{
  "Event": {
    "analysis": "1",
    "date": "2026-04-24",
    "extends_uuid": "",
    "info": "[Threat Intel] \u201cChaos is a ladder\u201d: Vidar\u2019s recent rise to the top",
    "protected": false,
    "publish_timestamp": "1779545941",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545941",
    "uuid": "c459c464-a61a-4a61-a0dd-c0c28dd5ffd0",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Vidar\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#17c030",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"",
        "relationship_type": ""
      },
      {
        "colour": "#cfba47",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4edbe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Information Discovery - T1217\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DNS Calculation - T1568.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#6b4ab5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Manipulation - T1565\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Transfer Size Limits - T1030\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"",
        "relationship_type": ""
      },
      {
        "colour": "#77a4ec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Embedded Payloads - T1027.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#f798db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal from Tools - T1027.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#4f539c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade File Type - T1036.008\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#ec8ba3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Managers - T1555.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Shared Modules - T1129\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777674658",
        "to_ids": false,
        "type": "link",
        "uuid": "33a1022c-f685-4c67-8f1f-22c7cedbaf03",
        "value": "https://www.intrinsec.com/en/chaos-is-a-ladder-vidar-rise-to-the-top/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777674665",
        "to_ids": false,
        "type": "link",
        "uuid": "e3d6e584-5059-46e7-9880-e96a20213519",
        "value": "https://www.intrinsec.com/wp-content/uploads/2026/04/TLP_CLEAR-20260424-New_Vidar.pdf"
      },
      {
        "category": "Network activity",
        "comment": "Vidar dead-drop resolver found on Steam",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767491",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f5e92db9-cfcf-4baf-80cd-599b12ffb705",
        "value": "chi.botick.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Chi.botick.top",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767513",
        "to_ids": true,
        "type": "url",
        "uuid": "319a70f3-7ade-4fa0-836d-b715fbdd0373",
        "value": "https://steamcommunity.com/profiles/7656119",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar dead-drop resolver found on Steam",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767534",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1c5f6548-9915-4031-b5f1-4cd6624ba7de",
        "value": "pre.automanpk.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar dead-drop resolver found on Steam",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767555",
        "to_ids": true,
        "type": "hostname",
        "uuid": "85297566-43de-421f-b39b-d294a07f4689",
        "value": "wto.azl.one",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar dead-drop resolver found on Steam",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767576",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d541cc2c-287e-4998-9f4a-4bf85785a1ad",
        "value": "wto.mir-massage.kiev.ua",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Telegram channel with dead-drop resolver in description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767597",
        "to_ids": true,
        "type": "url",
        "uuid": "15fee905-0165-496d-acb2-cdbc9dfe7da3",
        "value": "t.me/g2trbox",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767618",
        "to_ids": true,
        "type": "domain",
        "uuid": "394db995-6d06-4487-ac41-45493fb96bf7",
        "value": "v-new.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767639",
        "to_ids": true,
        "type": "domain",
        "uuid": "381c2010-fd8c-4050-aacb-86dee65c2fec",
        "value": "vidars.su",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767660",
        "to_ids": true,
        "type": "domain",
        "uuid": "c5d97f3e-0f55-4a91-933b-c73bd8bd8bb7",
        "value": "my-vidar.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767681",
        "to_ids": true,
        "type": "domain",
        "uuid": "95cb542f-b475-4797-9d94-7bb0809d1152",
        "value": "vidmn.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767703",
        "to_ids": true,
        "type": "domain",
        "uuid": "1ee3d294-ceda-4961-b737-9243102adb90",
        "value": "true-v.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767724",
        "to_ids": true,
        "type": "domain",
        "uuid": "7830e21f-2696-4aaf-bdbe-96ed53708aa1",
        "value": "v-tamin.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767745",
