Beware of ‘Free’ Game Cheats: Vidar 2.0 Infostealer Lurks on GitHub and Reddit

The allure of a digital advantage in popular online games like Fortnite or Counter-Strike is a powerful draw for many players. The promise of ‘free’ cheats, offering everything from enhanced aiming to revealing enemy locations, can be incredibly tempting. However, a recent cybersecurity alert from Acronis TRU highlights a disturbing trend: these seemingly generous offers are often a sophisticated trap, leading unsuspecting gamers into the clutches of a dangerous information-stealing malware known as Vidar 2.0.

The Deceptive Lure of Fake Game Cheats

Cybercriminals are employing a multi-pronged strategy, leveraging popular platforms like GitHub and Reddit to distribute this malicious software. The modus operandi is disturbingly effective. Hackers create visually appealing, professionally designed pages on GitHub, often featuring enticing descriptions and graphics related to game cheats. These pages are then promoted through social media channels such as Discord and Reddit, specifically targeting gamers who are actively seeking ways to gain an edge.

The core of the deception lies in the installation process. These fake cheat programs typically require users to disable their antivirus software to function. This is a critical red flag that many gamers, eager for an advantage, overlook. The reasoning provided by the malware creators is that cheat software needs to bypass game security systems, and thus, it naturally mimics the behavior of viruses. By convincing users to disable their defenses, the attackers effectively disarm their targets, granting the malware unfettered access to their systems.

This campaign appears to be particularly adept at preying on younger gamers. These individuals may lack the disposable income for legitimate in-game purchases or premium subscriptions, making the ‘free’ cheat offer even more attractive. Furthermore, the inherent embarrassment associated with admitting to using cheats, especially if caught, creates a powerful deterrent against reporting such incidents. This silence allows the malware to operate undetected for extended periods, maximizing the damage.

Acronis researchers have uncovered hundreds of these malicious pages, but they strongly suspect the true number is significantly higher, potentially reaching into the thousands. The attackers are not merely relying on simple file drops; they employ advanced techniques. For instance, they utilize PowerShell scripts to quietly install the malware, making it harder for standard security scans to detect. To ensure persistence, the malware is configured to launch automatically every time the user logs into their computer. In a further display of its sophistication, Vidar 2.0 is programmed to detect and refuse execution if it identifies a virtual environment typically used by security researchers to analyze malware, demonstrating a deliberate effort to evade detection.
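The two behaviours described above, antivirus being switched off before installation and an entry that relaunches the payload at every logon, are both things an administrator can check for without any knowledge of the specific sample. The following PowerShell audit is an added example and is not code from the article or from Acronis TRU: it reports the Microsoft Defender real-time protection state and exclusions, then lists the common logon persistence locations (Run/RunOnce keys, Startup folders, logon-triggered scheduled tasks) and flags entries that point into user-writable directories or invoke PowerShell with hidden or encoded arguments. The cmdlets are standard Windows ones; the flagging heuristics are illustrative assumptions, not indicators tied to Vidar 2.0.

```powershell
# Added defender-side audit (not from the article). Run in an elevated
# PowerShell session on the machine being checked.

# 1. Antivirus state: the lure asks victims to disable this.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    DisableRealtimeMonitoring = $prefs.DisableRealtimeMonitoring
    ExclusionPaths            = ($prefs.ExclusionPath -join '; ')
} | Format-List

# 2. Logon persistence locations.
$entries = @()

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... metadata that Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*') {
                $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logon) {
        foreach ($a in $task.Actions) {
            $entries += [pscustomobject]@{
                Source  = "ScheduledTask $($task.TaskPath)"
                Name    = $task.TaskName
                Command = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# 3. Illustrative heuristics (assumptions, not Vidar-specific indicators):
#    payloads dropped by a downloaded 'cheat' commonly live in user-writable
#    paths, and installers that use PowerShell often hide the window or
#    pass an encoded command.
$userWritable = '\\AppData\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|\\Public\\'
$psSuspicious = '(?i)powershell.*(-enc|-e |-w(indowstyle)? hidden|-nop|bypass)'

$entries | ForEach-Object {
    $flags = @()
    if ($_.Command -match $userWritable) { $flags += 'user-writable path' }
    if ($_.Command -match $psSuspicious) { $flags += 'hidden/encoded PowerShell' }
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ', ') -PassThru
} | Sort-Object -Property Flags -Descending | Format-Table -AutoSize -Wrap
```

Entries with a non-empty Flags column deserve a closer look (file hash, signing status, creation time relative to the cheat download); legitimate software does sometimes start from AppData, so the flags are a triage aid, not a verdict.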

Vidar 2.0: An Evolved Threat in the Malware Landscape

The recent surge in Vidar 2.0’s activity is not accidental. Cybersecurity research, shared exclusively with outlets like Hackread.com, reveals that this infostealer has undergone a significant technical overhaul. Its core programming language has been transitioned from C++ to C, a change that has resulted in a substantial increase in its speed and stealth capabilities. This rewrite makes it more efficient at exfiltrating data and harder for security software to identify its malicious patterns.

Vidar itself is not a new player in the cybercrime arena; it has been in circulation since 2018. However, its current prominence can be attributed to the recent disruption of its main competitors, Lumma and Rhadamanthys. The shutdown of these rival infostealers has seemingly created a vacuum, allowing Vidar 2.0 to capture a larger share of the illicit malware market. This phenomenon is often observed in the cybercrime ecosystem, where the removal of key players can lead to the resurgence of others.

Vidar operates on a Malware-as-a-Service (MaaS) model. This means that the developers of the malware lease it out to other criminals, who then use it for their own malicious purposes. The pricing for accessing Vidar 2.0 ranges from approximately $130 to $750, a relatively accessible price point for aspiring cybercriminals looking to profit from stolen data. This MaaS model democratizes access to sophisticated malware, lowering the barrier to entry for cybercrime.

The Extensive Reach of Vidar 2.0’s Data Theft

The capabilities of Vidar 2.0 extend far beyond simple credential harvesting. This evolved infostealer is designed to pilfer a wide array of sensitive information from compromised systems. Its targets include:

  • Cryptocurrency Wallets: Vidar 2.0 actively seeks out and attempts to steal funds from cryptocurrency wallets, with a particular focus on Monero, a privacy-focused digital currency.
  • Login Tokens: It is adept at stealing session tokens and login credentials for popular online services. This includes platforms like Discord, Steam, and Telegram, granting attackers access to user accounts and potentially sensitive communications.
  • Cloud Storage and Professional Tools: The malware also hunts for valuable data within Microsoft Azure cloud storage folders. Furthermore, it targets files associated with professional software, suggesting an interest in intellectual property or sensitive business information.
  • Browser Data: Like many infostealers, Vidar 2.0 is designed to extract saved passwords, cookies, and browsing history from various web browsers, providing attackers with a comprehensive profile of the victim’s online activities.
