Threat actors have simultaneously released major updates for two prominent info-stealers, Vidar and StealC, marking their transition to version 2.0.
These updates, announced in late February 2025, introduce redesigned builds, modernized features, and enhanced capabilities.
Alongside the new features, researchers have noted an unexpected overlap: the two strains appear to share portions of their codebase, raising the question of whether code was stolen or whether the two crews are cooperating.
Key Features of Vidar and StealC 2.0
According to a post on X by researcher @g0njxa, both Vidar and StealC have undergone substantial upgrades in their latest versions, as highlighted in their respective announcements:
Modernized User Interfaces: Both malware families now feature updated interfaces, likely aimed at improving usability for operators.
Rewritten Builds: According to the sellers, both codebases have been rewritten from scratch using modern methods, avoiding reliance on older code.
Improved Runtime Stability: Both announcements advertise a new “morpher” module that is claimed to improve runtime stability and speed up execution; as with the other items, this is the sellers' claim rather than an independently verified capability.
Enhanced Marketing and Support: Threat actors behind these projects have emphasized improved support services in multiple languages, signaling a push toward broader adoption by cybercriminals.
Despite being marketed as distinct projects, researchers have identified significant similarities between Vidar 2.0 and StealC 2.0 at the code level.
Screenshots of internal discussions among developers suggest that Vidar’s creators suspect their code may have been stolen and repurposed by other actors.
For instance, one developer remarked, “Did someone steal my cookie extractor or something?” This suspicion aligns with technical findings showing identical modules for cookie extraction and injection failure handling.
Vidar has been a prominent info-stealer since it emerged in 2018. Written in C++, it exfiltrates sensitive data such as browser cookies, saved passwords, cryptocurrency wallets, and data belonging to two-factor authentication applications.
Its operators frequently use social media platforms such as Telegram and Mastodon to distribute Command-and-Control (C2) information: the malware fetches a profile page and reads the C2 address out of the profile description, a technique known as a “dead drop resolver.”
Because the first outbound connection goes to a legitimate, widely used service, the traffic blends in with normal browsing, and the operators can rotate C2 infrastructure simply by editing the profile rather than rebuilding the malware.
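To make the dead-drop pattern concrete from the analyst's side, the following added example (not code from the article, from Vidar, or from StealC) parses a constructed profile page and recovers a URL-shaped string from its description, then applies a simple heuristic to flag addresses that look like C2 rather than ordinary links. The HTML layout, the `og:description` tag, and the 203.0.113.10 address (an RFC 5737 documentation range) are assumptions for the example; the real malware's exact parsing of the bio field is not described on this page.

```python
import html
import ipaddress
import re
from typing import List
from urllib.parse import urlparse

# Constructed stand-in for a social-media profile page whose bio has been
# abused as a dead drop. Tag layout and the embedded address are assumptions
# for this example, not captured Vidar or StealC data.
SAMPLE_PROFILE_HTML = """
<html><head>
<meta property="og:title" content="Fanpage 2025">
<meta property="og:description" content="Daily news and more http://203.0.113.10/  contact: admin">
</head><body>
<div class="page_description">Daily news and more http://203.0.113.10/ contact: admin</div>
</body></html>
"""

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s\"'<>]+")
DESC_RE = re.compile(r'<meta\s+property="og:description"\s+content="([^"]*)"', re.I)


def extract_bio(page_html: str) -> str:
    """Return the profile description (the dead-drop payload), or '' if absent."""
    m = DESC_RE.search(page_html)
    return html.unescape(m.group(1)) if m else ""


def extract_c2_candidates(page_html: str) -> List[str]:
    """Pull URL-shaped strings out of the bio, normalised to scheme://host[:port]/."""
    found = []
    for raw in URL_RE.findall(extract_bio(page_html)):
        raw = raw.rstrip(".,;)")              # strip trailing punctuation from prose
        if raw.lower().startswith("www."):
            raw = "http://" + raw
        parts = urlparse(raw)
        if parts.scheme in ("http", "https") and parts.netloc:
            found.append(f"{parts.scheme}://{parts.netloc}/")
    return list(dict.fromkeys(found))         # de-duplicate, preserve order


def looks_like_dead_drop(url: str) -> bool:
    """Heuristic: a bare IP address or a non-standard port in a profile bio is
    far more typical of a stealer C2 than of a genuine link. Assumption for
    this example; tune it against your own telemetry."""
    parts = urlparse(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return parts.port not in (None, 80, 443)


if __name__ == "__main__":
    for candidate in extract_c2_candidates(SAMPLE_PROFILE_HTML):
        print(candidate, "suspicious" if looks_like_dead_drop(candidate) else "benign-looking")
```

The same logic can be pointed at proxy logs: a process that fetches a profile page on one of these services and, within seconds, opens a connection to a bare IP that appeared nowhere else in the environment is the behavioural signature of a dead-drop resolver, independent of which stealer family is behind it.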
StealC is a newer entrant, first seen in 2023, but it has quickly gained traction thanks to its modular architecture and ease of customization.
Like Vidar, it targets sensitive user data; it also ships with obfuscation intended to evade detection.
Implications for Cybersecurity
The simultaneous release of Vidar 2.0 and StealC 2.0 underscores the continued investment going into info-stealer malware.
The shared codebase complicates attribution and points to either collaboration or code theft within the cybercriminal ecosystem.
Detection content must keep pace. YARA rules that target the shared modules (for example, the cookie-extraction routine reported to be identical in both families) can serve as a starting point, since one rule may then cover infections by either strain.
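As an added illustration of that approach (not a rule published with this article, and not derived from real Vidar or StealC samples), the following script locates byte runs common to two binaries, discards low-entropy filler such as padding, and emits a candidate YARA rule from what remains. The two "samples" are constructed byte strings; the shared sequence inside them is an invented prologue-like fragment standing in for a shared module. The window length, the entropy threshold and the rule name are assumptions for the example.

```python
from typing import List

NGRAM = 16  # minimum length of a run worth keeping; assumption for this example

# Constructed "shared module" fragment and two constructed samples that embed it
# at different offsets among padding bytes. None of this is real stealer code.
SHARED = bytes.fromhex("558bec83ec2053565 78b7d0885ff743a8b450c50e8".replace(" ", ""))
SAMPLE_A = b"MZ" + b"\x90" * 30 + SHARED + b"\xcc" * 40 + b"\x00" * 20
SAMPLE_B = b"MZ" + b"\x00" * 20 + b"\xcc" * 40 + SHARED + b"\x90" * 10


def shared_runs(a: bytes, b: bytes, n: int = NGRAM) -> List[bytes]:
    """Return maximal substrings of b, at least n bytes long, that also occur in a.
    Each hit is extended greedily so every returned run is a genuine common
    substring, longest first. O(len(a) * len(b)); fine for module-sized inputs."""
    runs = []
    i = 0
    while i <= len(b) - n:
        window = b[i:i + n]
        if window in a:
            end = i + n
            while end < len(b) and b[i:end + 1] in a:
                end += 1
            runs.append(b[i:end])
            i = end
        else:
            i += 1
    return sorted(set(runs), key=len, reverse=True)


def is_low_entropy(run: bytes, distinct: int = 4) -> bool:
    """Padding, alignment bytes and zeroed tables are shared by almost every
    binary; a run with fewer than `distinct` byte values is not signature material."""
    return len(set(run)) < distinct


def candidate_strings(a: bytes, b: bytes) -> List[bytes]:
    return [r for r in shared_runs(a, b) if not is_low_entropy(r)]


def build_yara_rule(name: str, runs: List[bytes]) -> str:
    """Render the surviving runs as a YARA rule; 'all of them' because the
    rule is meant to fire on the shared module, not on any single fragment."""
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "Candidate rule built from byte runs shared by two samples"',
             "    strings:"]
    for idx, run in enumerate(runs):
        hexstr = " ".join(f"{byte:02X}" for byte in run)
        lines.append(f"        $s{idx} = {{ {hexstr} }}")
    lines += ["    condition:", "        uint16(0) == 0x5A4D and all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_yara_rule("shared_module_candidate", candidate_strings(SAMPLE_A, SAMPLE_B)))
```

Two caveats before anything produced this way goes into production: run the candidate against a goodware corpus, because statically linked runtime code and compiler stubs are "shared" by unrelated binaries too, and be aware that a rewritten or "morphed" build may not preserve any particular byte sequence, so pair byte-level rules with behavioural detections such as the dead-drop traffic pattern.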
The release of Vidar 2.0 and StealC 2.0 is a notable moment in the evolution of info-stealer malware.
While the updates enhance the capabilities of both families, the discovery of shared code raises open questions about the relationships inside the cybercriminal community.
Organizations should respond by watching for the dead-drop traffic pattern, deploying detection content that targets the shared modules, and treating any stealer infection as a credential and session-token compromise that requires resets.