ACCORDING to Acronis TRU, hundreds of GitHub repositories offering “free game cheats” deliver malware, including Vidar Stealer 2.0, and the researchers note the true number could be in the thousands. The campaigns start in Discord or Reddit gaming-cheat communities and also spread through Reddit posts promoting a Counter-Strike 2 cheat that leads to a fake website delivering Vidar 2.0.
The campaign uses fake first-stage payloads such as TempSpoofer[.]exe, Monotone[.]exe or CFXBypass[.]exe, disguised as game cheats, which a PowerShell loader converts into .NET executables to evade basic detection. The loader then downloads a second payload and finally the Vidar 2.0 infostealer, which exfiltrates data to C2 servers masked behind Telegram and Steam dead-drop resolvers.
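As an added illustration (not code from the Acronis report), the following defender-side triage script correlates two behaviours described above: PowerShell turning a downloaded "cheat" binary into an in-memory .NET assembly, and a process other than a browser or the Steam client reaching Telegram or Steam hosts that can serve as dead-drop resolvers. The simplified event format, the hostnames, the client allow-list and the command-line patterns are assumptions made for this example and should be tuned to real telemetry.

```python
import re

# Hosts the report names as dead-drop platforms; exact hostnames are an assumption.
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me", "telegram.me"}
# Processes expected to contact those hosts legitimately (assumed allow-list, tune per environment).
EXPECTED_CLIENTS = {"steam.exe", "steamwebhelper.exe", "chrome.exe", "firefox.exe",
                    "msedge.exe", "telegram.exe"}
# Command-line fragments suggesting PowerShell is loading a file as a .NET assembly in memory
# (heuristic assumption for the example, not an indicator taken from the report).
LOADER_PATTERNS = [
    re.compile(r"\[reflection\.assembly\]::load", re.I),
    re.compile(r"readallbytes\(", re.I),
    re.compile(r"\badd-type\b", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}", re.I),
]

# Constructed sample telemetry (simplified Sysmon-like records), not real events.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c $b=[IO.File]::ReadAllBytes('C:\Users\u\Downloads\TempSpoofer.exe');[Reflection.Assembly]::Load($b)"},
    {"type": "network", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "steamcommunity.com"},
    {"type": "network", "pid": 2210, "image": r"C:\Program Files (x86)\Steam\steam.exe", "dest": "steamcommunity.com"},
    {"type": "process_create", "pid": 3300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Process"},
    {"type": "network", "pid": 5050, "image": r"C:\Users\u\AppData\Roaming\updater.exe", "dest": "t.me"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Map pid -> list of reasons; a pid hit by both rules is the strongest signal."""
    findings = {}
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process_create" and img in ("powershell.exe", "pwsh.exe"):
            hits = [p for p in LOADER_PATTERNS if p.search(ev["cmdline"])]
            if len(hits) >= 2:  # two patterns required to reduce noise from ordinary scripts
                findings.setdefault(ev["pid"], []).append("powershell in-memory .NET load")
        elif ev["type"] == "network" and ev["dest"].lower() in DEAD_DROP_HOSTS and img not in EXPECTED_CLIENTS:
            findings.setdefault(ev["pid"], []).append(f"unexpected client contacting {ev['dest']}")
    return findings

def severity(reasons):
    """High when loader behaviour and dead-drop traffic coincide on one process."""
    return "high" if len(set(reasons)) >= 2 else "medium"

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, severity(reasons), reasons)
```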
Vidar 2.0 is described as a stealthier, more powerful infostealer capable of harvesting browser credentials, cookies, autofill data, Azure tokens, cryptocurrency wallets and other sensitive information, with the researchers noting its enhanced obfuscation and anti-analysis features.