04 May 2022

Beware of Vidar Spyware Masquerading within Microsoft

WAMS, Inc.News  

Security analysts have identified the Vidar malware as the payload in a phishing campaign that exploits Microsoft help files. Diana Lopera, researcher for Trustwave, announced on March 24, 2022 that the actors are concealing Vidar in Microsoft Compiled HTML Help (CHM) files to prevent anti-malware applications from detecting it.

Vidar is spyware written in C++ that cybercriminals can purchase on the dark web. It’s an information stealer that harvests user data from a Windows computer, including credit card and cryptocurrency accounts. Malicious actors typically deploy Vidar with phishing and spam campaigns, although researchers have also observed them distributing it through the Fallout exploit kit and PrivateLoader pay-per-install dropper.

The sophistication of phishing email campaigns varies greatly, from generic messages sent to many addresses at once to those that are highly targeted towards a particular victim. In all cases, the goal is to entice the victim into clicking on a link or attachment that will result in downloading and installing the malware on the victim’s computer.

Actors are always looking for new ways to infect host systems. Some of the most recent methods include appending botnets to email messages within a targeted organization. Actors are also propagating malware with QR codes and XLL files, which are add-in files for Microsoft Excel.

Technical Details

The email campaign that actors are using to distribute Vidar is comparatively crude, according to Trustwave. The message contains a generic subject line and an attachment named “request.doc” that’s actually an ISO disk image. This image contains two files: a CHM file and an executable named app.exe.

The practice of naming a file with an extension that differs from the file’s actual format has been in use for decades. However, the specific use of renamed ISO files has been relatively rare until recently. One of the earliest large-scale uses of this technique occurred in 2019, when Trend Micro observed actors using ISO files as containers for malware such as LokiBot and NanoCore.

The CHM format is a proprietary format that Microsoft uses to store online documentation. It includes HTML pages, navigation tools and an index that are stored in compressed form. Microsoft’s applications normally use the CHM format for online extension files, typically help files. However, attackers can also use the Microsoft Help Viewer (hh.exe) to load malicious CHM files.

When hh.exe unpacks such a file, a JavaScript snippet executes app.exe without notifying the user. This action executes the Vidar payload, which connects to a command-and-control (C2) server controlled by the attackers. Vidar then uses Mastodon, an open-source multi-platform social networking system, to search the host computer for certain user profiles to locate the addresses for the attacker’s C2 servers. Mastodon extracts these addresses from the bio sections of the profiles, allowing Vidar to configure itself and begin harvesting user data. Vidar can also download and execute additional malware payloads.


Minimizing the risk of infection by Vidar requires that you never assume an attached file is in the format implied by its name. While you should always be cautious of email with attachments, this practice is especially important when you receive such an email from an unexpected source. In particular, you should never open an attachment from an untrusted source until you’ve independently verified the sender’s identity and email address. Ongoing training is also essential for organizations to ensure their staff remains aware of the latest phishing techniques. A secure email gateway that prevents phishing attacks from ever reaching inboxes may also be recommended, especially for organizations that attackers are specifically targeting.
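The advice above, and the “request.doc” attachment described under Technical Details, can be turned into an automated check that compares a file's extension with its leading magic bytes. The following Python sketch is an added example, not code from Trustwave or from this article; the extension policy in `EXPECTED` and the helper names are assumptions, and the sample file is constructed.

```python
import os
import tempfile

# (offset, magic bytes, format name) for the formats named in the article,
# plus the OLE2 container that a genuine legacy .doc file uses.
SIGNATURES = [
    (0x8001, b"CD001", "iso9660"),                     # ISO 9660 volume descriptor
    (0, b"ITSF", "chm"),                               # Compiled HTML Help
    (0, b"MZ", "pe"),                                  # Windows executable
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office container
]

# Formats each extension may legitimately contain (assumed policy for this sketch).
EXPECTED = {".doc": {"ole2"}, ".iso": {"iso9660"}, ".chm": {"chm"}, ".exe": {"pe"}}


def sniff_format(path):
    """Return the format name detected from magic bytes, or None if unknown."""
    with open(path, "rb") as fh:
        for offset, magic, name in SIGNATURES:
            fh.seek(offset)
            if fh.read(len(magic)) == magic:
                return name
    return None


def check_attachment(path):
    """Return (verdict, detected); verdict is 'ok', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    detected = sniff_format(path)
    if detected is None or ext not in EXPECTED:
        return "unknown", detected
    return ("ok" if detected in EXPECTED[ext] else "mismatch"), detected


def make_sample(directory, name, offset, magic):
    """Write a constructed sample: zero padding with the magic bytes at offset."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"\x00" * offset + magic + b"\x00" * 16)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an ISO image renamed to request.doc.
        fake_doc = make_sample(tmp, "request.doc", 0x8001, b"CD001")
        print(os.path.basename(fake_doc), check_attachment(fake_doc))
```

A `mismatch` verdict is a reason to quarantine the attachment for review; `unknown` only means the sketch has no signature or policy for that file.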


We hope you found this article helpful in detecting and preventing Vidar Spyware. If you’re still unsure of the warning signs of spyware, feel free to contact our team of experts by emailing info@wamsinc.com or calling (800) 421-7151.
