{
  "Event": {
    "analysis": "1",
    "date": "2026-05-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Vidar v1.5 in Go: same family, new language, heavy sandbox checks",
    "protected": false,
    "publish_timestamp": "1779596382",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779596381",
    "uuid": "086035cf-56d1-42da-82a8-35dfa8c0e324",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Vidar\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159619",
        "to_ids": false,
        "type": "link",
        "uuid": "f1bb2f8f-261b-4c80-abb1-c8e10b899756",
        "value": "https://www.derp.ca/research/vidar-go-sandbox-dead-drop/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159619",
        "to_ids": false,
        "type": "text",
        "uuid": "d85ca433-4c90-4afe-912f-49bb2e3072cf",
        "value": "Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159619",
        "to_ids": false,
        "type": "text",
        "uuid": "f51d73a8-7ac8-4575-87cf-dac0861c7a46",
        "value": "Name: Vidar v1.5 in Go: same family, new language, heavy sandbox checks\nAuthor: AlienVault\nAdversary: \nTags: [\"vidar\", \"infostealer\", \"telegram\", \"av kill\", \"sandbox\", \"win64\", \"steam\", \"botnet\", \".net\", \"crypto\"]\nTgtd countries: []\nMlwr families: [\"Vidar\"]\nAttack_ids: [\"T1497\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596195",
        "to_ids": true,
        "type": "url",
        "uuid": "9a72adc0-74b2-437c-9cd7-e4c5b10a26a2",
        "value": "http://149.154.167.99:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593251",
        "to_ids": true,
        "type": "md5",
        "uuid": "11f93dbb-4a4c-451b-a4df-68f13c9cb272",
        "value": "702ef1b4007f07887e9faaee0667b50b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596216",
        "to_ids": true,
        "type": "url",
        "uuid": "71d6f1e1-9957-4478-946d-7c86fdfbe2fb",
        "value": "http://135.181.237.59:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596236",
        "to_ids": true,
        "type": "url",
        "uuid": "28bb19c9-863d-4ee3-b624-be342191f00a",
        "value": "http://142.250.151.94:80",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779589562",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "999454a4-35b1-4b57-bf74-8a99de77c724",
        "value": "135.181.237.59|443"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596258",
        "to_ids": true,
        "type": "url",
        "uuid": "20d23a7d-345c-46de-8261-fc67db7024a5",
        "value": "https://telegram.me/hgo9tx",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596278",
        "to_ids": true,
        "type": "url",
        "uuid": "cfc16d4a-7cc9-47f8-a1c5-50ffa1097786",
        "value": "https://steamcommunity.com/profiles/76561198707628078",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779589562",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "b23dbff3-3626-43f7-aa03-5cbdb46a680c",
        "value": "149.154.167.99|443"
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779589562",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "1e241c13-00fb-4950-a32a-e9a34d8c8dcc",
        "value": "2.22.96.50|443"
      },
      {
        "category": "Network activity",
        "comment": "On port 80",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779589562",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "ab8d7a56-2b77-44c7-a1fd-d70050a9eeb2",
        "value": "142.250.151.94|80"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779596299",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cefc8914-a6b5-47bc-b6b0-29ba1d1bffa0",
        "value": "135.181.237.59",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779589562",
        "to_ids": false,
        "type": "AS",
        "uuid": "4604d44b-f710-41ed-9367-9dcbbde70a7f",
        "value": "24940"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779596321",
        "uuid": "c34c3d41-a883-4d9a-9285-774d22dfbe54",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:GoLandBuildPE\nIOC-description:MD5 of 488d2dd8768e3b804179e7f0cdcebd0a7eec52b3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779596321",
            "to_ids": true,
            "type": "md5",
            "uuid": "26dafb9a-33b6-40dc-8313-1036c2bba70b",
            "value": "87332fcdf79e1c0bfb7713e9a52c0313",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:GoLandBuildPE\nIOC-description:MD5 of 488d2dd8768e3b804179e7f0cdcebd0a7eec52b3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593249",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c363ec5-60b0-4708-8b0a-321297d0b13d",
            "value": "488d2dd8768e3b804179e7f0cdcebd0a7eec52b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:GoLandBuildPE\nIOC-description:MD5 of 488d2dd8768e3b804179e7f0cdcebd0a7eec52b3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593249",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1e3c0c61-62e7-476a-82cd-8bf8f2e96596",
            "value": "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779592781",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4f33bb3-0f9c-4080-bd49-2cb74e00c87a",
            "value": "49152:BL9XdcpMpduRjtE2nUWPkCaO3OeoXYH0LQcgV8O2K/8:BBJv84QF8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779592781",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d16c5c4d-400c-4d5a-a609-ea02ebccb2c1",
            "value": "7211168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779592781",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f328c07b-f271-44e2-b890-180182b75610",
            "value": "076086656d15551d15545az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779592781",
            "to_ids": true,
            "type": "filename",
            "uuid": "556779dd-0d7b-4cd3-8959-fda98d0e17f8",
            "value": "vidar_go.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan: 23/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779592781",
            "to_ids": false,
            "type": "text",
            "uuid": "f9606ab7-542b-4003-ad3f-ba83d82a133f",
            "value": "IOC-title:GoLandBuildPE\nIOC-description:MD5 of 488d2dd8768e3b804179e7f0cdcebd0a7eec52b3\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection:49/71\nFirst Submission:2026-05-10T05:59:52.000000+00:00\nLast Submission:2026-05-19T05:25:52.000000+00:00"
          }
        ]
      }
    ]
  }
}