Hundreds of GitHub repositories seemingly offering “free game cheats” deliver malware, including the Vidar infostealer, Acronis Threat Research Unit (TRU) has found.
While the identified malicious repositories already target “virtually every major online game title,” the researchers estimate that the true number “could be in the thousands,” they warned in a report published on March 17.
They also found Reddit posts mentioning and promoting a game cheat for Counter-Strike 2 leading to a fake website that encourages the user to download and install Vidar 2.0.
The campaigns delivering the infostealer start, like most typical cheat campaigns, in Discord chat rooms or Reddit communities dedicated to cheating in specific online games, said Acronis TRU.
“In their simplest form, campaigns take the shape of an offer for a ‘free’ cheating tool,” the researchers wrote.
The targeted users make “the perfect victims” because they are deliberately looking for software that operates outside legitimate channels. They expect that software to behave in ways that trigger security warnings, and they have a strong incentive not to report any suspicious activity to authorities.
Moreover, the researchers noted that cheats typically require deep system access, so users are already primed to grant elevated privileges and disable protections, which makes it easier for malicious actors to get malware past traditional defenses.
GitHub Repository Distribution Chain
Several fake GitHub repositories identified by the researchers distribute the Vidar 2.0 infostealer variant masquerading as game cheats or hardware ID (HWID) ban bypass tools.
In this campaign, the victim is lured into downloading an executable named TempSpoofer.exe, Monotone.exe or CFXBypass.exe.
These first-stage payloads, disguised as game cheats, are PowerShell scripts wrapped into .NET executables with PS2EXE, which lets them slip past basic script-based detections while appearing to be ordinary applications.
The PowerShell loader then executes a multi-stage infection process:
- Defender evasion: adds an exclusion to Windows Defender for an attacker-controlled directory, preventing scanning of subsequent malicious payloads
- Command-and-control (C2) communication: retrieves a secondary payload URL from a hard-coded Pastebin link, which points to a GitHub-hosted executable
- Payload delivery: creates a hidden directory in %AppData%, adds it to Defender’s exclusion list, and downloads background.exe (a Themida-packed Vidar Stealer 2.0).
- Execution and privilege escalation: checks that the download is a valid executable (MZ header check), hides it from the user, and attempts to elevate privileges via runas
- Persistence: establishes a scheduled task (SystemBackgroundUpdate) to run at logon with elevated privileges
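The loader chain above leaves a recognizable trail in Windows telemetry: a Defender exclusion pointing at a user-writable directory, a logon-triggered scheduled task that runs with the highest available privileges from that same directory, and a dead-drop lookup (Pastebin, Telegram, Steam) from a process in a download location. The following detection logic is an added example written for this page, not code from Acronis or from the report. The sample records are constructed approximations of Windows Defender event 5007 (configuration change), Security event 4698 (scheduled task created) and Sysmon event 22 (DNS query); the field wording is invented for the example, and the task name and paths echo the indicators described above rather than any real telemetry.

```python
"""Detect the Defender-exclusion / logon-task / dead-drop pattern described above.

Added example. Event records are constructed stand-ins for Defender 5007,
Security 4698 and Sysmon 22 messages, not real log output.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


# Directories a low-privilege user can write to; a Defender exclusion or an
# elevated logon task rooted here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)", re.IGNORECASE)

# Dead-drop resolver hosts named in the report (Pastebin, Telegram, Steam).
DEAD_DROP_HOSTS = ("pastebin.com", "telegram.me", "t.me", "steamcommunity.com")

# Constructed sample events (invented for this example).
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\.cache = 0x0"},
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Contoso\Scanner = 0x0"},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4698,
     "message": r"Task Name: \SystemBackgroundUpdate Task Content: <LogonTrigger/><RunLevel>HighestAvailable</RunLevel><Command>C:\Users\alice\AppData\Roaming\.cache\background.exe</Command>"},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4698,
     "message": r"Task Name: \Contoso\Updater Task Content: <CalendarTrigger/><RunLevel>LeastPrivilege</RunLevel><Command>C:\Program Files\Contoso\update.exe</Command>"},
    {"provider": "Microsoft-Windows-Sysmon", "id": 22,
     "message": r"Dns query: QueryName: pastebin.com Image: C:\Users\alice\Downloads\TempSpoofer.exe"},
]


def check_defender_exclusion(ev):
    """Defender 5007: a new path exclusion rooted in a user-writable directory."""
    if ev["id"] != 5007 or "Exclusions\\Paths\\" not in ev["message"]:
        return None
    path = ev["message"].split("Exclusions\\Paths\\", 1)[1].split(" = ")[0]
    if USER_WRITABLE.search(path):
        return Finding("defender_exclusion_user_path", "high", path)
    return None


def check_scheduled_task(ev):
    """Security 4698: logon trigger + highest privileges + binary in a user-writable directory."""
    if ev["id"] != 4698:
        return None
    msg = ev["message"]
    name = re.search(r"Task Name: (\S+)", msg)
    cmd = re.search(r"<Command>(.*?)</Command>", msg)
    command = cmd.group(1) if cmd else ""
    if "<LogonTrigger" in msg and "HighestAvailable" in msg and USER_WRITABLE.search(command):
        return Finding("logon_task_elevated_user_path", "high",
                       f"{name.group(1) if name else '?'} -> {command}")
    return None


def check_dead_drop_dns(ev):
    """Sysmon 22: a download-folder process resolving one of the dead-drop hosts."""
    if ev["id"] != 22:
        return None
    q = re.search(r"QueryName: (\S+)", ev["message"])
    img = re.search(r"Image: (\S+)", ev["message"])
    if not (q and img):
        return None
    host = q.group(1).lower()
    if any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS) and USER_WRITABLE.search(img.group(1)):
        return Finding("dead_drop_lookup_from_user_path", "medium", f"{img.group(1)} -> {host}")
    return None


def correlate(findings):
    """Escalate when the excluded directory is the one the logon task launches from."""
    excluded = {f.detail.lower().rstrip("\\") for f in findings if f.rule == "defender_exclusion_user_path"}
    chain = []
    for f in findings:
        if f.rule == "logon_task_elevated_user_path":
            command = f.detail.split(" -> ", 1)[1]
            directory = command.rsplit("\\", 1)[0].lower()
            if directory in excluded:
                chain.append(Finding("excluded_dir_launched_at_logon", "critical", directory))
    return findings + chain


def triage(events):
    """Run every per-event rule, then the cross-event correlation."""
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_scheduled_task, check_dead_drop_dns):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return correlate(findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The per-event rules each produce a medium or high finding on their own; the correlation step is what turns the pattern into a critical one, since an exclusion and an elevated logon task pointing at the same user-writable directory is exactly the sequence the loader performs. The Program Files exclusion and the least-privilege calendar task in the sample are there to show that ordinary software deployment does not trip the rules.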
The Vidar Stealer 2.0 payload then:
- Creates a directory in %ProgramData% to store stolen data
- Exfiltrates data to C2 servers whose addresses it resolves from dead-drop profiles on Telegram and Steam (e.g., hxxps://telegram[.]me/bul33bt, hxxps://steamcommunity[.]com/profiles/76561198765046918)
Reddit Distribution Chain
In another campaign, attackers spread Vidar 2.0 through Reddit posts advertising fake Counter-Strike 2 game cheats, redirecting victims to a malicious website that delivers EzFrags_Private.zip.
The archive contains a self-extracting (SFX) executable with an invalid digital signature, raising suspicion.
Upon execution, the loader extracts an embedded cabinet archive and runs a command to process Perfume.mdb, a script obfuscated with randomized variable names to hinder analysis.
The script then creates a directory (123043) and assembles Typically.com, a compiled AutoIt interpreter, by stitching together file fragments. It then builds the Vidar 2.0 payload from multiple .mdb files and executes it through that AutoIt interpreter.
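When triaging an SFX dropper like the one described above, three static checks go a long way before any dynamic analysis: locate the cabinet archive embedded after the PE stub, confirm that fragments reassembled from the .mdb files actually form a PE (following e_lfanew to the PE signature, which is stricter than the loader's own MZ-only check), and look for the AU3!EA06 marker that compiled AutoIt v3 scripts carry. The following is an added example written for this page, not code from Acronis or from the samples discussed; the cabinet header layout follows Microsoft's CFHEADER structure, while the PE blob, cabinet contents, fragment names and ordering are constructed for the example.

```python
"""Static triage helpers for an SFX + cabinet + AutoIt + fragment chain.

Added example. The sample SFX, cabinet and .mdb fragments are constructed here;
only the CFHEADER layout and the AutoIt marker are real format details.
"""
import struct

CAB_MAGIC = b"MSCF"
CAB_HEADER_LEN = 36               # fixed part of CFHEADER
AUTOIT_MARKER = b"AU3!EA06"       # marker present in compiled AutoIt v3 scripts


def build_min_pe(filler: bytes = b"\0" * 64) -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew at 0x3C, PE\\0\\0 signature."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(dos) + b"PE\0\0" + filler


def build_min_cab(payload: bytes, c_files: int) -> bytes:
    """Constructed CFHEADER (signature, reserved1, cbCabinet, reserved2, coffFiles,
    reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet)
    followed by an opaque payload standing in for the folder/file records."""
    cb_cabinet = CAB_HEADER_LEN + len(payload)
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, cb_cabinet, 0,
                         CAB_HEADER_LEN, 0, 3, 1, 1, c_files, 0, 0, 0)
    return header + payload


def looks_like_pe(blob: bytes) -> bool:
    """MZ at offset 0 and a PE\\0\\0 signature where e_lfanew points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_cabinet(blob: bytes):
    """Return (offset, cbCabinet, cFiles) for a plausible CFHEADER after offset 0, else None.

    cbCabinet must fit inside the container so a stray 'MSCF' string is not mistaken
    for an archive."""
    off = blob.find(CAB_MAGIC, 1)
    while off != -1:
        if off + CAB_HEADER_LEN <= len(blob):
            (cb_cabinet,) = struct.unpack_from("<I", blob, off + 8)
            (c_files,) = struct.unpack_from("<H", blob, off + 28)
            if cb_cabinet >= CAB_HEADER_LEN and off + cb_cabinet <= len(blob):
                return off, cb_cabinet, c_files
        off = blob.find(CAB_MAGIC, off + 1)
    return None


def has_autoit_script(blob: bytes) -> bool:
    return AUTOIT_MARKER in blob


def split_into_fragments(blob: bytes, n: int) -> dict:
    """Constructed stand-in for the .mdb fragment files: slice the payload into n pieces."""
    size = -(-len(blob) // n)
    return {f"part{i:02d}.mdb": blob[i * size:(i + 1) * size] for i in range(n)}


def reassemble(fragments: dict, order: list) -> bytes:
    """Concatenate fragments in the order the dropper script would use."""
    return b"".join(fragments[name] for name in order)


def triage_sfx(blob: bytes) -> dict:
    """Summarise the three static checks for a candidate SFX dropper."""
    return {
        "pe": looks_like_pe(blob),
        "cabinet": find_embedded_cabinet(blob),
        "autoit": has_autoit_script(blob),
    }


# Constructed sample: an SFX stub carrying a cabinet whose payload is a second
# PE that embeds the AutoIt marker (as a compiled-AutoIt interpreter would).
PE_STUB = build_min_pe()
INNER = build_min_pe(filler=b"\0" * 16 + AUTOIT_MARKER + b"\0" * 16)
SFX = PE_STUB + build_min_cab(INNER, c_files=3)

if __name__ == "__main__":
    print(triage_sfx(SFX))
    frags = split_into_fragments(INNER, 3)
    print("reassembled is PE:", looks_like_pe(reassemble(frags, sorted(frags))))
```

The reassembly step matters because a single fragment, or the fragments in the wrong order, will not pass `looks_like_pe`; that is exactly why the dropper script has to know the order, and why recovering that order from the obfuscated script is the quickest route to the real payload. On a real sample the cabinet offset and cFiles value give you what to expect when you extract it with a cabinet tool.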
The final payload connects to the same C2 infrastructure seen in prior campaigns, suggesting the same threat actor or group is behind both operations.
Vidar 2.0: A Stealthier, More Powerful Infostealer
The real novelty in the campaigns detected by Acronis TRU is the delivery of Vidar 2.0.
Vidar is an infostealer capable of extracting browser credentials, cookies and autofill data, as well as Azure tokens, cryptocurrency wallets, FTP/SSH credentials, Telegram and Discord data, and local files.
According to the researchers, Vidar 2.0 represents a significant technical evolution from the first version of the infostealer, with enhanced capabilities including:
- Polymorphic builds and multithreaded execution that improve speed and evade static detection
- Advanced obfuscation, debugger detection, timing checks and virtual machine detection that hinder analysis
- C2 infrastructure hidden via Telegram bots and Steam profiles as dead drop resolvers
“Taken together, these capabilities make Vidar 2.0 a powerful and stealthy threat, often completing its mission before victims are aware anything is wrong, and well before stolen data can be recovered or invalidated,” the researchers highlighted.
The latest version of the Vidar Stealer has gained adoption after law enforcement actions against two of the most prominent infostealers, Lumma and Rhadamanthys.
“This demonstrates how enforcement action reshapes the threat landscape: criminal demand simply migrates, and defenders must remain vigilant and informed,” the researchers concluded.
