Vidar Infostealer Spreads via Fake CAPTCHAs, Hides in JPEG and TXT Files
Vidar infostealer spreads via fake CAPTCHAs, hides in JPEG/TXT files using steganography.
Summary
A new variant of the Vidar infostealer malware is spreading through fake CAPTCHA prompts (ClickFix pages) and trojanized GitHub repositories, using multi-stage infection chains with VBScript and PowerShell. The malware hides payloads in JPEG and TXT files via steganography, employs fileless execution techniques using trusted Windows binaries (WScript, PowerShell, RegAsm.exe), and steals data from 200+ browser extensions, crypto wallets, and credentials. Data is exfiltrated via Telegram and Cloudflare-fronted domains to evade detection.
Full text
New version of Vidar infostealer spreads via fake CAPTCHAs, hides in JPEG and TXT files, uses fileless attacks and steals browser and crypto wallet data.
By Deeba Ahmed, April 27, 2026

New research from the Lat61 Threat Intelligence Team at Point Wild reveals that hackers are now hiding malicious code inside everyday files like JPEG images and text documents to deploy a new version of the notorious Vidar infostealer. Vidar has, reportedly, undergone a major transformation, evolving from a simple password-stealer into a highly adaptable attack framework that uses a multi-stage infection chain.

Different ways of tricking users: the latest trend

Researchers note that scammers are now less interested in finding technical gaps and more interested in social engineering. Most prominently, they are exploiting a recent source code leak of Claude Code by setting up fake repositories on GitHub to lure developers into downloading a malicious file, thinking it is the tool's free or unlocked version. Hackers also use Reddit and Discord to offer fake video game cheats, and exploit WordPress websites to display fake CAPTCHA prompts (called ClickFix pages), which encourage users to run a specific command to verify they are human. In reality, that command triggers a multi-stage infection chain.

Lat61's research focuses on this infection chain, which they found starts with VBScript and PowerShell scripts and leads to the deployment of a Go-compiled loader.

"Building on these insights, our analysis shifts focus beyond initial compromise and into the post-exploitation phase, where the true impact of the infection unfolds. This analysis by Point Wild highlights a sophisticated, multi-stage malware campaign that leverages layered obfuscation, staged payload delivery, and trusted Windows components to achieve stealthy execution and persistence," researchers explained in their blog post.
The Hidden Image Attack

What makes the 2026 version of Vidar infostealer more dangerous is its stealth. Once a device is infected, the malware uses an IP-based delivery infrastructure to download files such as '160066.jpg' and various TXT files from the address 62.60.226.200. These normal-looking image and text files are actually payload containers embedding Base64 data.

One of the malicious JPEG images used in the campaign (Image credit: Point Wild)

Additionally, the malware now uses Living-off-the-Land (LotL) techniques, abusing trusted Windows binaries such as WScript, PowerShell, and RegAsm.exe to blend into normal system processes. Through steganography, it scans these files for secret markers to extract the Base64-encoded data, and instead of downloading a separate malware file, it reconstructs the final Vidar payload from this hidden data. Through .NET reflective loading, the code is run directly in the computer's memory. This fileless method is particularly dangerous because the malicious code is never stored on the hard drive, so it avoids detection by most security scanners.

Widespread Data Theft

The final goal is data exfiltration. This version can steal data from 200+ browser extensions on Google Chrome and Microsoft Edge, and specifically targets crypto wallets, login credentials, and session data to give the attackers access to private accounts. The stolen data is sent back to the attackers' server via Telegram and Cloudflare-fronted domains, which helps them hide their tracks.

Attack Chain (Credit: Point Wild)

Dr. Zulfikar Ramzan, head of the Lat61 Threat Intelligence Team, explained that using image files as "covert carriers" is a clever move to make the attack look like normal web traffic. "Threat actors weaponized the recent Claude Code leak by seeding fake GitHub repositories with trojanized tools that delivered Vidar infostealer. What's notable here is the evolution of the payload delivery through steganographic techniques such as using JPEG and TXT files as covert carriers and executing everything in memory to thwart forensics."

If you are a developer or about to become one, avoid running commands without understanding their impact, and avoid downloading files from unofficial GitHub pages or suspicious pop-up prompts.
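A defender-side check for the carrier pattern the article describes (Base64 payload data riding inside JPEG and TXT files). This is an added example, not Point Wild's code: the sample files, the "MZ"-prefixed blob and the "<<marker>>" delimiter are constructed here, since the campaign's real markers are not published in the article. The scanner does not need the markers: for a JPEG it only looks at bytes past the End-Of-Image marker, where a well-formed image has nothing, and for a TXT file it scans the whole content for long Base64 runs that decode to a PE header or a large opaque blob.

```python
import base64
import binascii
import re

# Constructed samples (not from the campaign): a minimal JPEG with a Base64 blob
# appended after the End-Of-Image marker (FF D9), and a TXT "release note" that
# carries the same blob. The decoded blob starts with "MZ" to stand in for an
# embedded PE; "<<marker>>" is a hypothetical delimiter, not the real one.
FAKE_PE = b"MZ" + b"\x90" * 64
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 32 + b"\xff\xd9"
    + b"<<marker>>" + base64.b64encode(FAKE_PE) + b"<<end>>"
)
SAMPLE_TXT = b"Release notes v1.0\n" + base64.b64encode(FAKE_PE) + b"\n"
CLEAN_TXT = b"Nothing to see here, just a short note.\n"

# A run of 40+ Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def trailing_after_eoi(data: bytes) -> bytes:
    """Bytes after the last JPEG EOI marker; a well-formed image has none."""
    idx = data.rfind(b"\xff\xd9")
    return data[idx + 2:] if idx != -1 else b""

def find_embedded_payloads(data: bytes) -> list:
    """Flag long Base64 runs that decode to an MZ header or a large opaque blob.
    For JPEGs (SOI magic FF D8) only the bytes past EOI are examined, so real
    image data cannot trigger a hit; other files (TXT) are scanned in full."""
    region = trailing_after_eoi(data) if data.startswith(b"\xff\xd8") else data
    hits = []
    for m in B64_RUN.finditer(region):
        run = m.group(0)
        try:  # re-pad defensively; reject anything that is not valid Base64
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded[:2] == b"MZ":
            reason = "decodes to PE (MZ) header"
        elif len(decoded) >= 4096:
            reason = "large opaque blob"
        else:
            continue
        hits.append({"offset": m.start(), "size": len(decoded), "reason": reason})
    return hits

if __name__ == "__main__":
    for name, blob in (("sample.jpg", SAMPLE_JPEG), ("notes.txt", SAMPLE_TXT), ("clean.txt", CLEAN_TXT)):
        print(name, find_embedded_payloads(blob) or "clean")
```

The offset reported for a JPEG hit is relative to the first byte after EOI, so a non-empty result on an image is itself a finding worth triaging even when the decoded data is not a PE.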
Indicators of Compromise
- ip — 62.60.226.200
- malware — Vidar infostealer
- malware — ClickFix