Vidar Stealer, an information-stealing malware first identified in 2018, has evolved with a new deception technique aimed at cybersecurity professionals and system administrators. In March 2025, G Data security researchers identified an unusual Vidar Stealer sample disguised as a legitimate Microsoft Sysinternals utility, BGInfo.exe, a widely trusted system administration tool that displays system information on the desktop background. The malware's masquerading as a trusted administrative tool highlights the evolving tactics of threat actors who increasingly target the tools and software trusted by cybersecurity professionals themselves.

The malicious file presents itself as a February 2025 update to the legitimate BGInfo utility, complete with an expired Microsoft digital signature. While the legitimate BGInfo.exe is approximately 2.1 MB in size, the malicious variant is significantly larger at 10.2 MB because of the hidden malicious code, a first indicator that something is amiss. Upon execution, the malware modifies the initialization routine of BGInfo.exe, altering the process heap handling used for future memory allocations and redirecting execution to its malicious function. Technical analysis shows that the malware then uses VirtualAlloc to create the virtual memory space for the next stage of its execution. Dumping this next-stage binary reveals the core Vidar Stealer component, with a compilation date of February 3, 2025. The deception technique employed in this variant reveals remarkable attention to detail.

Vidar, which evolved from the Arkei Trojan, has been continuously adapted to harvest sensitive data including browser cookies, stored credentials, and financial information from compromised systems. It operates as Malware-as-a-Service (MaaS), readily available for purchase on dark web marketplaces, which allows cybercriminals with minimal technical expertise to deploy sophisticated attacks. This latest evolution represents a significant escalation in stealth tactics, as the malware authors specifically targeted tools commonly used by IT professionals and security teams. By compromising the very utilities that security teams rely on, attackers increase their chances of infiltrating enterprise environments where sensitive data is abundant. In February 2025, a separate incident involved the free-to-play game PirateFi released on Steam, which concealed Vidar Stealer within its files and infected unsuspecting players upon installation.

Organizations are advised to implement rigorous verification processes for all software updates, even for trusted utilities, and to monitor for anomalous system behavior, particularly when administrative tools fail to function as expected.
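One way to put the article's advice about verifying updates to trusted utilities into practice, as an added PowerShell example (not from the article or from G Data): a pre-execution check of a purported BGInfo.exe that flags the size discrepancy and the signature problems the analysis describes. The 2.1 MB baseline, the 1.5x size tolerance and the Microsoft subject pattern are assumptions for illustration; a real deployment would compare against hashes taken from a known-good copy.

```powershell
# Added example: sanity-check a purported Sysinternals binary before running it.
param(
    [Parameter(Mandatory)] [string] $Path,
    [long] $ExpectedSizeBytes = 2.1MB   # assumed baseline for the legitimate BGInfo.exe
)

$findings = @()
$file = Get-Item -LiteralPath $Path

# 1. Size check. The sample in the article was 10.2 MB against a ~2.1 MB original;
#    1.5x is an assumed tolerance for legitimate version-to-version growth.
if ($file.Length -gt ($ExpectedSizeBytes * 1.5)) {
    $findings += "Size {0:N1} MB exceeds baseline {1:N1} MB" -f ($file.Length / 1MB), ($ExpectedSizeBytes / 1MB)
}

# 2. Authenticode check. The chain must validate, the signer must be Microsoft, and an
#    expired signing certificate is acceptable only with a timestamp countersignature.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    $findings += "Signer is not Microsoft: $($sig.SignerCertificate.Subject)"
}
if ($sig.SignerCertificate -and $sig.SignerCertificate.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
    $findings += "Signing certificate expired $($sig.SignerCertificate.NotAfter) with no timestamp countersignature"
}

# 3. Record the SHA-256 so it can be compared with the vendor's published value
#    or checked against a reputation service before the file is trusted.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path ($hash) matches baseline size and carries a valid Microsoft signature"
} else {
    Write-Output "SUSPICIOUS: $Path ($hash)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it as `.\Check-SysinternalsBinary.ps1 -Path C:\Tools\BGInfo.exe`; any finding means the file should be quarantined and compared against a copy downloaded directly from Microsoft rather than executed.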
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 15:05:14 +0000