
MEDIUM Vulnerabilities SC Media

Vidar infostealer evolves, uses image files for stealthy attacks

  • What: Vidar infostealer now uses image files for stealthy attacks
  • Impact: Developers and users may be targeted through fake GitHub repositories and compromised websites

Malware, Security Operations

Vidar infostealer evolves, uses image files for stealthy attacks

April 28, 2026 | By SC Staff

Per HackRead, hackers are embedding malicious code within everyday files like JPEG images and text documents to deploy a new version of the Vidar infostealer. The malware has transformed from a simple password stealer into an adaptable attack framework that uses a multi-stage infection chain.

The latest Vidar campaign relies on social engineering, exploiting a recent Claude Code leak by setting up fake GitHub repositories. Developers are lured into downloading trojanized versions of the tool. Attackers also use Reddit, Discord, and compromised WordPress sites to trick users into running malicious commands disguised as game cheats or CAPTCHA verifications.

The infection chain begins with VBScript and PowerShell, leading to a Go-compiled loader. The malware uses steganography to hide Base64-encoded data within seemingly normal JPEG and TXT files, reconstructing the Vidar payload in memory. It employs living-off-the-land techniques, abusing Windows binaries like WScript and PowerShell for stealth. This fileless approach evades most security scanners. The infostealer targets credentials, crypto wallets, and session data from over 200 browser extensions, exfiltrating the stolen information via Telegram and Cloudflare-fronted domains to conceal attacker activity.

Source: HackRead

Related

  • Threat Management: GlassWorm attackers activate new ‘sleeper’ extensions on Open VSX (Laura French, April 28, 2026). A new cluster of 73 extensions impersonating legitimate projects has been tied to the GlassWorm campaign.
  • Malware: Tropic Trooper targets Chinese speakers with SumatraPDF trojan and VS Code tunnels (SC Staff, April 27, 2026). The campaign, attributed with high confidence to the persistent threat group Tropic Trooper, utilizes a custom AdaptixC2 Beacon listener with GitHub as its command-and-control platform, according to Zscaler ThreatLabz.
  • Malware: Fast16 malware: Pre-Stuxnet sabotage tool discovered (SC Staff, April 27, 2026). Fast16, referenced in a 2005 ShadowBrokers leak of NSA tools, utilized a Lua 5.0 virtual machine embedded within a service binary, "svcmgmt.exe," which controlled a kernel driver named "fast16.sys."