Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 29/03/2022

29th of March 2022 - Winners of the 13th week: NjRAT, Redline and Emotet.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 29/03/2022

Distribution: TLP:WHITE

What's new?

Vidar (NC)

A new phishing campaign exploiting help files distributes Vidar spyware.

According to a #Trustwave blog post, a new malicious email campaign is underway that spreads the #Vidar spyware through what appears to be a Microsoft Compiled HTML Help file. First observed in the wild in late 2018, Vidar is a variant of the #Arkei infostealer according to the cloud security vendor #Infoblox. The spyware is sold on online forums.

The campaign uses a novel technique involving Microsoft Compiled #HTML Help files. These help files, which carry the "CHM" extension, are packaged in an ISO together with the Vidar payload in a Word document. The "CHM" file is mainly a copy of a legitimate CHM file, but it also contains #HTML Application code that silently executes the payload.
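As an added example (not from the briefing, Trustwave or the Vidar analysis), a small Python triage heuristic for the CHM-in-ISO lure described above: it recognises an ISO 9660 attachment by its primary volume descriptor and looks for a CHM file header at sector boundaries inside the image. The sample image and all function names are constructed for this illustration.

```python
"""Mail-attachment triage heuristic for the CHM-in-ISO lure (constructed example).

Magic-byte checks only: a renamed, encrypted or nested archive would need
further unpacking before this heuristic applies.
"""
ISO_SECTOR = 2048
ISO_PVD_OFFSET = 16 * ISO_SECTOR   # primary volume descriptor sits in sector 16
ISO_MAGIC = b"CD001"                # standard identifier at PVD offset 1
CHM_MAGIC = b"ITSF"                 # header of Microsoft Compiled HTML Help files


def is_iso_image(data: bytes) -> bool:
    """ISO 9660: descriptor type 0x01 followed by 'CD001' at the start of sector 16."""
    pvd = data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6]
    return len(pvd) == 6 and pvd[0] == 0x01 and pvd[1:6] == ISO_MAGIC


def find_chm_offsets(data: bytes) -> list:
    """File extents in ISO 9660 start on 2048-byte sector boundaries, so a CHM
    stored in the image shows its 'ITSF' header at some sector start."""
    return [off for off in range(0, len(data), ISO_SECTOR)
            if data[off:off + 4] == CHM_MAGIC]


def triage_attachment(name: str, data: bytes) -> dict:
    """Verdict for one attachment: bare CHM, or ISO carrying a CHM (the lure)."""
    verdict = {"name": name, "iso": False, "chm_offsets": [], "suspicious": False}
    if data[:4] == CHM_MAGIC:
        verdict["chm_offsets"] = [0]
        verdict["suspicious"] = True      # help files are rare as mail attachments
    elif is_iso_image(data):
        verdict["iso"] = True
        verdict["chm_offsets"] = find_chm_offsets(data)
        verdict["suspicious"] = bool(verdict["chm_offsets"])  # CHM inside ISO
    return verdict


def build_sample_iso() -> bytes:
    """Constructed test image: valid PVD in sector 16, CHM header in sector 20."""
    image = bytearray(24 * ISO_SECTOR)
    image[ISO_PVD_OFFSET] = 0x01
    image[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    chm_start = 20 * ISO_SECTOR
    image[chm_start:chm_start + 4] = CHM_MAGIC
    return bytes(image)


if __name__ == "__main__":
    print(triage_attachment("invoice.iso", build_sample_iso()))
```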

The version used in this campaign is 50.3; it synchronizes with its #C2 servers, which are hosted on the Mastodon social network. Once installed and launched on the machine, the malware retrieves its configuration file from #Mastodon, and the spyware's work begins: it collects system information and password data from browsers and other applications, sends this data as a #ZIP file to the C2 server, and then deletes itself from the compromised host. Other malware may be downloaded to the targeted machine.

https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html#tk.rss_all
