
brukva.shop 2
mygoodblog.bond 2
myverifyblog.sbs 2
cloudflare-check.cfd 2
bigboysclub.cyou 2
productionmaza.cfd 2