Vidar - Daily Threat Report

Tuesday, May 5, 2026

Daily Summary

Vidar activity rose today with 33 new samples, 25% above the 7-day average of 26. This marks a notable upswing after several days of moderate volume and suggests renewed campaign intensity.

New Samples Detected

All 33 new samples are .exe files, consistent with Vidar’s typical delivery as standalone executables. No shifts in packaging were observed; samples continue to use standard UPX compression and common icon resources mimicking documents or installers.

Distribution Methods

Today’s .exe-only samples likely arrive via malvertising or phishing emails with weaponized attachments. Vidar is frequently bundled with cracked software or game cheats, but the absence of non-executable file types here points to direct download links as the primary vector.

Detection Rate

Preliminary check on VirusTotal for a random subset of five samples shows a median detection rate of 18/70, slightly below the typical 22/70 for this family. The lower detection may indicate minor packing modifications or delayed signature updates, though no full evasion is evident.

C2 Infrastructure

We observed 100 new C2 servers, with IPs primarily in Russia and the Netherlands. Several domains mimic legitimate services like ‘onedrive-update[.]com’ using fake SSL certificates to appear credible. No geographic pivot from previous weeks.

7-Day Trend

Activity is ramping up after a 3-day lull (22-27 samples per day), with today’s count the highest since April 30. The current average suggests sustained or escalating distribution in the coming days.

Security Analysis

Notably, Vidar’s C2 servers today exhibit a longer-than-usual rotation cycle: past campaigns recycled domains every 12-24 hours, but several current IPs have been active for 48+ hours. This could indicate infrastructure consolidation or a shift to more persistent hosting, potentially to support larger data exfiltration volumes. We recommend that SOC teams extend domain expiry monitoring windows to 72 hours and prioritize reviewing network logs for connections to any IPs in the 88.214.0.0/16 range, which accounts for 30% of today’s new servers.
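As an added illustration of the log review recommended above (not part of the original report), the following Python triages constructed connection records against the 88.214.0.0/16 range and a hypothetical first-seen table for known C2 IPs, applying the 72-hour watch window and flagging indicators that have stayed active for 48+ hours. The log format, hostnames other than onedrive-update[.]com, and first-seen timestamps are all assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Range the report calls out: 30% of today's new Vidar C2 servers.
FLAGGED_NET = ipaddress.ip_network("88.214.0.0/16")
# The report recommends a 72h watch window instead of the usual 12-24h rotation.
WATCH_WINDOW = timedelta(hours=72)
# Report observation: several C2 IPs have stayed active for 48+ hours.
LONG_LIVED = timedelta(hours=48)
# Assumed analysis time for this example (report date, midday).
REPORT_TIME = datetime(2026, 5, 5, 12, 0)

# Constructed sample log lines (not real traffic): time, src, dst_ip, SNI/host.
SAMPLE_LOG = """\
2026-05-05T08:12:03Z 10.0.0.21 88.214.12.7 onedrive-update.com
2026-05-05T08:13:44Z 10.0.0.35 13.107.42.14 login.live.com
2026-05-05T09:01:10Z 10.0.0.21 185.199.110.153 github.com
2026-05-05T09:30:00Z 10.0.0.48 88.214.200.1 cdn-cache-static.net
"""

# Constructed first-seen times for known C2 IPs (hypothetical feed export).
FIRST_SEEN = {
    "88.214.12.7": datetime(2026, 5, 3, 6, 0),
    "88.214.200.1": datetime(2026, 5, 5, 6, 0),
}

def parse_line(line):
    """Split one space-separated record into typed fields."""
    ts, src, dst, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, ipaddress.ip_address(dst), host

def flag_connections(log_text, first_seen, now):
    """Return [(src, dst, host, reasons)] for connections a SOC should review."""
    hits = []
    for line in log_text.splitlines():
        _, src, dst, host = parse_line(line)
        reasons = []
        if dst in FLAGGED_NET:
            reasons.append("dst in 88.214.0.0/16")
        seen = first_seen.get(str(dst))
        if seen is not None and now - seen <= WATCH_WINDOW:
            age_h = int((now - seen) / timedelta(hours=1))
            reasons.append(f"known C2, first seen {age_h}h ago")
            if now - seen >= LONG_LIVED:
                reasons.append("long-lived C2 (48h+)")
        if reasons:
            hits.append((src, str(dst), host, reasons))
    return hits

def todays_hits():
    """Run the triage over the constructed sample at the assumed report time."""
    return flag_connections(SAMPLE_LOG, FIRST_SEEN, REPORT_TIME)

if __name__ == "__main__":
    for hit in todays_hits():
        print(hit)
```

Connections to legitimate hosts are left untouched; only destinations in the flagged range or in the first-seen table produce a hit, and the age reason lets an analyst see at a glance which indicators exceed the old 12-24 hour rotation.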

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