        "to_ids": true,
        "type": "domain",
        "uuid": "942d399f-2ccd-47ea-bdb1-6afd5c525335",
        "value": "vidar.su",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767766",
        "to_ids": true,
        "type": "domain",
        "uuid": "d625385c-d059-43ae-9fbc-74f6ef2d3dc9",
        "value": "tech-v.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767787",
        "to_ids": true,
        "type": "domain",
        "uuid": "409db402-185d-4737-9b59-3c323e9d1407",
        "value": "getpi.su",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767808",
        "to_ids": true,
        "type": "domain",
        "uuid": "62b1d86b-bbe3-4ce8-ae41-1f1ea2cb7c74",
        "value": "get-p.buzz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Mail address used to register some Vidar domains",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777674965",
        "to_ids": true,
        "type": "email-src",
        "uuid": "4d1deb48-a4d7-4c84-b49e-5bc3f571eeef",
        "value": "denis@otmail.top"
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767829",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "199f6317-521e-469f-abe4-a5e6c5731ba8",
        "value": "116.203.13.215",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767850",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ec0cf1d0-5e9d-43f3-868b-d961fa5293b9",
        "value": "65.21.58.227",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767871",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f91f5ac1-f5fc-41e8-a000-748e87e6d216",
        "value": "159.69.103.251",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767892",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "44efce80-a401-4f5f-aec1-ace0020b27d3",
        "value": "95.217.233.214",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767914",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ad016194-8032-43fe-87d7-cda6eb988581",
        "value": "213.159.75.95",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767935",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "de070271-d36d-479b-98fd-2157e14fd426",
        "value": "116.202.186.230",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767956",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c6765b24-4754-47f4-82df-f555ecf83d04",
        "value": "91.142.72.234",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767977",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5700f5cb-6e4d-404d-842b-b3bda20ed3b1",
        "value": "193.233.198.22",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767998",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bed2773b-fdd7-4df4-8061-b9ef00aee87a",
        "value": "65.109.242.143",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768020",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5970ad2f-47bb-4d84-885d-13229134ed19",
        "value": "95.216.181.234",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768041",
        "to_ids": true,
        "type": "domain",
        "uuid": "29cd4c50-db63-415b-b401-ec5b8654eed2",
        "value": "grow.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "githab[.]com certificate hash",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777674965",
        "to_ids": true,
        "type": "x509-fingerprint-md5",
        "uuid": "0d366406-fbd6-47f0-9a4f-f7a0cfc121ff",
        "value": "a72f693b77cbaeafea19dc3ac83a5b07"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768063",
        "to_ids": true,
        "type": "domain",
        "uuid": "ea988419-54cd-486c-8778-0b44e4012164",
        "value": "githab.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768084",
        "to_ids": true,
        "type": "hostname",
        "uuid": "be50efbe-7352-486e-a2e7-6911ab45879f",
        "value": "gpu.orca-trade.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Instruction file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768105",
        "to_ids": true,
        "type": "url",
        "uuid": "8bf99438-a7c2-4386-a63b-90e879c38bdb",
        "value": "https://vidars.su/files/instructions/cripto_en.p",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Grow[.]com certificate hash",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777675032",
        "to_ids": true,
        "type": "x509-fingerprint-sha256",
        "uuid": "1c969079-8101-4d1f-b215-54d951e77e9b",
        "value": "d586d192b0d5c050a03698753d9754ec0f5ce0b0791e0c2919a46284bf3b3c14"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768126",
        "to_ids": true,
        "type": "hostname",
        "uuid": "cbdb8c64-7df6-4f41-be3b-8bb4cdb21b7e",
        "value": "gz.technicalprorj.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545929",
        "uuid": "4892f29a-c94e-4813-9743-8f276b07b333",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545929",
            "to_ids": true,
            "type": "md5",
            "uuid": "51f76932-8c7f-446c-8895-4f3d85c318c1",
            "value": "ba20d3b3c04f1b108b2456cf946aec59",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545929",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f416de01-706e-4063-8990-061ed72ebcbc",
            "value": "9b7359509e2cf0c25ae475d599463264ab3cc6b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545929",
