
Fake YouTube Downloads Distribute Vidar Malware to Steal Corporate Credentials


A new campaign involving the Vidar infostealer is exploiting fake software download links on YouTube to target corporate employees. This malicious strategy is aimed at compromising the accounts of these individuals and selling their stolen credentials on various Russian cybercrime marketplaces.

In one such incident investigated by cybersecurity experts, a corporate employee searching for specific software on YouTube inadvertently followed a link in a video description. This link directed them to a third-party file-sharing service. The user was then further redirected from YouTube to filefa.st and subsequently to MediaFire. Here, a compressed archive masquerading as a NeoHub installer was found, which, according to analysis, remained accessible at the time of the report.

Inside this archive were several files dated October 16, 2025, among them a file named NeoHub.exe and a malicious dynamic link library (DLL) identified as msedgeelf.dll. NeoHub.exe was crafted to resemble a legitimate Windows application, increasing the likelihood that unsuspecting users would execute it in the belief that it was a valid software installer.

In the cyber threat landscape, Vidar has emerged as a leading infostealer on Russian Market platforms, consistently ranking as a top contender in the infostealer ecosystem surveyed for annual threat reporting. Researchers observed attackers utilizing the deceptive NeoHub tool to entice victims into executing a harmful installer that covertly installs the latest version of the Vidar stealer, known as Vidar 2.0.

### Technical Details of the Malicious Payload

The msedgeelf.dll file, a 64-bit Go-compiled DLL of roughly 10 MB, is heavily obfuscated to impede both static and dynamic analysis. The logs collected by Vidar include a file named “information.txt,” which contains the domain used to advertise the malware, now identified as vidars[.su].

Upon execution, the binary imports key functions from the msedgeelf.dll file, which disguises itself as a component of Microsoft Edge. Analysts noted that the file’s structure included unusual section names and the use of classic packing imports like LoadLibrary and GetProcAddress, indicating it features a custom Go-based packing technique paired with control-flow flattening.

Originally, this DLL was signed with a fraudulent certificate and then re-signed with another fake certificate that sought to impersonate “grow.com.” Such misrepresentations have been identified across multiple infostealer samples available on VirusTotal. Once unpacked, Vidar reveals its typical capabilities, which include targeting credentials, cookies, autofill data, and even cryptocurrency wallet information.

This attack chain gives the operators extensive information about each compromised system, covering every stage from initial execution through to the exfiltration of sensitive data. Vidar targets multiple web browsers, including Chrome, Edge, Firefox, Opera, Vivaldi, Waterfox, and Pale Moon, and reads their local databases to decrypt stored secrets.

Moreover, the malware is designed to collect detailed system information and compile a file summarizing the host metadata for the operators’ use.

Vidar employs dead drop resolvers located on popular platforms such as Steam and Telegram, allowing it to dynamically retrieve its command-and-control (C2) domains. In the analyzed sample, references to both a Steam profile and a Telegram channel point back to a specific subdomain, which ultimately directs to the actual C2 domain.

### From Stolen Logs to Corporate Consequences

The compromised data from this campaign is being sold or shared as “logs” on Russian Market and Telegram channels, including KATANACLOUD and BradMax Cloud. These platforms actively promote Vidar-related content, thereby distributing infostealer logs to a diverse range of cybercriminals. Such distribution enables secondary attacks, which may involve VPN hijacking, corporate email compromise, cloud account takeovers, and financial fraud.

By using lures that exploit an everyday habit, searching YouTube for cracked or unofficial software tools, the campaign reaches even well-secured corporate networks. Once Vidar has extracted browser-stored credentials and cookies, attackers can bypass multi-factor authentication in some scenarios by replaying session cookies, or by exploiting weak security controls on internal portals.

To counteract this increasing threat, security teams are advised to block the infrastructure associated with Vidar, including domains such as vidars.su, true-v.top, v-new.cloud, and others. Security mechanisms should prioritize identifying unusual traffic patterns directed toward Steam and Telegram profiles that act as dead drop resolvers, as well as monitoring for dubious downloads from file-sharing services linked to YouTube.
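As an added example (not from the report or the researchers behind it), the following Python triage script implements the monitoring this paragraph recommends over a few constructed proxy-log lines: it flags contact with the Vidar domains named above, downloads from the file-sharing hosts in the described redirect chain, and Steam-profile or Telegram-channel lookups that fit the dead drop resolver pattern, then scores each client so that a lone Steam or Telegram hit is not mistaken for an infection. The log format, client IPs, profile and channel names are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-log sample (not from the report): time client method host path
SAMPLE_LOG = """\
2025-10-17T09:12:01Z 10.0.4.21 GET www.mediafire.com /file/EXAMPLE/NeoHub.zip
2025-10-17T09:13:10Z 10.0.4.21 GET steamcommunity.com /profiles/EXAMPLEPROFILE
2025-10-17T09:13:11Z 10.0.4.21 GET t.me /example_channel
2025-10-17T09:13:15Z 10.0.4.21 POST true-v.top /
2025-10-17T09:16:02Z 10.0.4.37 GET t.me /some_channel
"""

BLOCKED_DOMAINS = {"vidars.su", "true-v.top", "v-new.cloud"}  # domains named in the report
FILESHARE_HOSTS = {"filefa.st", "mediafire.com", "www.mediafire.com"}  # redirect-chain hosts
# Steam profile pages and Telegram channels: the dead drop resolver shapes described above.
DEAD_DROP_RULES = (
    ("steam_profile", re.compile(r"^steamcommunity\.com$"), re.compile(r"^/(profiles|id)/")),
    ("telegram_channel", re.compile(r"^(t|telegram)\.me$"), re.compile(r"^/[A-Za-z0-9_]+/?$")),
)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(host, path):
    """Tags a single request matches: blocked C2, file-share download, dead-drop lookup."""
    tags = {t for t, h, p in DEAD_DROP_RULES if h.match(host) and p.match(path)}
    if host in BLOCKED_DOMAINS:
        tags.add("blocked_c2")
    if host in FILESHARE_HOSTS:
        tags.add("fileshare_download")
    return tags

def analyze(log_text):
    """Score each client: resolver lookups alone are weak evidence, combined with C2 or a download they are not."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        _ts, client, _method, host, path = m.groups()
        per_client[client] |= classify(host.lower(), path)
    resolver_tags = {t for t, _, _ in DEAD_DROP_RULES}
    findings = {}
    for client, tags in per_client.items():
        if "blocked_c2" in tags:
            findings[client] = "high"    # direct contact with a known Vidar domain
        elif tags & resolver_tags and "fileshare_download" in tags:
            findings[client] = "medium"  # file-share download followed by resolver lookups
        elif tags & resolver_tags:
            findings[client] = "low"     # a lone Steam/Telegram hit may be ordinary browsing
    return findings
```

Feed it real proxy or DNS logs by adapting LINE_RE, and keep BLOCKED_DOMAINS in sync with your own threat-intel feed rather than the three names quoted here.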

Additionally, enterprises must fortify browser security measures by limiting password storage capabilities, mandating multi-factor authentication, and keeping an eye on abnormal login behaviors associated with stolen cookies. Regular security awareness training should also be implemented, explicitly highlighting the risks associated with downloading “free” tools from YouTube links and unofficial file-sharing sites. This campaign underscores how a single careless action can lead to substantial exposure of corporate credentials, ultimately affecting the broader organizational landscape.
