Vidar - Daily Threat Report

Saturday, April 25, 2026

Daily Summary

Vidar samples totaled 44 on 2026-04-25, closely aligned with the 7-day average of 45, reflecting a stable trend with no notable spike or drop. The 3% deviation suggests consistent threat actor operations without a surge in campaign activity.

New Samples Detected

Executable files dominate with 35 .exe samples, maintaining Vidar’s standard delivery format. Four .dll files, two .zip archives, and single samples of .js, .iso, and .ps1 indicate limited experimentation with secondary payload types. No unusual naming patterns emerged, with most .exe files using generic system-related names (e.g., “update.exe”, “setup.exe”).

Distribution Methods

Distribution remains focused on .exe droppers, likely seeded via phishing emails with password-protected .zip attachments or direct .exe links. The lone .js and .ps1 samples suggest occasional use of script-based loaders, while the .iso file mirrors recent campaign patterns for bypassing Mark-of-the-Web restrictions. Compressed archives account for minimal volume.

Detection Rate

Detection engines show moderate catch rates against today’s Vidar samples, with new variants likely employing packers or simple obfuscation to evade signature-based scanning. The mix of file types, especially the .ps1 and .js, may achieve lower detection due to heuristic gaps. Behavioral detection remains effective post-execution.

C2 Infrastructure

C2 activity saw 100 new servers and 144 total new IOCs today. New domains and IPs show no strong geographic clustering, consistent with distributed infrastructure. This suggests a recurring pattern of rotating C2 nodes to avoid IP-based blocking, with no evidence of geographic targeting.

7-Day Trend

Activity over the past week remains steady, with daily counts closely tracking the 45-sample average. Vidar is neither ramping up for a major campaign nor cooling down, indicating sustained, low-to-moderate operational tempo.

Security Analysis

A non-obvious signal is the consistent ratio of .exe samples to other file types across the week, suggesting Vidar operators are comfortable with their current delivery chain and are not probing for new access vectors. Unlike recent campaigns that emphasized .iso payloads, today’s distribution maintains a conservative profile. Actionable recommendation: Block execution of .exe files from non-browser and non-repository download paths via group policy or EDR rules, and enable AMSI for PowerShell and JScript to catch script-based loaders.

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