            "to_ids": true,
            "type": "sha256",
            "uuid": "78e79be2-b5e3-422e-816b-ab14278e6807",
            "value": "fe5c91162aeefe3d3f4cb6f48e41a5127d3b0499b668ef971e5ef5c6acb6e365",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765684",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "539bf267-d4b0-4e25-ad43-43898999a7aa",
            "value": "49152:w0lzDorb/TUvO90dL3BmAFd4A64nsfJTukY4pk4cE1TTKJhKeIVsHPR79SIfus3I:wuG4YLmv1QRh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765684",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "57d4382a-2a43-4327-a3c3-b700f45de0f7",
            "value": "8462464"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765684",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cfb2af1b-c03b-47c5-88cc-e1f2c723ccc3",
            "value": "1860b76d1555151c051d1az3218&z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765684",
            "to_ids": true,
            "type": "filename",
            "uuid": "5ae94ef9-b3ed-40a3-9aa6-db153e4378a9",
            "value": "oy8t3.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765684",
            "to_ids": false,
            "type": "text",
            "uuid": "9bc4da99-66d7-422c-b98d-c69a280b97db",
            "value": "Vidar stealer\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Vidar.SEB!MTB\nVT Total Detection:50/70\nFirst Submission:2026-01-06T04:18:59.000000+00:00\nLast Submission:2026-01-06T04:18:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545932",
        "uuid": "fb53b29b-cc0e-4e6e-aaba-7fe8919c4e1f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Vidar build recovered from the C2 URL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545931",
            "to_ids": true,
            "type": "md5",
            "uuid": "9fe81571-f88c-4852-92fb-0d4ce1f682a7",
            "value": "27b82c8405d4ea85b7f7588b00edbab5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar build recovered from the C2 URL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545931",
            "to_ids": true,
            "type": "sha1",
            "uuid": "53f86c82-522c-4980-af6a-3bac3cc4bf79",
            "value": "45510adc7d15d237fc574757f34204844a3aea50",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar build recovered from the C2 URL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545932",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ca3ff8de-13ab-41e5-8bca-7dd1d066db9b",
            "value": "9a5824d71ccc9c47291536d633f4d2c3148d455c5db2f3cec656a00ac2ca33c1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765706",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70218023-cc4c-4c60-9282-d2c5ff33c56e",
            "value": "6144:9YFzmhNg2iBIHWSorQOmdSWazo0re736E2SZxCNre4KJRhv1BMQbSf67SEdW:9GmM2iG2SorTVfro36eZxAOJvPS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765706",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b086a2d0-952f-4c9f-8506-c692f8035dfa",
            "value": "326878"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765706",
            "to_ids": true,
            "type": "vhash",
            "uuid": "788e41c8-179d-40e5-8244-0a070450cf3f",
            "value": "676529943961de1158d5e2ee5a67b08f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765706",
            "to_ids": true,
            "type": "filename",
            "uuid": "4f6b808e-eefe-4660-8327-b8ada98b5b05",
            "value": "builder"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765706",
            "to_ids": false,
            "type": "text",
            "uuid": "7ebc57b0-2f0f-466e-86b5-9842294c295f",
            "value": "Vidar build recovered from the C2 URL\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:0/64\nFirst Submission:2025-10-22T06:24:22.000000+00:00\nLast Submission:2025-10-22T06:24:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545935",
        "uuid": "bd11c00f-7d7f-4ee9-bcf3-b6d057fcb3e4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Fake msedge_elf.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545934",
            "to_ids": true,
            "type": "md5",
            "uuid": "00cf5e40-4647-438a-848b-0025e10628d1",
            "value": "4f09669f0c66d1cd4c33e65cdd3bd6ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Fake msedge_elf.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545935",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fe46f761-e7b3-4ed0-845b-64a65a0ba829",
            "value": "404a6f3974ff49f1bda9f658956747577dd5bb2f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Fake msedge_elf.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545935",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e5a0ab6d-9717-4d9a-9f3d-b7d36bf61e74",
            "value": "b21638e6dc0d08386d9ef2fe8f7a0e2dcfcdbbad5ab2cc7c2f773f4d96e9a3e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765728",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4286e1e6-5b9c-44c8-b939-e5e10b4b7668",
            "value": "49152:rRfldIE43uFrAGizchK1bc7/bSVRrq6YMB+m7G6Qvweq+a4azof9JXm2K7qU:Z43yrMVSzSVpq6Y45ewT+avzofK2K7qU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765728",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5d13c1a1-2615-4eeb-bfa3-0ea25be3788e",
