Vidar - Daily Threat Report

Sunday, May 31, 2026

Daily Summary

Vidar activity surged to 51 new samples on 2026-05-31, a 122% increase over the 7-day average of 23. A sharp rise in C2 infrastructure deployment accompanies the sample growth, with 100 new servers observed. This clustering of indicators points to an active campaign rather than ambient noise.

7-Day Trend

Today's sample volume of 51 is more than double the 7-day average of 23 and is the highest single-day count in the tracking period. The trend is firmly upward; analysts should prepare for sustained or accelerating activity over the next 48-72 hours.

New Samples Detected

Of the 51 new samples, 49 are .exe files, one is a .dll, and one is a .ps1 script. The .ps1 file is notable as PowerShell-based Vidar loaders are uncommon and may indicate an attempt to bypass application whitelisting or static AV signatures. The sole .dll sample suggests sideloading via legitimate Windows executables remains in use.

C2 Infrastructure

100 new C2 servers were identified today, a stark increase. Typical daily additions for Vidar range from 10-30 servers; today's count is more than three times the top of that range and coincides with the sample surge. The volume of infrastructure suggests either a single operator deploying at scale or multiple threat actors adopting shared C2-as-a-Service. New domains largely use .top and .click TLDs, consistent with recent cheap-bulk registration patterns.

IOC Highlights

151 new IOCs were added: the 100 C2 domains and the 51 file hashes. SOC teams should prioritize blocking the .ps1 loader hash and the .dll side-loading binary, as these represent a deviation from standard Vidar delivery, and sweep endpoint telemetry for the hashes and domains rather than relying on perimeter blocks alone.
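The sweep described above, as an added example that is not part of this report or of the abuse.ch projects: it indexes the day's IOC set, matches it against endpoint telemetry and ranks hits so that hosts touching the .ps1 loader or the side-loaded .dll come first. Every IOC value, hostname and log line is constructed for illustration; the record fields mirror ThreatFox (ioc_type/ioc_value) and MalwareBazaar (file_type) exports but the data is invented, and domain matching also covers subdomains of a listed C2 domain, which the report's text does not discuss.

```powershell
# Added example, not part of the original report or of the abuse.ch projects: sweep
# endpoint telemetry for the day's Vidar IOCs and rank the hits. Every IOC value and
# every log line below is constructed for illustration; a real run would replace $iocs
# with the ThreatFox / MalwareBazaar exports (the field names mirror those feeds).

$iocs = @(
    [pscustomobject]@{ ioc_type = 'sha256_hash'; ioc_value = ('1' * 64); file_type = 'ps1' }   # constructed
    [pscustomobject]@{ ioc_type = 'sha256_hash'; ioc_value = ('2' * 64); file_type = 'dll' }   # constructed
    [pscustomobject]@{ ioc_type = 'sha256_hash'; ioc_value = ('3' * 64); file_type = 'exe' }   # constructed
    [pscustomobject]@{ ioc_type = 'domain';      ioc_value = 'ioc-example-1.top';   file_type = $null }   # constructed
    [pscustomobject]@{ ioc_type = 'domain';      ioc_value = 'ioc-example-2.click'; file_type = $null }   # constructed
)

# Index the IOCs once so the sweep is O(events), not O(events * IOCs).
$hashIocs   = @{}
$domainIocs = @{}
foreach ($ioc in $iocs) {
    switch ($ioc.ioc_type) {
        'sha256_hash' { $hashIocs[$ioc.ioc_value.ToLower()]   = $ioc }
        'domain'      { $domainIocs[$ioc.ioc_value.ToLower()] = $ioc }
    }
}

# Constructed Sysmon-style events (EID 1 process create, 7 image load, 15 file stream
# hash, 22 DNS query), flattened to key=value so the example needs no event log access.
$telemetry = @'
2026-05-31T08:12:03Z host=WS-0412 eid=1  image=C:\Users\jdoe\Downloads\invoice_2291.exe sha256=3333333333333333333333333333333333333333333333333333333333333333
2026-05-31T08:12:04Z host=WS-0412 eid=22 image=C:\Users\jdoe\Downloads\invoice_2291.exe query=cdn.ioc-example-1.top
2026-05-31T08:20:10Z host=WS-0099 eid=15 image=C:\Windows\explorer.exe target=C:\Users\asmith\Downloads\update.ps1 sha256=1111111111111111111111111111111111111111111111111111111111111111
2026-05-31T08:31:42Z host=WS-0150 eid=7  image=C:\Users\mlee\AppData\Local\Temp\viewer.exe loaded=C:\Users\mlee\AppData\Local\Temp\version.dll sha256=2222222222222222222222222222222222222222222222222222222222222222
2026-05-31T09:05:00Z host=WS-0007 eid=22 image=C:\Users\kpark\AppData\Local\Browser\browser.exe query=www.example.com
'@

function ConvertFrom-TelemetryLine {
    # Turn one "time k=v k=v ..." line into an object; paths here contain no spaces.
    param([string]$Line)
    $fields = [ordered]@{}
    $tokens = $Line.Trim() -split '\s+'
    $fields['time'] = $tokens[0]
    foreach ($token in $tokens[1..($tokens.Count - 1)]) {
        if ($token -match '^([a-z0-9]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return [pscustomobject]$fields
}

function Resolve-DomainIoc {
    # Check the queried name and each parent domain, so cdn.<c2-domain> still hits.
    # The bare TLD is never a candidate.
    param([string]$Query, [hashtable]$Domains)
    $labels = $Query.ToLower().TrimEnd('.') -split '\.'
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($Domains.ContainsKey($candidate)) { return $Domains[$candidate] }
    }
    return $null
}

function Find-IocHits {
    param([string[]]$Lines, [hashtable]$Hashes, [hashtable]$Domains)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $e = ConvertFrom-TelemetryLine -Line $line
        $ioc = $null
        $context = $e.image
        if ($e.sha256 -and $Hashes.ContainsKey($e.sha256.ToLower())) {
            $ioc = $Hashes[$e.sha256.ToLower()]
            if ($e.target) { $context = $e.target } elseif ($e.loaded) { $context = $e.loaded }
        } elseif ($e.query) {
            $ioc = Resolve-DomainIoc -Query $e.query -Domains $Domains
        }
        if (-not $ioc) { continue }
        # The report singles out the .ps1 loader and the side-loaded .dll as deviations
        # from normal Vidar delivery, so those two hashes rank above everything else.
        $priority = if ($ioc.file_type -in @('ps1', 'dll')) { 'P1' } else { 'P2' }
        [pscustomobject]@{
            Priority = $priority; Time = $e.time; Host = $e.host; Eid = $e.eid
            IocType  = $ioc.ioc_type; Ioc = $ioc.ioc_value; Context = $context
        }
    }
}

$hits = Find-IocHits -Lines ($telemetry -split "`r?`n") -Hashes $hashIocs -Domains $domainIocs
$hits | Sort-Object Priority, Time | Format-Table -AutoSize

# Isolation queue: one line per host, highest priority first. With the constructed data,
# WS-0099 (.ps1) and WS-0150 (.dll) come out as P1, WS-0412 as P2, WS-0007 does not appear.
$hits | Group-Object Host | ForEach-Object {
    [pscustomobject]@{ Host = $_.Name; TopPriority = @($_.Group.Priority | Sort-Object)[0]; Hits = $_.Count }
} | Sort-Object TopPriority, Host
```

The hash index is keyed on lower-cased values because Sysmon and the feeds differ in hex casing, and the DNS match walks up to the registered domain rather than requiring an exact string match, which is how a C2 domain fronted by a subdomain would otherwise slip past a naive lookup.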

Security Analysis

The simultaneous spike in both samples and C2 servers is unusual for Vidar, which often staggers infrastructure deployment. This alignment suggests a coordinated campaign rather than organic malware spread, possibly tied to a specific phishing wave or exploit kit push. Defensive teams should monitor for increased email traffic with password-protected archives or OneDrive links, as these are common entry points for Vidar during active campaigns. Restricting .ps1 execution for non-administrative users via AppLocker script rules or WDAC would directly disrupt the observed loader variant. Note that file-based script rules do not stop script content passed on the command line, piped in, or supplied via -EncodedCommand, so PowerShell script block logging should accompany them.
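One way to implement that AppLocker restriction, as an added example that is not the report's own guidance: a Script rule collection that lets local Administrators run scripts from anywhere, lets everyone else run only scripts shipped under %WINDIR% and %PROGRAMFILES%, and carves user-writable subfolders of %WINDIR% back out so they cannot be used as a staging path. The rule GUIDs, the policy path C:\Temp\VidarScriptRules.xml, the probe script and the exception list are assumptions chosen for this example.

```powershell
# Added example, not part of the original report: an AppLocker Script rule collection
# that lets local Administrators run PowerShell scripts from anywhere and lets everyone
# else run only scripts shipped under %WINDIR% and %PROGRAMFILES%. A .ps1 loader dropped
# into Downloads or %TEMP% therefore fails to run for a standard user. The rule GUIDs,
# the file path C:\Temp\VidarScriptRules.xml and the probe script are assumptions.
#Requires -RunAsAdministrator

$policyPath = 'C:\Temp\VidarScriptRules.xml'
$mode       = 'AuditOnly'   # switch to 'Enabled' once the audit events look clean

# AppLocker is default-deny once a collection has rules and is enforced: any script that
# matches no Allow rule is blocked, so no explicit Deny for Downloads or %TEMP% is needed.
# The Exceptions carve user-writable folders back out of the %WINDIR% allow rule; the list
# is illustrative and should be built from an AccessChk run (accesschk -w -s -u Users C:\Windows).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$mode">
    <FilePathRule Id="0f2e6b1c-5a4d-4c3e-9b8a-7d6e5f4a3b2c" Name="Administrators: any script"
                  Description="Members of Administrators may run scripts from any path"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="1a2b3c4d-6e7f-4a8b-9c0d-e1f2a3b4c5d6" Name="Everyone: Windows folder"
                  Description="Scripts under %WINDIR%, minus user-writable subfolders"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="2b3c4d5e-7f8a-4b9c-8d1e-f2a3b4c5d6e7" Name="Everyone: Program Files"
                  Description="Scripts under %PROGRAMFILES%"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a constructed loader path before touching the live policy. A standard
# user should get a Denied/DeniedByDefault decision; an administrator should get Allowed.
$probe = Join-Path $env:TEMP 'update.ps1'
Set-Content -Path $probe -Value 'Write-Host "probe"'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User 'Administrators' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (existing Exe/Dll/Msi collections are kept), then make sure
# the Application Identity service, which AppLocker depends on, starts at boot.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Audit results land in the "Microsoft-Windows-AppLocker/MSI and Script" log:
# 8006 = would have been blocked (AuditOnly), 8007 = blocked (Enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it in AuditOnly first and review the 8006 events for legitimate scripts that would be caught, then flip $mode to Enabled and re-run. With the policy enforced, PowerShell 5.1 also drops scripts that no rule allows into Constrained Language Mode, which blunts loaders that try to stage content through the command line instead of a .ps1 file; it does not replace script block logging, which still records what such content tried to do.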

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
