Vidar-as-a-Service: Stolen Certificates, Telegram Dead Drops, and the 185.56.45.235 C2 Infrastructure
Provenance: Originally published as a thread on @BreakGlassIntel on 2026-04-19. This page reproduces the thread narrative and supporting probe artifacts for permanent reference.
Thread
We received a Go binary via MalwareBazaar signed with a *.cbsnews[.]com Authenticode certificate (Sectigo). A second variant uses a *.desmos[.]com certificate (Amazon).
Vidar stealer, compiled with garble obfuscation.
The samples use Telegram channel descriptions for C2 resolution. Two channels currently active:
https://t.co/CJQFetPovA → prc.cebolinhaburger[.]com
https://t.co/fj8nJxLpAy → ask.blogdospesados[.]com[.]br
Operator updates the channel bio, infected machines follow to the new
Both C2 domains are compromised Brazilian WordPress sites on Hostinger — a restaurant and a trucking blog being used as C2 relays.
Go C2 panel at 185.56.45[.]235, self-signed cert from April 16. API-only, no web UI.
The cluster appears to run as a multi-affiliate service — 18+ subdomain identifiers across 6+ C2 domains, 100+ samples observed. Active since at least August 2025.
Similar dead-drop C2 resolution patterns showing up across unrelated operations recently — Ethereum smart contracts, Binance Smart Chain, Telegram bios, Steam profiles. Worth tracking as a technique.
Writeup with IOCs, YARA, and certificate details:
Blog: https://t.co/ufFW4EojSv
Reply or DM if you have indicators you'd like investigated.
#Vidar #Stealer #Telegram #C2 #ThreatIntel
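The resolution step the thread describes (the bot reads a Telegram channel's bio, pulls a hostname out of it and uses that as its C2) as an added Go example. This is not the stealer's code and not part of the thread; it assumes Telegram's public preview page for a channel exposes the bio in an `og:description` meta tag, and the HTML below is constructed, with a made-up channel name and the first hostname the thread reports.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Constructed stand-in for a t.me/<channel> preview page. The channel name is
// made up; the hostname is the one the thread reports for the first channel.
const sampleChannelPage = `<!DOCTYPE html>
<html><head>
<meta property="og:title" content="example_channel">
<meta property="og:description" content="prc.cebolinhaburger.com">
</head><body></body></html>`

// Constructed page for the failure case: a channel with no bio at all.
const emptyChannelPage = `<html><head><meta property="og:title" content="x"></head></html>`

var (
	// Assumption: Telegram's public preview page carries the channel bio in
	// og:description. Adjust the pattern if the markup changes.
	ogDescRe = regexp.MustCompile(`<meta\s+property="og:description"\s+content="([^"]*)"`)
	// Loose hostname matcher: two or more dot-separated labels, alphabetic TLD.
	hostRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)
)

// ExtractDeadDrop returns the first hostname found in the channel description,
// which is what a bot using this dead-drop scheme treats as its current C2.
func ExtractDeadDrop(page string) (string, error) {
	m := ogDescRe.FindStringSubmatch(page)
	if m == nil {
		return "", errors.New("no og:description tag: channel deleted, private, or markup changed")
	}
	desc := html.UnescapeString(m[1])
	h := hostRe.FindString(desc)
	if h == "" {
		return "", fmt.Errorf("description %q carries no hostname", desc)
	}
	return strings.ToLower(h), nil
}

// ResolveFromTelegram fetches the live preview page for a public channel and
// runs ExtractDeadDrop on it. It is not exercised offline; it is here so the
// fetch path is explicit. Run it on a schedule: the thread's point is that the
// operator moves the C2 simply by editing the bio.
func ResolveFromTelegram(client *http.Client, channel string) (string, error) {
	resp, err := client.Get("https://t.me/" + channel)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("t.me returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	return ExtractDeadDrop(string(body))
}

func main() {
	for _, p := range []string{sampleChannelPage, emptyChannelPage} {
		c2, err := ExtractDeadDrop(p)
		fmt.Printf("c2=%q err=%v\n", c2, err)
	}
}
```

The same extractor, pointed at the two channels behind the thread's t.co links and diffed against the previous run, is enough to track C2 rotation for this cluster; the hostname regex is deliberately loose, so anything it returns from a real bio should be checked by hand before it goes into a blocklist.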
Supporting probe artifacts
Raw output captured during the investigation. Two caveats for anyone reusing it: c2-domains.txt is an unfiltered string extraction, not a vetted IOC list (it carries split fragments such as linhaburger.com and uas.cebo alongside benign names such as kernel32.dll, cloudflare.com, steamcommunity.com and t.me), so only the domains named in the thread should be treated as C2 indicators. The "HTTP/1.0 400 Bad Request / Client sent an HTTP request to an HTTPS server." response and the "404 page not found" bodies under resp-443 are the literal texts emitted by Go's net/http server and its default NotFound handler, which corroborates the nmap Golang fingerprint and the thread's claim of an API-only panel with no login page and no gate.php.
=== c2-domains.txt ===
20262.exe
20262.rar
333.exe
3vmu33h6l.exe
6ye4dj5g.exe
845dc.exe
aasscc.how
anahi.ns
are.exe
areeus.onli
ask.blog
biolinks.com
blogdospesados.com
brd.sequ
cbsnews.com
cc.how
cebolinhaburger.com
cloudflare.com
dawn.ns
desmos.com
dgstoq.exe
dospesados.com
dspdsp.exe
etup.exe
gin.blog
gor.aass
imaster.com
inks.com
ins.aass
kernel32.dll
kevin.ns
linhaburger.com
malware.exe
mpclient.dll
mpclient.zip
nin.blog
nolan.ns
oader.exe
ountain.ai
qhl.biol
r.clou
sequareeus.onli
shurimaster.com
sje9m7f.exe
srv1017128.hstg
steamcommunity.com
t.me
telegram.me
tth.shur
uas.aass
uas.cebo
ubv2.zip
wubi1.exe
=== cert.txt ===
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:06:92:74:a9:1e:81:a2:79:f5:16:df:46:38:84:63
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=185.56.45.235
        Validity
            Not Before: Apr 16 09:31:10 2026 GMT
            Not After : Apr 13 09:31:10 2036 GMT
        Subject: CN=185.56.45.235
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:19:b9:85:d9:18:0e:c8:61:5f:92:e2:39:4e:00:
                    14:4b:4c:32:a2:1c:7c:c8:9b:bc:74:72:07:78:c2:
                    18:7c:51:48:3a:96:e6:97:8d:1e:83:e7:19:c0:df:
                    0f:6f:48:64:72:d0:e3:ca:e1:5f:b3:c7:dd:fb:1e:
                    ea:1b:46:63:5a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:185.56.45.235, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:BE24:11FF:FEE5:1CB5
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:62:de:71:a7:e2:a9:ae:8b:7a:6f:11:b8:5c:17:
        1b:b5:f6:32:7b:39:a7:e8:27:60:25:de:56:a7:ce:5a:ea:9d:
        02:21:00:f0:0e:ac:4a:61:b7:95:1d:c4:05:17:df:5b:7e:bf:
        b6:21:82:7f:b9:4b:dd:c3:55:b8:ec:fb:56:57:b2:86:67
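The SAN on this certificate includes the host's IPv6 link-local address, and FE80::BE24:11FF:FEE5:1CB5 has the FF:FE filler of a modified EUI-64, so it was derived from the NIC's MAC address. The Go program below, an added example that is not part of the thread or its artifacts, parses the SAN line copied verbatim from cert.txt and reverses the EUI-64 construction (drop FF:FE, clear the U/L bit of the first octet) to recover that MAC. The recovered prefix bc:24:11 is the default OUI Proxmox VE assigns to virtual NICs, which would make the C2 a Proxmox guest; confirm the OUI against the IEEE registry before relying on that.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
)

// The Subject Alternative Name line from cert.txt, copied verbatim.
const sanLine = "IP Address:127.0.0.1, IP Address:185.56.45.235, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:BE24:11FF:FEE5:1CB5"

var ipSANRe = regexp.MustCompile(`IP Address:([0-9A-Fa-f.:]+)`)

// SANIPs parses the IP entries out of an openssl-style SAN line.
func SANIPs(line string) []net.IP {
	var out []net.IP
	for _, m := range ipSANRe.FindAllStringSubmatch(line, -1) {
		if ip := net.ParseIP(m[1]); ip != nil {
			out = append(out, ip)
		}
	}
	return out
}

// MACFromEUI64 reverses the modified-EUI-64 interface identifier used by
// SLAAC link-local addresses: the 64-bit IID is <OUI><FF:FE><NIC>, with the
// universal/local bit (0x02 of the first octet) inverted. It refuses
// anything that is not an IPv6 link-local address or whose IID lacks the
// FF:FE filler (privacy or random IIDs carry no MAC to recover).
func MACFromEUI64(ip net.IP) (net.HardwareAddr, error) {
	ip16 := ip.To16()
	if ip16 == nil || ip.To4() != nil || !ip16.IsLinkLocalUnicast() {
		return nil, errors.New("not an IPv6 link-local address")
	}
	iid := ip16[8:]
	if iid[3] != 0xFF || iid[4] != 0xFE {
		return nil, errors.New("interface id is not EUI-64 derived")
	}
	mac := net.HardwareAddr{iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]}
	return mac, nil
}

// HostMACs returns every MAC address recoverable from a SAN line.
func HostMACs(line string) []string {
	var macs []string
	for _, ip := range SANIPs(line) {
		if mac, err := MACFromEUI64(ip); err == nil {
			macs = append(macs, mac.String())
		}
	}
	return macs
}

func main() {
	for _, ip := range SANIPs(sanLine) {
		mac, err := MACFromEUI64(ip)
		fmt.Printf("%-40s mac=%v err=%v\n", ip, mac, err)
	}
}
```

A link-local address in a server certificate is a small but durable host fingerprint: it survives IP changes and re-issued certificates as long as the operator keeps generating certs with the same tooling on the same VM, so it is worth recording alongside the serial and SAN set when tracking this panel.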
=== nmap.txt ===
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-19 04:59 UTC
Nmap scan report for 185.56.45.235
Host is up (0.0072s latency).
Not shown: 9997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.94 seconds
=== page-http-443.txt ===
HTTP/1.0 400 Bad Request
Client sent an HTTP request to an HTTPS server.
=== resp-443--login.txt ===
404 page not found
=== resp-443--gate.php.txt ===
404 page not found