You guys need to look at this because it's genuinely wild how a decade-old tactic still works on modern systems and the implications are huge β€” Vidar malware is being pushed through malvertising campaigns targeting SMB users searching for cracked software, which should tell you everything about who these groups are going after. The campaign uses sites like cracked-windows70.org and getmp3safe.com to serve a fake download wrapper called auto_installer.exe that masquerades as legit tools before dropping two payloads: the Vidar infostealer plus an additional cryptominer running in the background. This isn't just about stolen passwords; every browser password, cookie, autofill entry and crypto wallet key gets scooped up while the miner slowly eats system resources β€” a double hit for data theft AND financial drain on one install. The operation is disciplined enough to use different campaign sites with consistent branding across them all so it looks professional even though it's criminal software being marketed as free tools.

What really bothers me about this story isn't just the threat actors - it's that it works because of a systemic vulnerability in how we handle pirated content and how defenders react to widely known malware families, which Dark Reading has covered before and is worth revisiting here too. The attacker group remains anonymous but they built their own set of branded sites instead of squatting on existing ones so the operation can stay live longer without being taken down quickly by automated takedown notices that often miss new infrastructure. For SMBs this means a single employee downloading "free" software can compromise corporate credentials, session cookies and financial accounts in one move because those are all stored right in their local browser profile. I'd also point you toward the older Dark Reading coverage on Vidar to see how many times the industry has warned about these exact mechanisms over years without much changing at the organizational level β€” check both links out because they explain different layers of why this keeps happening again and again.

Source: https://www.darkreading.com/cyberattacks-data-breaches/vidar-infostealer-smb-malvertising-campaign
Also see: https://www.virustotal.com