
Vidar Stealer 2.0 Spreads Through Fake Game Cheats Promoted on GitHub and Reddit

A newly updated version of the Vidar infostealer, dubbed Vidar 2.0, is actively spreading through hundreds of fake game cheat repositories on GitHub and targeted posts on Reddit.

The malware disguises itself as free cheating software for popular online games, tricking gamers into downloading a powerful credential-stealing tool.

The threat of malware inside gaming software is not new. Cybercriminals have long used fake key generators and cracked tools to target gamers, and that approach has only grown.

Today, attackers systematically target nearly every major online game, including Counter-Strike 2 (CS2), Fortnite, Valorant, and Call of Duty.

Gamers seeking free cheat tools are ideal victims — they expect security warnings, have little reason to report infections, and often hold valuable digital assets tied to their accounts.

Acronis analysts identified active campaigns distributing Vidar 2.0, noting that its rise coincides with law enforcement actions that took down two dominant infostealers — Lummastealer and Rhadamanthys.

With those operations offline, cybercriminals needed a replacement, and Vidar filled the gap. Active since 2018 as a fork of the Arkei stealer, it has been in development for over seven years. Its low cost and powerful new features made it the obvious choice for threat actors.

Vidar 2.0 can steal browser credentials, cookies, autofill data, Azure tokens, cryptocurrency wallets, FTP and SSH credentials, Discord and Telegram session data, and local files.

It operates fast enough that victims rarely realize anything is wrong before their data appears in underground markets. Compromised gaming accounts are especially valuable targets, as in-game items and currency can be sold through grey markets with minimal risk to the attacker.

The campaign also shows how far threat actors have come in abusing trusted platforms. They now host landing pages on GitHub, giving their operations a credible appearance.

Reddit posts mentioning and promoting the game cheat for CS2 (Source – Acronis)

Reddit posts in active gaming communities steer users toward these fake repositories. By combining well-known platforms with targeted social engineering, attackers have built an infection pipeline that most users will not easily recognize as malicious.

The Infection Chain: How Vidar 2.0 Gets In

When a user clicks a link in a Reddit post or visits a fake GitHub page, they land on a site with installation instructions.

Fake installation walkthrough (Source – Acronis)

The walkthrough mimics a legitimate software setup, telling victims to disable antivirus, extract a password-protected archive, and run the file with administrator rights. Because cheat software often requires deep system access, many victims treat these instructions as normal.

Full infection chain (Source – Acronis)

The downloaded file is a PowerShell script compiled into a .NET binary using PS2EXE, as confirmed by the Detect It Easy (DIE) output.

Once launched, the loader adds a Windows Defender exclusion for an attacker-controlled folder, disabling security scanning for every file placed inside. It then contacts a hard-coded Pastebin URL to retrieve the next-stage payload address from GitHub.

The loader creates a randomly named, hidden folder inside the %AppData% directory and drops the final payload there as “background.exe.” Before running it, the loader checks the MZ header to verify it is a valid Windows executable.

Persistence is then set through a scheduled task named “SystemBackgroundUpdate”, configured to run automatically at every user login with elevated privileges.

The final payload is a Themida-packed Vidar 2.0 binary. Rather than using a hard-coded C2 address, it connects to Telegram bots and Steam profiles acting as dead drop resolvers.

This hides the real command-and-control (C2) infrastructure behind trusted services, making it considerably harder for security teams to track or block the operation.

Users and organizations should deploy endpoint protection or EDR tools capable of detecting unusual process chains, credential access, and data exfiltration.

All operating systems and applications must be kept up to date to address known vulnerabilities.

Execution policies should prevent software from running in non-standard paths like %AppData% or %ProgramData%, and users should be reminded to download software only from official vendor websites or verified repositories.
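As an added illustration (not from the article or from Acronis), the following Python hunts constructed SIEM-style records for the two loader behaviours described above and for the execution-path rule recommended here: a Defender path exclusion under %AppData% or %ProgramData%, and an elevated logon-triggered scheduled task whose binary lives in one of those folders. Event IDs 5007 and 4698 are the real Windows event numbers; the hostnames, paths and folder name are constructed sample values.

```python
import re

# Constructed sample telemetry (not taken from the article): each record mimics
# the fields a SIEM would normalise from Defender event 5007 (configuration
# changed) and Security event 4698 (scheduled task created).
SAMPLE_EVENTS = [
    {"id": 5007, "host": "WS01",
     "detail": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
               "\\Paths\\C:\\Users\\alice\\AppData\\Roaming\\q7x2k = 0x0"},
    {"id": 4698, "host": "WS01", "task": "\\SystemBackgroundUpdate",
     "command": "C:\\Users\\alice\\AppData\\Roaming\\q7x2k\\background.exe",
     "trigger": "LogonTrigger", "runlevel": "HighestAvailable"},
    {"id": 4698, "host": "WS02", "task": "\\GoogleUpdateTaskMachineUA",
     "command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "trigger": "LogonTrigger", "runlevel": "LeastPrivilege"},
]

# Paths the article singles out as non-standard execution locations.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData)\\", re.IGNORECASE)
EXCLUSION_KEY = "Windows Defender\\Exclusions\\Paths\\"

def flag_exclusion(ev):
    """Return the excluded path if a Defender exclusion was added under AppData/ProgramData."""
    if ev["id"] != 5007 or EXCLUSION_KEY not in ev.get("detail", ""):
        return None
    path = ev["detail"].split(EXCLUSION_KEY, 1)[1].rsplit(" = ", 1)[0]
    return path if USER_WRITABLE.search(path) else None

def flag_logon_task(ev):
    """Return the command if an elevated logon task runs a binary from AppData/ProgramData."""
    if ev["id"] != 4698 or ev.get("trigger") != "LogonTrigger":
        return None
    if ev.get("runlevel") != "HighestAvailable":
        return None
    return ev["command"] if USER_WRITABLE.search(ev["command"]) else None

def hunt(events):
    """Group findings per host; 'chain' is True when both behaviours co-occur."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev["host"], {"exclusions": [], "tasks": []})
        path = flag_exclusion(ev)
        if path:
            f["exclusions"].append(path)
        cmd = flag_logon_task(ev)
        if cmd:
            f["tasks"].append((ev["task"], cmd))
    for f in findings.values():
        f["chain"] = bool(f["exclusions"] and f["tasks"])
    return findings
```

Feeding real 5007/4698 records through the same two checks surfaces the exclusion-then-persistence sequence on a host even when the folder and task names differ from this campaign.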

The post Vidar Stealer 2.0 Spreads Through Fake Game Cheats Promoted on GitHub and Reddit appeared first on Cyber Security News.

Source: cybersecuritynews.com
