Vidar Stealer, an information-stealing malware first identified in 2018, has evolved with a sophisticated new deception technique targeting cybersecurity professionals and system administrators.
This notorious malware, which evolved from the Arkei Trojan, has been continuously adapted to harvest sensitive data including browser cookies, stored credentials, and financial information from compromised systems.
The information stealer operates as Malware-as-a-Service (MaaS), readily available for purchase on dark web marketplaces, allowing cybercriminals with minimal technical expertise to deploy sophisticated attacks.
Recent distribution methods have included malicious email attachments and malvertising campaigns designed to trick users into downloading and executing the payload.
In February 2025, a particularly concerning incident involved the free-to-play game PirateFi released on Steam, which concealed Vidar Stealer within its files, infecting unsuspecting players upon installation.
G Data security researchers identified an unusual Vidar Stealer sample in March 2025 that employed a particularly sophisticated deception technique.
The sample initially showed only five detections on VirusTotal, indicating possible obfuscation or the emergence of a new variant.
What made this discovery particularly concerning was the malware’s disguise as a legitimate Microsoft Sysinternals utility, BGInfo.exe, a widely trusted system administration tool used to display system information on desktop backgrounds.
This latest evolution represents a significant escalation in stealth tactics, as the malware authors specifically targeted tools commonly used by IT professionals and security teams.
By compromising the very utilities that security teams rely on, attackers increase their chances of successful infiltration into enterprise environments where sensitive data is abundant.
Deception technique
The deception technique employed in this Vidar variant reveals remarkable attention to detail.
The malicious file presents itself as a February 2025 update to the legitimate BGInfo utility, complete with an expired Microsoft digital signature.
While the legitimate BGInfo.exe is approximately 2.1 MB in size, the malicious variant is significantly larger at 10.2 MB due to hidden malicious code—a critical indicator that something is amiss.
[Image: file comparison, caption ending "... and the malicious sample (right)" (Source: G Data)]
Upon execution, the malware modifies the initialization routine of BGInfo.exe, specifically altering the process heap handling for future memory allocations and redirecting execution to its malicious function.
This clever manipulation ensures the file runs malicious code instead of the expected BGInfo functionality.
A telling sign of compromise is that the infected version fails to update the desktop wallpaper—a key feature of the legitimate tool.
Technical analysis reveals that the malware employs VirtualAlloc to create virtual memory space for the next stage of its execution.
This allocated memory eventually contains evidence of the payload, with strings like “input.exe” and the MZ header (0x4D 0x5A) visible in memory.
Dumping this binary reveals the core Vidar Stealer component, with a compilation date of February 3, 2025.
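The indicators described above (an oversized host binary, a second MZ/PE header sitting inside the allocated region, the "input.exe" marker string, and the COFF compile timestamp of the carved stage) can be checked mechanically. The following is an added example written for this article, not G Data's analysis tooling and not code from the Sysinternals project; it builds a constructed, hypothetical image (a small PE-shaped host with a second PE-shaped blob hidden in its tail) rather than using any real sample bytes, then runs a triage pass over it the way one would over a file or a memory dump.

```python
"""Triage helpers for a suspected trojanised utility (added example; constructed data only).

Checks, on a file image or a process-memory dump:
  * the outer image size against the expected size of the legitimate binary,
  * every embedded MZ/PE header (a second PE inside the first is the hidden stage),
  * the COFF TimeDateStamp of each header (the "compilation date"),
  * a marker string such as "input.exe" anywhere in the buffer.
"""
import struct
from datetime import datetime, timezone

PE_SIG = b"PE\x00\x00"
MARKER = b"input.exe"  # string reported in the allocated memory region


def build_pe(timestamp: int, body: bytes = b"") -> bytes:
    """Build a minimal PE-shaped blob: DOS header, e_lfanew -> COFF header, then body.
    This is constructed test data, not a loadable executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #              NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0002)
    return bytes(dos) + coff + body


def find_pe_headers(buf: bytes) -> list[tuple[int, datetime]]:
    """Return (offset, compile_time) for each 'MZ' whose e_lfanew lands on a valid 'PE\\0\\0'."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and buf[pe:pe + 4] == PE_SIG and pe + 24 <= len(buf):
                # TimeDateStamp sits 8 bytes after the signature (after Machine and NumberOfSections)
                ts = struct.unpack_from("<I", buf, pe + 8)[0]
                found.append((pos, datetime.fromtimestamp(ts, tz=timezone.utc)))
        pos = buf.find(b"MZ", pos + 1)
    return found


def carve(buf: bytes, offset: int) -> bytes:
    """Dump the embedded image starting at `offset`, up to the next embedded header or end of buffer."""
    later = [o for o, _ in find_pe_headers(buf) if o > offset]
    end = later[0] if later else len(buf)
    return buf[offset:end]


def triage(buf: bytes, expected_size: int, tolerance: float = 0.10) -> list[str]:
    """Return human-readable indicators; an empty list means nothing suspicious was seen."""
    indicators = []
    if len(buf) > expected_size * (1 + tolerance):
        indicators.append(f"size {len(buf)} exceeds expected {expected_size} by more than {tolerance:.0%}")
    headers = find_pe_headers(buf)
    for off, when in headers[1:]:  # headers[0] is the outer image itself
        indicators.append(f"embedded PE at offset {off:#x}, compiled {when:%Y-%m-%d}")
    m = buf.find(MARKER)
    if m != -1:
        indicators.append(f"marker string {MARKER.decode()!r} at offset {m:#x}")
    return indicators


def constructed_sample() -> bytes:
    """A decoy host PE with a second PE hidden in its tail (constructed test data).
    The inner timestamp is set to the date the article reports for the dumped stage."""
    inner_ts = int(datetime(2025, 2, 3, tzinfo=timezone.utc).timestamp())
    inner = build_pe(inner_ts, b"\x90" * 64 + MARKER + b"\x00")
    outer_ts = int(datetime(2024, 11, 1, tzinfo=timezone.utc).timestamp())
    return build_pe(outer_ts, b"\xCC" * 256 + inner)


if __name__ == "__main__":
    image = constructed_sample()
    for line in triage(image, expected_size=len(image) // 2):
        print(line)
    stage = carve(image, find_pe_headers(image)[1][0])
    print(f"carved {len(stage)} bytes starting with {stage[:2]!r}")
```

Against a real memory dump the same `find_pe_headers` and `carve` calls apply unchanged; `expected_size` would be the size of the known-good BGInfo.exe, and a hit on any of the three indicators is a reason to pull the file for full analysis rather than a verdict on its own.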
The malware’s sophisticated masquerading as a trusted administrative tool highlights the evolving tactics of threat actors who increasingly target the tools and software trusted by cybersecurity professionals themselves.
Organizations are advised to implement rigorous verification processes for all software updates, even for trusted utilities, and to monitor for anomalous system behavior, particularly when administrative tools fail to function as expected.