            "value": "8443904"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765728",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b2b46a8a-cf0d-42d3-bcbe-7840dbb6e7b3",
            "value": "1861375d1565151c051d1az3118&z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765728",
            "to_ids": true,
            "type": "filename",
            "uuid": "d1bb1acc-44a7-4f0e-b6ef-5fabca341186",
            "value": "b21638e6dc0d08386d9ef2fe8f7a0e2dcfcdbbad5ab2cc7c2f773f4d96e9a3e4.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765728",
            "to_ids": false,
            "type": "text",
            "uuid": "862f0ccd-7588-4f6c-88bf-9c7c8c5b4333",
            "value": "Fake msedge_elf.dll\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Vidar.AHE!MTB\nVT Total Detection:51/70\nFirst Submission:2025-12-05T17:22:24.000000+00:00\nLast Submission:2025-12-06T13:54:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545938",
        "uuid": "67ee74ce-f7d0-4f2c-9675-02753701bfd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545937",
            "to_ids": true,
            "type": "md5",
            "uuid": "7b2ea833-7d76-43c4-aa72-e0fb830791db",
            "value": "af2a22e4283ed141cf5dd1f90ff963da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545937",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7e6b5038-85fd-450b-a5ac-503a35e575fb",
            "value": "fdecf99266fda338817c885fc1c61318243e2b3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545938",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a1d79f76-bde5-4229-85f3-3bc8c1ea1c3e",
            "value": "a8dd417fdac8c47b8c4b0630c3dca337ce4f873cddfbe0d86576734a6bef545b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765750",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "17c50db6-7b30-4a0b-87e4-0392cadda543",
            "value": "12288:0jmytTy/1vcRk1VxCCz4jKAzFZgBghz9JDXynKruuYffY5tvHpn:0CyNyJcRk1Os0KAzFVhbXKKruuYnytv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765750",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "13335ca5-d265-4218-b281-e39749348b0b",
            "value": "613376"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765750",
            "to_ids": true,
            "type": "vhash",
            "uuid": "45324e60-02ea-4082-bfc3-4c3318733ebe",
            "value": "0650466d1d155093z12z5chz23z61zcbz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765750",
            "to_ids": true,
            "type": "filename",
            "uuid": "034f4e39-47b7-4ad6-a073-e2303d60f3ee",
            "value": "ze6p79v0o.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765750",
            "to_ids": false,
            "type": "text",
            "uuid": "22377d91-8ccb-4308-aaf7-60eecbf4eec7",
            "value": "Vidar stealer\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Vidar.ATR!MTB\nVT Total Detection:47/71\nFirst Submission:2026-01-23T13:49:37.000000+00:00\nLast Submission:2026-01-23T13:49:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545940",
        "uuid": "ebd09459-c556-46fd-89eb-693392dae30f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545939",
            "to_ids": true,
            "type": "md5",
            "uuid": "dc6541de-c077-40fb-836b-b5bb1bceeaa8",
            "value": "ad10d666a28650168b3723303a3a0f1d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545940",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8df3ee9b-95cc-4846-870e-a26a119e0bb9",
            "value": "d05bfc44e0a0214a38de55fb6549fc92adde4d7d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar stealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545940",
            "to_ids": true,
            "type": "sha256",
            "uuid": "af74c6e1-162f-456e-968c-d804d399297a",
            "value": "03acfc321b897deee78c9a103e7921334fc97d9fdac944523ae3e95e5e867676",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765772",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3488da42-7a8c-48f5-988e-519f1dcc78f4",
            "value": "12288:2jmytTy/1vcRk1VxCCz4jKAzFZgBghz9JDXynKruuYffY5tvHpn:2CyNyJcRk1Os0KAzFVhbXKKruuYnytv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765772",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8b16c19d-c8b1-4bae-a170-4f2ba122f09f",
            "value": "819712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765772",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a5756d4e-e77f-4b26-bd4b-b52c4b1d3999",
            "value": "0850466d1d555093z12z5chz23z61zcbz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765772",
            "to_ids": true,
            "type": "filename",
            "uuid": "6b82051a-31e6-4167-8e5a-6621553faf72",
            "value": "payload"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765772",
            "to_ids": false,
            "type": "text",
            "uuid": "fed2a4ed-e74d-48f0-8cb9-d1a0357d701c",
            "value": "Vidar stealer\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Vidar.ATR!MTB\nVT Total Detection:54/70\nFirst Submission:2025-10-27T12:15:02.000000+00:00\nLast Submission:2025-10-27T12:15:02.000000+00:00"
          }
        ]
      }
    ]
  }
}