“Vidar” Malware Is Being Hidden in 15+ Windows Apps. (It’s Designed to Steal Your Logins).

CYBERDUDEBIVASH

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

 Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.


CISO Briefing: “Vidar” Malware Is Hiding in 15+ “Trusted” Windows Apps. (It’s Designed to Bypass Your EDR & Steal Your Logins). — by CyberDudeBivash

By CyberDudeBivash · 01 Nov 2025 · cyberdudebivash.com · Intel on cyberbivash.blogspot.com


INFOSTEALER • EDR BYPASS • SUPPLY CHAIN ATTACK • T1553.002

Situation: This is a CISO-level PostMortem on a *critical* defensive failure. APTs (Advanced Persistent Threats) are distributing the “Vidar” Infostealer by *Trojanizing* 15+ “trusted” Windows apps (like PuTTY, Slack, WinSCP). This malware is code-signed, *bypassing* your EDR (Endpoint Detection and Response) and deploying fileless backdoors.

This is a decision-grade CISO brief. This is the “Trusted Process” bypass. Your EDR is *designed* to “trust” digitally signed binaries. Attackers are *exploiting this trust* by 1) Stealing keys from legitimate software vendors, or 2) Registering fake “shell” companies to *buy* their own valid certificates. Your AV is useless. Your EDR is blind.

TL;DR — Attackers are using *signed executables* to bypass your EDR and steal all logins.

  • The TTP: “Subvert Trust Controls: Code Signing” (T1553.002). An APT (like UNC6384) uses Malvertising in Teams/Google to push a *Trojanized, code-signed* `putty.exe`.
  • The “EDR Bypass”: Your EDR agent scans the file, sees a *valid signature* from a “trusted” Certificate Authority (CA), and *whitelists* it.
  • The Kill Chain: Phish (Malvertising) → User runs `setup.exe` (Signed Malware) → EDR *allows* it → `setup.exe` (Fileless Loader) injects Vidar Infostealer into memory.
  • The Impact: Session Hijacking (MFA Bypass), Crypto Wallet Theft, Data Exfiltration, and Ransomware.
  • THE ACTION: 1) HARDEN: You *must* use Application Control (WDAC/AppLocker) to create an *allowlist* of *known-good publishers*. 2) HUNT: This is the mandate. You *must* hunt for *anomalous publishers* and *post-breach behaviors*.

TTP Factbox: “Vidar” (Code-Signed) Infostealer

| TTP | Component | Severity | Exploitability | Mitigation |
|---|---|---|---|---|
| T1553.002 (Code Signing) | Signed Binary (`.exe`, `.dll`) | Critical | Bypasses EDR/AV Whitelisting | AppLocker / WDAC / MDR |
| T1555.003 (Infostealer) | Browser/Wallet Database | Critical | Fileless (In-Memory) | MDR (Hunting) / SessionShield |

Tags: Critical Data Breach · EDR Bypass TTP · MFA Bypass TTP

Contents

  1. Phase 1: The “Trust” Exploit (Why Your EDR is Obsolete)
  2. Phase 2: The Kill Chain (From “Trusted” EXE to Ransomware)
  3. Exploit Chain (Engineering)
  4. Reproduction & Lab Setup (Safe)
  5. Detection & Hunting Playbook (The *New* SOC Mandate)
  6. Mitigation & Hardening (The CISO Mandate)
  7. Audit Validation (Blue-Team)
  8. Tools We Recommend (Partner Links)
  9. CyberDudeBivash Services & Apps
  10. FAQ
  11. Timeline & Credits
  12. References

Phase 1: The “Trust” Exploit (Why Your EDR is Obsolete)

As a CISO, you’ve spent millions on a “Next-Gen” EDR (Endpoint Detection and Response) stack. Your vendor promised “AI-powered protection.” Yet, this attack bypasses it completely. Why?

It’s because this attack *never uses a “virus”*. It’s a “Living off the Trusted Land” (LotL) attack that exploits your EDR’s *trust*.

1. The “Malvertising” Lure (Teams / Google)

An APT (like UNC6384) registers a shell company in a low-regulation jurisdiction: “SecureTools LLC.” They *legitimately apply for* and *buy* a $500 EV Code-Signing certificate from a *trusted* Certificate Authority (CA) like Sectigo or DigiCert. This certificate is *100% valid*.
They buy ads on Google or *inside Microsoft Teams* for “PuTTY Download” or “WinSCP Update”.

2. The “Trusted Trojan” (The “Bypass”)

The attacker wraps their “Vidar” Infostealer in a simple `setup.exe` installer. They *sign* this malware with their *valid* “SecureTools LLC” certificate.

Your user (a SysAdmin or Developer) clicks the ad and runs `setup.exe`.

Your EDR (e.g., Kaspersky, CrowdStrike) scans the file. It sees *no known malware signature*. It checks the *publisher*. It sees a *valid, trusted signature* chained up to a *Global Root CA*.

Your EDR *whitelists* the process. It *allows* it to run. It’s “trusted.”

Phase 2: The Kill Chain (From “Trusted” EXE to Ransomware)

This is a CISO PostMortem because the kill chain is *devastatingly* fast and *invisible* to traditional tools.

Stage 1: Initial Access (The Malvertising)

Your sysadmin, *inside Teams*, searches for “PuTTY” and clicks the first “Promoted” ad. They download the *signed* `putty_setup.exe`.

Stage 2: Defense Evasion (The “EDR Bypass”)

The user runs `putty_setup.exe`.
This is the EDR Bypass. Your EDR *allows* `putty_setup.exe` to run *because it is signed by a “trusted” publisher*.
The `putty_setup.exe` is a “loader.” It *decrypts* the *real* payload (the Vidar Infostealer) *into its own memory*.

Stage 3: C2 & Collection (The “Infosteal”)

Your EDR is now 100% blind. The *malicious code* is running *inside* the “trusted” `putty_setup.exe` process.
This process *scrapes* the entire user profile for:

  • All `chrome://settings/passwords` (incl. personal bank, corporate logins)
  • All `chrome://settings/payments` (all corporate/personal credit cards)
  • All *active session cookies* for M365, Salesforce, Google, etc. (This is the MFA Bypass!)
  • All developer *secrets* (e.g., `~/.aws/credentials`, `~/.ssh/id_rsa`, `.env` files)
  • All *crypto wallets* (`wallet.dat`).

It then makes a “trusted” HTTPS connection to an attacker’s C2 server and exfiltrates this data.

Stage 4: Data Exfiltration & Ransomware

The attacker now has your *admin’s* M365 session and AWS keys. They *log in as the admin*, pivot to your Domain Controller, and deploy ransomware. Game over.

Exploit Chain (Engineering)

This is a “Subvert Trust Controls” TTP (T1553.002). The “exploit” is a *logic* flaw in your EDR Whitelisting policy.

  • Trigger: User clicks a malicious link from Malvertising (Teams, Google).
  • Precondition: EDR/AV is configured to *automatically trust* all binaries with a *valid, signed* certificate.
  • Sink (The Breach): `setup.exe` (Signed by “SecureTools LLC”) → EDR *allows* → `setup.exe` *decrypts/loads* Vidar Infostealer *in-memory*.
  • Module/Build: `setup.exe` (Signed Loader) → `powershell.exe -e …` (Lateral Movement)
  • Patch Delta: There is no “patch.” The “fix” is Application Control (WDAC) to *only* allow *your* known publishers.

Reproduction & Lab Setup (Safe)

You *must* test your EDR’s visibility for this TTP.

  • Harness/Target: A sandboxed Windows 11 VM with your standard EDR agent installed.
  • Test: 1) Use any *legitimate, signed* but *uncommon* installer for a tool (e.g., a free text editor). 2) Use your EDR console to watch what happens when it runs.
  • Result: Did your EDR fire a P1 (Critical) alert? Or did it *silently allow* it because it was signed? If it was silent, *your EDR is blind* to this TTP.
  • Service Note: This is a *basic* test. Our Red Team will *use this exact TTP* with a *real* C2 beacon to prove your EDR is blind.
    Book an Adversary Simulation (Red Team) →

Detection & Hunting Playbook (The *New* SOC Mandate)

Your SOC *must* hunt for this. Your SIEM/EDR is blind to the exploit itself; it can *only* see the *result*. This is your playbook.

  • Hunt TTP 1 (The #1 IOC): “Anomalous Publisher.” This is your P1 alert. You *must* hunt for *new and rare* publishers in your environment.

    ```sql
    -- EDR / SIEM Hunt Query (Pseudocode): rarest publishers first
    SELECT process_name, publisher, count(*) AS hits
    FROM process_events
    WHERE publisher NOT IN ('Microsoft Corporation', 'Google LLC', 'Kaspersky Lab', '[Your Corp Name]')
    GROUP BY publisher, process_name
    ORDER BY hits ASC
    ```
  • Hunt TTP 2 (The C2): “Show me all *network connections* from *any signed process* (like `setup.exe`) to a *newly-registered domain* or *anomalous IP*.”
  • Hunt TTP 3 (The Pivot): “Show me a *signed process* (like `setup.exe`) *spawning* `powershell.exe` or `cmd.exe`.” This is *always* suspicious.
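The three hunts above as working detection logic, run over a handful of constructed process and network events. This is an added example, not a query from the original post or from any EDR vendor; the field names (`host`, `process`, `parent`, `publisher`, `signed`, `domain`, `domain_age_days`) are assumptions about what a SIEM export would carry, and `domain_age_days` assumes you enrich connections with WHOIS/RDAP registration dates. The allowlist mirrors the publishers named in the pseudocode query.

```python
"""Hunt TTPs 1-3 from the playbook, run over constructed sample telemetry.

Added example, not the post's own query or any vendor's schema. Field names are
assumptions about what an EDR/SIEM export would carry."""
from collections import defaultdict

KNOWN_GOOD_PUBLISHERS = {"Microsoft Corporation", "Google LLC", "Kaspersky Lab", "Your Corp Name"}
SHELLS = {"powershell.exe", "cmd.exe"}


def ev(host, process, parent, publisher, signed=True):
    """Build one process-creation record (constructed sample, not real telemetry)."""
    return {"host": host, "process": process, "parent": parent,
            "publisher": publisher, "signed": signed}


# Constructed process-creation events. "SecureTools LLC" is the post's
# hypothetical shell-company publisher; "Example Tools GmbH" is a common,
# legitimately unusual vendor present on several hosts for contrast.
PROCESS_EVENTS = [
    ev("ws-01", "explorer.exe", "userinit.exe", "Microsoft Corporation"),
    ev("ws-01", "chrome.exe", "explorer.exe", "Google LLC"),
    ev("ws-02", "explorer.exe", "userinit.exe", "Microsoft Corporation"),
    ev("ws-02", "cmd.exe", "explorer.exe", "Microsoft Corporation"),   # benign: allowlisted parent
    ev("ws-03", "tools.exe", "explorer.exe", "Example Tools GmbH"),
    ev("ws-04", "tools.exe", "explorer.exe", "Example Tools GmbH"),
    ev("ws-05", "tools.exe", "explorer.exe", "Example Tools GmbH"),
    ev("ws-07", "chrome.exe", "explorer.exe", "Google LLC"),
    ev("ws-07", "putty_setup.exe", "chrome.exe", "SecureTools LLC"),  # validly signed trojan
    ev("ws-07", "powershell.exe", "putty_setup.exe", "Microsoft Corporation"),
]

# Constructed network events; domain_age_days comes from registration-date enrichment.
NETWORK_EVENTS = [
    {"host": "ws-01", "process": "chrome.exe", "domain": "www.example.com", "domain_age_days": 9000},
    {"host": "ws-07", "process": "putty_setup.exe", "domain": "updates-securetools.example", "domain_age_days": 3},
]


def rare_publishers(events, known_good=KNOWN_GOOD_PUBLISHERS):
    """Hunt TTP 1: signed, non-allowlisted publishers ranked by how few hosts run them."""
    hosts = defaultdict(set)
    for e in events:
        if e["signed"] and e["publisher"] not in known_good:
            hosts[e["publisher"]].add(e["host"])
    return sorted(((pub, len(h)) for pub, h in hosts.items()), key=lambda x: (x[1], x[0]))


def signed_to_young_domain(net_events, proc_events, max_age_days=30):
    """Hunt TTP 2: signed processes connecting to newly registered domains."""
    signed = {(e["host"], e["process"]) for e in proc_events if e["signed"]}
    return [(n["host"], n["process"], n["domain"]) for n in net_events
            if (n["host"], n["process"]) in signed and n["domain_age_days"] <= max_age_days]


def signed_spawning_shell(events, known_good=KNOWN_GOOD_PUBLISHERS):
    """Hunt TTP 3: a signed process outside the allowlist spawning powershell/cmd.

    The post flags any signed parent; allowlisted parents (explorer.exe opening
    cmd.exe for a user) are excluded here so the hunt does not drown in noise."""
    by_key = {(e["host"], e["process"]): e for e in events}
    hits = []
    for e in events:
        if e["process"].lower() not in SHELLS:
            continue
        parent = by_key.get((e["host"], e["parent"]))
        if parent and parent["signed"] and parent["publisher"] not in known_good:
            hits.append((e["host"], parent["process"], e["process"]))
    return hits


def run_hunts():
    """Run all three hunts over the constructed sample and return the hits."""
    return {"rare_publishers": rare_publishers(PROCESS_EVENTS),
            "c2_candidates": signed_to_young_domain(NETWORK_EVENTS, PROCESS_EVENTS),
            "shell_spawns": signed_spawning_shell(PROCESS_EVENTS)}


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(f"{hunt}: {hits}")
```

On the sample, all three hunts converge on the same host and process (`ws-07`, `putty_setup.exe`): one host, a three-day-old domain, and a shell child. That overlap is the signal worth paging on; a rare publisher on its own is a lead to triage, not a P1 by itself.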

Mitigation & Hardening (The CISO Mandate)

This is a DevSecOps and Zero-Trust failure. This is the fix.

  • 1. HARDEN (The *Real* Fix): This is your CISO mandate. Application Control (WDAC/AppLocker). You *must* move from a “blocklist” (what’s bad) to an “allowlist” (what’s *known good*). Create a GPO that *only* allows *your* known-good publishers (e.g., “Microsoft,” “Google,” “Cisco”). This *kills* the “SecureTools LLC” TTP, as it’s *not* on your list.
  • 2. HUNT (The “MDR” Fix): You *cannot* run a 9-to-5 SOC. You *must* have a 24/7 human-led MDR team (like ours) to hunt for the *behavioral* TTPs (like Hunt TTP 1) that your EDR will log but *not* alert on.
  • 3. TRAIN (The “Human” Fix): Train your employees (with Edureka) to *distrust* all installers, *even if* they look “safe.”

Audit Validation (Blue-Team)

Run this *today*. This is not a “patch”; it’s an *audit*.

```powershell
# 1. Audit your "Publisher" logs (Hunt TTP 1)
# Do you *have* this telemetry? If not, your EDR is misconfigured.

# 2. Audit your AppLocker/WDAC policy
Get-AppLockerPolicy -Effective -Xml > policy.xml
# Now, *read the policy*. Is it in "Enforce" mode, or "Audit" (useless) mode?
# Does it *only* allow *your* trusted publishers?
```

If your policy is not in “Enforce” mode, you are *vulnerable*. Call our team.
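A script that answers the two audit questions above, and checks the allowlist the Mitigation section calls for, by parsing the XML that `Get-AppLockerPolicy -Effective -Xml` exports. This is an added example, not the post's own code; the AppLocker schema it reads (`RuleCollection`, `EnforcementMode`, `FilePublisherRule`, `FilePublisherCondition`) is real, while `POLICY_XML` is a constructed sample with placeholder GUIDs that deliberately contains the failure modes the post warns about: an `AuditOnly` Exe collection, a wildcard publisher rule that trusts *any* signed code, and a path rule. `EXPECTED_PUBLISHERS` stands in for your own known-good list.

```python
"""Audit an exported AppLocker policy for enforcement mode and publisher allowlist.

Added example, not the post's own code. Reads the output of
`Get-AppLockerPolicy -Effective -Xml > policy.xml`; POLICY_XML is a constructed
sample in that schema (rule Ids are placeholder GUIDs)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: Exe collection only in AuditOnly, with a wildcard publisher
# rule and a path rule; Script collection enforced with a proper allowlist.
POLICY_XML = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Allow all signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000004" Name="Allow Microsoft scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Stand-in for your organisation's known-good publisher list (assumption).
EXPECTED_PUBLISHERS = {"MICROSOFT CORPORATION", "GOOGLE LLC"}


def _org(publisher_dn):
    """Return the O= component of an AppLocker PublisherName DN, upper-cased."""
    for part in publisher_dn.split(","):
        part = part.strip()
        if part.upper().startswith("O="):
            return part[2:].strip().upper()
    return publisher_dn.strip().upper()


def audit_policy(xml_text, expected_publishers):
    """Per rule collection: enforcement mode, allowed publishers, and findings."""
    expected = {p.upper() for p in expected_publishers}
    report = {}
    for coll in ET.fromstring(xml_text).findall("RuleCollection"):
        ctype = coll.get("Type")
        mode = coll.get("EnforcementMode", "NotConfigured")
        entry = {"mode": mode, "enforced": mode == "Enabled",
                 "allowed_publishers": [], "findings": []}
        if mode != "Enabled":  # AuditOnly / NotConfigured block nothing
            entry["findings"].append(f"{ctype}: EnforcementMode is {mode}, not Enabled")
        for rule in coll:
            if rule.get("Action") != "Allow":
                continue
            if rule.tag != "FilePublisherRule":
                entry["findings"].append(f"{ctype}: '{rule.get('Name')}' is a {rule.tag} (not publisher-based)")
                continue
            for cond in rule.iter("FilePublisherCondition"):
                name = cond.get("PublisherName", "")
                if name == "*":  # trusts every validly signed binary: the SecureTools LLC case
                    entry["findings"].append(f"{ctype}: '{rule.get('Name')}' allows any signed publisher")
                    continue
                org = _org(name)
                entry["allowed_publishers"].append(org)
                if org not in expected:
                    entry["findings"].append(f"{ctype}: '{rule.get('Name')}' allows unexpected publisher {org}")
        report[ctype] = entry
    return report


def is_compliant(report):
    """True only if every collection is enforced and has no findings."""
    return all(e["enforced"] and not e["findings"] for e in report.values())


if __name__ == "__main__":
    # Usage: python audit_applocker.py policy.xml   (no argument: audit the sample)
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else POLICY_XML
    result = audit_policy(text, EXPECTED_PUBLISHERS)
    for ctype, entry in result.items():
        print(f"[{ctype}] mode={entry['mode']} publishers={entry['allowed_publishers']}")
        for finding in entry["findings"]:
            print("   -", finding)
    print("COMPLIANT" if is_compliant(result) else "NOT COMPLIANT")
```

Against the sample the script reports the Exe collection as not enforced and calls out both the wildcard publisher rule and the path rule; only the Script collection passes. Note that WDAC policies use a different (binary or XML) format and are not covered by this parser.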

Is Your EDR Blind to “Trusted” Malware?
Your EDR is whitelisted. Your SOC is asleep. CyberDudeBivash is the leader in Ransomware Defense. We are offering a Free 30-Minute Ransomware Readiness Assessment to show you the *exact* gaps in your “Trusted Process” and “Fileless Malware” defenses.

Book Your FREE 30-Min Assessment Now →

Recommended by CyberDudeBivash (Partner Links)

You need a layered defense. Here’s our vetted stack for this specific threat.

Kaspersky EDR
This is your *sensor*. It’s the #1 tool for providing the behavioral telemetry (process chains, network data, *publisher info*) that your *human* MDR team needs to hunt.
Edureka — DevSecOps Training
Train your SOC team *now* on Windows Hardening (WDAC) and Threat Hunting TTPs.
TurboVPN
Secure your admin access. Your RDP/SSH access for *your admins* should be locked down.

Alibaba Cloud (VDI)
A key mitigation. Use Virtual Desktops (VDI). If the VDI is popped, you *burn it* and re-image in seconds. The host is safe.
AliExpress (Hardware Keys)
*Mandate* this for all Domain Admins. Get FIDO2/YubiKey-compatible keys. They stop the *initial phish* from succeeding.
Rewardful
Run a bug bounty program. Pay white-hats to find flaws *before* APTs do.

CyberDudeBivash Services & Apps

We don’t just report on these threats. We hunt them. We are the “human-in-the-loop” that your automated EDR is missing.

  • Managed Detection & Response (MDR): This is the *solution*. Our 24/7 SOC team becomes your Threat Hunters, watching your EDR logs for these *exact* “Anomalous Publisher” TTPs.
  • Adversary Simulation (Red Team): This is the *proof*. We will *simulate* this EDR bypass kill chain to show you where you are blind.
  • Emergency Incident Response (IR): You found this TTP? Call us. Our 24/7 team will hunt the attacker and eradicate them.
  • PhishRadar AI — Stops the phishing attacks that *initiate* the breach.
  • SessionShield — Protects your *admin sessions* from the *credential theft* that happens after this breach.


FAQ

Q: What is a “Code Signing” Attack?
A: It’s an EDR bypass TTP. An attacker “signs” their malware with a *valid* (but stolen or fraudulently obtained) digital certificate. Your EDR/AV is *whitelisted* to “trust” all signed code, so it *allows* the malware to run without inspection. The “trusted” process then runs a fileless payload in memory.

Q: My EDR has “AI.” Am I safe?
A: No. Not automatically. Your AI is only as good as its configuration. If it’s configured to “trust all signed executables,” it will *miss this*. This attack is designed to *exploit* that trust. You *must* have a *human* MDR team hunting for the *behavioral* anomalies.

Q: How do I hunt for this?
A: You need a behavioral EDR (like Kaspersky). The #1 hunt query is: “Show me all *new* or *rare* ‘Publisher’ names in my environment.” Your *second* query is: “Show me any *signed process* (like `setup.exe`) spawning `powershell.exe`.”

Q: What’s the #1 action to take *today*?
A: HARDEN. Deploy Windows Defender Application Control (WDAC) or AppLocker, even in *Audit Mode* first. You *must* move to an “allowlist” model that only trusts *your* known publishers (Microsoft, Google, Adobe, etc.), not *all* publishers.

Timeline & Credits

This “Trusted Publisher” TTP (T1553.002) is an active, ongoing campaign by multiple APTs.
Credit: This analysis is based on active Incident Response engagements by the CyberDudeBivash threat hunting team.

References

Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. These are tools we use and trust. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberdudebivash.com · cyberbivash.blogspot.com · cryptobivash.code.blog

#CodeSigning #EDRBypass #APT #Ransomware #FilelessMalware #LotL #CyberDudeBivash #IncidentResponse #MDR #ThreatHunting #CISO #Vidar
