The Evolution of ClickFix: From Cleartext to Server Side Polymorphism

The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.

Pulse ID: 6a0d971608b49dfc89267777
Pulse Link: https://otx.alienvault.com/pulse/6a0d971608b49dfc89267777
Pulse Author: AlienVault
Created: 2026-05-20 11:12:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberSecurity #Encryption #ICS #InfoSec #InfoStealer #OTX #OpenThreatExchange #PowerShell #RAT #Vidar #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Exposing Fox Tempest: A malware-signing service operation

Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.

Pulse ID: 6a0ca3690196d40952527b96
Pulse Link: https://otx.alienvault.com/pulse/6a0ca3690196d40952527b96
Pulse Author: AlienVault
Created: 2026-05-19 17:52:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #Cloud #CyberSecurity #Education #Government #Healthcare #InfoSec #LummaStealer #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #Rhysida #Vidar #bot #AlienVault


Vidar v1.5 in Go: same family, new language, heavy sandbox checks

Pulse ID: 6a0bf42ce58cd13d0e923a48
Pulse Link: https://otx.alienvault.com/pulse/6a0bf42ce58cd13d0e923a48
Pulse Author: Tr1sa111
Created: 2026-05-19 05:25:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #Tr1sa111


Vidar v1.5 in Go: same family, new language, heavy sandbox checks

Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE with a twelve-category sandbox scoring system, dead-drop C2 via Telegram and Steam profile pages, and enough crypto primitives to make a librarian blush.

Pulse ID: 6a0b62751c0e2c5b056102a8
Pulse Link: https://otx.alienvault.com/pulse/6a0b62751c0e2c5b056102a8
Pulse Author: AlienVault
Created: 2026-05-18 19:03:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #InfoSec #InfoStealer #NET #OTX #OpenThreatExchange #Steam #Telegram #Vidar #bot #AlienVault


⚠️ Overall RAT activity cooled down last week, with #AsyncRAT, #XWorm, and #Remcos all declining, while stealers like #Vidar and #Stealc continued to grow.

📌 Trend to watch: this points to a shift toward credential access and large-scale delivery activity. For defenders, that usually means higher alert volume, broader exposure, and more pressure on early-stage triage.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=180526&utm_content=linktoenterprise
#cybersecurity

Vidar Infostealer Exploits Browser Cookies to Steal User Credentials

Pulse ID: 6a09a06adc722e44b1afa4cc
Pulse Link: https://otx.alienvault.com/pulse/6a09a06adc722e44b1afa4cc
Pulse Author: cryptocti
Created: 2026-05-17 11:03:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #Vidar #bot #cryptocti


New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials

Pulse ID: 6a0952a57e16da067219eda8
Pulse Link: https://otx.alienvault.com/pulse/6a0952a57e16da067219eda8
Pulse Author: cryptocti
Created: 2026-05-17 05:31:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Vidar #bot #cryptocti


Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

Pulse ID: 6a02ae6f8736a6b944d7d662
Pulse Link: https://otx.alienvault.com/pulse/6a02ae6f8736a6b944d7d662
Pulse Author: Tr1sa111
Created: 2026-05-12 04:37:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #Tr1sa111


Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

A sophisticated multi-stage infection chain was identified through proactive threat hunting, beginning with the execution of MicrosoftToolkit.exe, a commonly abused hack tool. The attack employed file masquerading techniques, renaming a .dot file to .bat format to evade detection. The malware performed process discovery and attempted to terminate security-related processes before extracting payloads using extract32.exe. An AutoIt-compiled executable (Replies.scr) functioned as a loader, processing an external encrypted payload file and establishing command-and-control communication with infrastructure associated with Vidar Stealer. The malware demonstrated advanced anti-analysis capabilities, including debugger detection and instrumentation callback queries. It targeted credentials, browser data, cryptocurrency wallets, and system information. Post-execution cleanup routines deleted artifacts and terminated processes to minimize forensic evidence and evade detection, significantly complicating incident res...

Pulse ID: 6a01c2382e61b490cfa457e4
Pulse Link: https://otx.alienvault.com/pulse/6a01c2382e61b490cfa457e4
Pulse Author: AlienVault
Created: 2026-05-11 11:49:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Browser #CyberSecurity #InfoSec #Malware #Microsoft #Nim #OTX #OpenThreatExchange #RAT #Vidar #bot #cryptocurrency #AlienVault


Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

Pulse ID: 6a01c03c55b2d8cb451efc11
Pulse Link: https://otx.alienvault.com/pulse/6a01c03c55b2d8cb451efc11
Pulse Author: CyberHunter_NL
Created: 2026-05-11 11:40:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #CyberHunter_NL
