Threat actors are leveraging malvertising campaigns to deliver Vidar infostealer to small and medium-sized businesses. The operation uses deceptive advertisements promoting cracked or pirated software as entry points, bundling Vidar with cryptomining malware in a dual-payload attack.

Vidar functions as an infostealer, capable of harvesting credentials, browser data, cryptocurrency wallet information, and other sensitive files from infected systems. The addition of cryptomining capabilities means compromised machines experience both data exfiltration and resource consumption. SMBs face a compounded threat. They lose sensitive business data and employee credentials while their hardware degrades under the computational burden of unwanted cryptocurrency mining operations.

The attack chain relies on social engineering. Employees searching for cost-saving software solutions encounter malicious advertisements appearing legitimate. These ads redirect victims to download trojaned installers bundling both Vidar and the cryptomining component. Once executed, the malware establishes persistence and begins operating in the background.

The targeting of SMBs reflects a deliberate business model choice by the financially motivated operators. Smaller organizations typically maintain fewer security layers than enterprises. They employ fewer security analysts, run less mature endpoint detection systems, and often lack robust network monitoring. This makes SMBs profitable targets despite handling smaller datasets individually.

Organizations should block known malvertising domains and implement DNS filtering to prevent access to compromised advertising networks. Endpoint detection and response tools should monitor for Vidar's characteristic file enumeration patterns and registry modifications. Network monitoring should flag outbound connections to known cryptomining pools.

Employee security training proving effective here involves teaching staff to distrust software sourced outside official channels and app stores. Legitimate software vendors distribute through official websites or authorized resellers, never through suspicious advertisements. Browser security extensions blocking malicious ads provide an additional defensive layer.

The Vidar infostealer