Vidar malware now hides payloads in JPEG and TXT files to avoid detection
Vidar infostealer has gained a stealthier infection chain in 2026, with researchers finding that newer samples can hide second-stage payloads inside normal-looking JPEG and TXT files. The goal is simple: make malicious traffic and payload delivery look less suspicious to users and security tools.
Point Wild’s Lat61 Threat Intelligence Team says the campaign combines a Go-based dropper, VBScript, PowerShell, RegAsm.exe, and in-memory execution. Instead of dropping a normal executable payload right away, the malware retrieves staged content from image and text files, decodes it, and runs it inside memory.
That makes the latest Vidar activity more difficult to catch with simple file-based scanning. Security teams need to watch the full behavior chain, including suspicious script execution, direct IP downloads, unusual JPEG or TXT retrieval, and RegAsm.exe abuse.
How the new Vidar chain works
Point Wild’s analysis says the infection begins with a Go-compiled dropper. That loader deploys a VBScript file, which then builds an obfuscated PowerShell command and continues the attack.
The PowerShell stage connects to a remote IP address and downloads a file disguised as a JPEG. Researchers identified the IP address as 62.60.226.200, with one staged file named 160066.jpg. The file looks harmless, but it carries embedded Base64 data between custom markers.

After that, the malware extracts the hidden content, cleans and decodes it, and reflectively loads a .NET stage without saving the decoded payload to disk. Point Wild says the chain then abuses RegAsm.exe as an execution proxy, which helps the malware blend into trusted Windows activity.
Why JPEG and TXT files matter
JPEG and TXT files usually do not look dangerous at first glance. Many tools, proxies, and users treat them as ordinary web content, which gives attackers a useful disguise.
In this campaign, the files work as carriers rather than normal documents or pictures. The JPEG and TXT content contains encoded payload data that the malware reconstructs during runtime. SOC Prime’s summary of the Point Wild report says the embedded payloads are extracted, decoded, and executed directly in memory through RegAsm.exe.
The TXT stage also adds another layer of obfuscation. Reports describe reversed strings and modified Base64 content, which forces the malware to rearrange and clean the data before execution. This slows down automated analysis and makes static detection harder.
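To make the carrier-file pattern above concrete for triage, here is an added Python example; it is not Point Wild's or SOC Prime's tooling and not code from the campaign. It flags a JPEG that carries a long Base64 run after its end-of-image marker, or a TXT that is mostly one Base64 run, and it recognises the reversed-Base64 variant by the fact that such a run only decodes after reversal. The `<<S>>`/`<<E>>` marker strings and the sample files are constructed; the article does not give the campaign's real markers, so the scanner does not depend on them.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Point Wild's, SOC Prime's, or the campaign's code).
# Static triage for carrier files: a JPEG with a Base64 blob after its
# end-of-image marker, or a TXT that is mostly one Base64 run.  A run that
# only decodes after reversal is reported as "reversed base64".

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{128,}")   # Base64 alphabet, line wraps allowed


@dataclass
class Finding:
    orientation: str      # "base64" or "reversed base64"
    location: str         # "jpeg trailer" or "body"
    offset: int           # byte offset of the run in the original file
    decoded_len: int
    looks_like_pe: bool   # decoded bytes begin with the MZ header


def _decode(blob: bytes) -> Optional[bytes]:
    """Strict Base64 decode; None when the run is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:    # binascii.Error is a ValueError subclass
        return None


def scan_carrier(data: bytes) -> List[Finding]:
    trailer_start = len(data)
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI)
        if eoi != -1:
            trailer_start = eoi + 2   # viewers stop here; anything after is trailing data
    findings: List[Finding] = []
    for m in B64_RUN.finditer(data):
        blob = re.sub(rb"\s+", b"", m.group(0))   # join wrapped lines
        if len(blob) < 128:
            continue
        orientation, decoded = "base64", _decode(blob)
        if decoded is None:
            rev = _decode(blob[::-1])             # reversed blobs start with their '=' padding
            if rev is not None:
                orientation, decoded = "reversed base64", rev
        if decoded is None:
            continue
        findings.append(Finding(
            orientation=orientation,
            location="jpeg trailer" if m.start() >= trailer_start else "body",
            offset=m.start(),
            decoded_len=len(decoded),
            looks_like_pe=decoded.startswith(b"MZ"),
        ))
    return findings


def severity(findings: List[Finding]) -> str:
    if any(f.looks_like_pe or f.orientation == "reversed base64" for f in findings):
        return "high"
    if any(f.location == "jpeg trailer" for f in findings):
        return "medium"
    return "low" if findings else "none"


# Constructed samples.  FAKE_STAGE stands in for a .NET stage; the <<S>>/<<E>>
# markers are placeholders, not the campaign's real markers.
FAKE_STAGE = b"MZ" + b"\x90" * 200
CLEAN_JPEG = JPEG_SOI + b"\x00" * 64 + JPEG_EOI
SAMPLE_JPEG = CLEAN_JPEG + b"<<S>>" + base64.b64encode(FAKE_STAGE) + b"<<E>>"
SAMPLE_TXT = base64.b64encode(FAKE_STAGE)[::-1]

if __name__ == "__main__":
    for name, sample in (("clean.jpg", CLEAN_JPEG), ("carrier.jpg", SAMPLE_JPEG), ("stage.txt", SAMPLE_TXT)):
        hits = scan_carrier(sample)
        print(name, severity(hits), *hits, sep="\n  ")
```

Two caveats for real use: legitimate JPEGs can carry Base64 inside the image body (XMP metadata, for example), which is why a "body" hit alone is rated low while trailing data after the end-of-image marker or a decoded MZ header is the strong signal; and the scanner takes the first FF D9 it finds, so a file with an embedded EXIF thumbnail can have its trailer boundary placed too early. A production check should walk the JPEG segment structure instead.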
At a glance
| Item | What current reporting shows |
|---|---|
| Malware family | Vidar infostealer |
| Main change | Payloads hidden inside JPEG and TXT files |
| Initial loader | Go-compiled dropper |
| Script stages | VBScript and PowerShell |
| Windows tools abused | WScript, PowerShell, RegAsm.exe |
| Payload method | Base64 extraction, decoding, reflective loading |
| Known IP in report | 62.60.226.200 |
| Example JPEG file | 160066.jpg |
| Main target data | Browser data, credentials, crypto wallets, extensions |
| Main risk | Fileless execution and reduced disk-based detection |
How victims are being tricked
The latest Vidar campaigns rely heavily on social engineering. Point Wild says attackers use fake GitHub repositories, compromised WordPress websites, fake CAPTCHA or ClickFix pages, and gaming-related lures to push users into running the initial payload.
ClickFix pages are especially dangerous because they ask users to copy and run commands under the fake promise of verification. Once the user runs the command, Windows-native tools can start the malware chain without needing a traditional exploit.

Gaming communities also remain attractive targets. HackRead reported that fake game cheat lures on platforms such as Reddit and Discord can lead users toward malicious downloads, which fits Vidar’s wider focus on social engineering rather than pure vulnerability exploitation.
What Vidar tries to steal
Vidar remains an information stealer at its core. The newer chain changes delivery and execution, but the final goal still centers on collecting valuable user data.
The campaign can target browser information, session data, credentials, and cryptocurrency-related data. HackRead reports that this version can target more than 200 browser extensions on Chrome and Edge, including crypto wallet and account-related data.
That puts both home users and businesses at risk. A stolen browser session can give attackers access to email, cloud dashboards, admin panels, banking portals, and work apps without needing the original password again.
Why defenders may miss it
This Vidar chain uses several techniques that make it harder to detect. It does not simply place one obvious malicious executable on disk and run it.
The attack uses trusted Windows components such as WScript, PowerShell, and RegAsm.exe. It also uses layered obfuscation, encoded content, direct IP-based delivery, and reflective loading. Point Wild says this lets the malware keep a low profile while moving through multiple stages.
SOC Prime says defenders should focus on early VBS and PowerShell behavior, suspicious RegAsm.exe activity, JPEG or TXT retrieval from the malicious IP, and recognizable Base64 marker patterns. Behavior-based detection matters more here than only scanning downloaded files.
What security teams should monitor
- WScript.exe launching PowerShell.
- PowerShell running with hidden windows or obfuscated commands.
- Downloads of JPEG or TXT files from direct IP addresses.
- Network traffic to 62.60.226.200.
- Unexpected use of RegAsm.exe.
- Base64 markers or reversed Base64-like strings in downloaded files.
- Startup folder changes or suspicious persistence scripts.
- Telegram or Cloudflare-fronted command-and-control traffic.
- Browser extension data access after suspicious script activity.
Why this matters for businesses
For companies, Vidar’s new chain creates a practical detection problem. Many endpoint tools can flag obvious malware, but this campaign breaks the attack into smaller steps that look less suspicious on their own.
A JPEG download may not look dangerous. PowerShell may appear in normal admin work. RegAsm.exe is a legitimate Microsoft utility. The risk appears when all of these pieces connect in sequence.
That is why teams should correlate events instead of treating each alert separately. A user running a strange script, followed by PowerShell, a direct IP download, RegAsm.exe, and browser data access should trigger a faster investigation.
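The monitoring list and the advice to correlate events rather than judge each alert alone can be turned into a small correlator. The following Python is an added example, not part of the article and not any vendor's detection content: it rebuilds the process tree from constructed Sysmon-style event lines and scores each PowerShell process on the sequence the article describes (script host parent, hidden or encoded command, download of a JPEG or TXT from a bare IP, RegAsm.exe child). The log lines, the `ts=… kind=… pid=…` key=value format and the weights are all constructed for the demo; the IP and file name are the ones the report names.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not the article's or any vendor's detection logic).
# Weights and the key=value event format are constructed for this demo.

KNOWN_BAD_IPS = {"62.60.226.200"}          # the IP named in the Point Wild report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CARRIER_EXT = re.compile(r"\.(jpe?g|txt)$", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(w|windowstyle)\s+hidden|-e(nc|ncodedcommand)?\s", re.I)
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    dests: List[Tuple[str, str]] = field(default_factory=list)   # (host, path)
    children: List[str] = field(default_factory=list)            # child image names


@dataclass
class Alert:
    pid: int
    score: int
    reasons: List[str]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line (quoted values may hold spaces)."""
    out = {}
    for m in KV.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def build_tree(log_text: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        pid = int(ev["pid"])
        if ev["kind"] == "proc":
            procs[pid] = Proc(pid, int(ev["ppid"]), ev["image"].lower(), ev.get("cmdline", ""))
        elif ev["kind"] == "net" and pid in procs:
            procs[pid].dests.append((ev["dest"], ev.get("path", "")))
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.image)
    return procs


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_powershell(p: Proc, procs: Dict[int, Proc]) -> Tuple[int, List[str]]:
    """Weight each stage of the chain; the pieces are weak alone, strong together."""
    hits: List[Tuple[str, int]] = []
    parent = procs.get(p.ppid)
    if parent and parent.image in SCRIPT_HOSTS:
        hits.append(("script host spawned PowerShell", 1))
    if HIDDEN_OR_ENCODED.search(p.cmdline):
        hits.append(("hidden window or encoded command", 1))
    for host, path in p.dests:
        if host in KNOWN_BAD_IPS:
            hits.append((f"traffic to reported IP {host}", 2))
        elif is_bare_ip(host):
            hits.append((f"download from bare IP {host}", 1))
        if CARRIER_EXT.search(path):
            hits.append((f"fetched carrier-type file {path}", 1))
    if "regasm.exe" in p.children:
        hits.append(("PowerShell spawned RegAsm.exe", 2))
    return sum(w for _, w in hits), [r for r, _ in hits]


def correlate(log_text: str, threshold: int = 4) -> List[Alert]:
    procs = build_tree(log_text)
    alerts = []
    for p in procs.values():
        if p.image != "powershell.exe":
            continue
        score, reasons = score_powershell(p, procs)
        if score >= threshold:
            alerts.append(Alert(p.pid, score, reasons))
    return alerts


# Constructed event lines: one suspicious chain (pids 101-103) and one admin
# PowerShell session (pid 200) that merely fetched a .txt file.
SAMPLE_LOG = r"""
ts=1 kind=proc pid=100 ppid=50 image=explorer.exe cmdline="explorer.exe"
ts=2 kind=proc pid=101 ppid=100 image=wscript.exe cmdline="wscript.exe C:\Users\u\Downloads\setup.vbs"
ts=3 kind=proc pid=102 ppid=101 image=powershell.exe cmdline="powershell.exe -w hidden -enc QUJDRA=="
ts=4 kind=net pid=102 image=powershell.exe dest=62.60.226.200 path=/160066.jpg
ts=5 kind=proc pid=103 ppid=102 image=RegAsm.exe cmdline="RegAsm.exe"
ts=6 kind=proc pid=200 ppid=100 image=powershell.exe cmdline="powershell.exe Get-Service"
ts=7 kind=net pid=200 image=powershell.exe dest=update.example.com path=/x.txt
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"pid {a.pid} score {a.score}: " + "; ".join(a.reasons))
```

The admin session scores 1 (only the `.txt` fetch) and stays below the threshold, while the chained events on pid 102 score 7 and produce a single alert that lists every stage. The same weighting can be expressed as a SIEM correlation rule keyed on the PowerShell process id.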
FAQ
Vidar is an information-stealing malware family that targets browser data, credentials, crypto wallets, session information, and other valuable data from infected systems.
The campaign uses JPEG and TXT files as disguised payload carriers. The malware downloads them, extracts encoded data, decodes it, and runs the next stage in memory.
No. The risk comes from malicious files designed to carry encoded payloads and from scripts that extract and run that hidden content. Normal images are not automatically dangerous.
The campaign abuses RegAsm.exe as a trusted Windows execution proxy. This helps the malware run a decoded .NET stage while blending into legitimate system activity.