    Vidar Infostealer Spreads via Fake CAPTCHAs, Hides in JPEG and TXT Files

By editorial team, April 27, 2026

New research from the Lat61 Threat Intelligence Team at Point Wild reveals that attackers are hiding malicious code inside everyday files such as JPEG images and text documents to deploy a new version of the notorious Vidar infostealer. Vidar has reportedly undergone a major transformation, evolving from a simple password stealer into a highly adaptable attack framework that uses a multi-stage infection chain.

Different ways of tricking users: the latest trend

Researchers note that scammers are now less interested in finding technical gaps than in social engineering. Most prominently, they are exploiting the recent Claude Code source code leak by setting up fake GitHub repositories that lure developers into downloading a malicious file they believe is a free or unlocked version of the tool.

Hackers also use Reddit and Discord to offer fake video game cheats, and they compromise WordPress websites to display fake CAPTCHA prompts (so-called ClickFix pages) that instruct users to run a specific command to verify they are human. In reality, that command triggers a multi-stage infection chain. Lat61's research focuses on this chain, which starts with VBScript and PowerShell scripts and leads to the deployment of a Go-compiled loader.

    “Building on these insights, our analysis shifts focus beyond initial compromise and into the post-exploitation phase, where the true impact of the infection unfolds. This analysis by Point Wild highlights a sophisticated, multi-stage malware campaign that leverages layered obfuscation, staged payload delivery, and trusted Windows components to achieve stealthy execution and persistence,” researchers explained in their blog post.

    The Hidden Image Attack

What makes the 2026 version of Vidar more dangerous is its stealth. Once a device is infected, the malware uses IP-based delivery infrastructure to download files such as '160066.jpg' and various TXT files from the address 62.60.226.200. These normal-looking image and text files are actually payload containers that embed Base64 data.

    One of the malicious JPEG images used in the campaign (Image credit: Point Wild)

Additionally, the malware relies on Living-off-the-Land (LotL) techniques, abusing trusted Windows binaries such as WScript, PowerShell and RegAsm.exe to blend in with normal system processes. Its steganographic step scans the downloaded files for secret marker strings, extracts the Base64-encoded data between them and reconstructs the final Vidar payload from that hidden data, so no separate executable ever needs to be downloaded.

The reconstructed code is then executed directly in memory through .NET reflective loading. This fileless approach is particularly dangerous because the malicious code is never written to disk, which lets it evade most file-based security scanners.
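As an added example (not code from the Point Wild report), the following Python scanner implements the defender's side of the carrier-file technique described above: it looks for data appended after a JPEG's End-Of-Image marker and for long Base64 runs anywhere in a file, decodes them, and flags any that decode to a PE ('MZ') header. The marker strings, the 64-character threshold and the sample carrier file are constructed assumptions, since the report does not name the markers Vidar uses.

```python
import base64
import re

# A Base64 run this long is a payload candidate rather than incidental text (threshold is an assumption).
MIN_B64_LEN = 64
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
JPEG_SOI = b"\xff\xd8"  # Start Of Image
JPEG_EOI = b"\xff\xd9"  # End Of Image: a valid viewer ignores anything after this


def trailing_after_eoi(data: bytes) -> bytes:
    """Return the bytes that follow the last JPEG EOI marker (empty if none, or not a JPEG)."""
    if not data.startswith(JPEG_SOI):
        return b""
    idx = data.rfind(JPEG_EOI)
    return b"" if idx == -1 else data[idx + len(JPEG_EOI):]


def scan_for_hidden_payload(data: bytes) -> list:
    """Locate long Base64 runs in a carrier file and describe what they decode to.

    Each finding records the run's offset and length, whether it sits in the JPEG trailer
    (after EOI), and whether the decoded bytes start with the 'MZ' PE header.
    """
    findings = []
    trailer_start = None
    if data.startswith(JPEG_SOI):
        trailer_start = len(data) - len(trailing_after_eoi(data))
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
            continue
        findings.append({
            "offset": m.start(),
            "encoded_len": len(run),
            "after_jpeg_eoi": trailer_start is not None and m.start() >= trailer_start,
            "decodes_to_pe": decoded.startswith(b"MZ"),
        })
    return findings


# Constructed sample: a minimal JPEG skeleton (SOI, a dummy APP0 segment, EOI) followed by a
# hypothetical marker pair wrapping a Base64 blob that decodes to an 'MZ' stub (stand-in for a .NET assembly).
FAKE_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
HIDDEN = base64.b64encode(b"MZ" + b"\x00" * 62)
SAMPLE_CARRIER = FAKE_JPEG + b"<<BEGIN_STUB>>" + HIDDEN + b"<<END_STUB>>"

if __name__ == "__main__":
    for f in scan_for_hidden_payload(SAMPLE_CARRIER):
        print(f)  # one finding: Base64 after EOI, decodes to a PE header
```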

    Widespread Data Theft

The final goal is, of course, data exfiltration. This version can steal data from more than 200 browser extensions in Google Chrome and Microsoft Edge, and it specifically targets cryptocurrency wallets, login credentials and session data to give the attackers access to private accounts.

The stolen data is sent back to the attackers' server via Telegram and Cloudflare-fronted domains, which helps them cover their tracks.

    Attack Chain (Credit: Point Wild)

    Dr. Zulfikar Ramzan, head of the Lat61 Threat Intelligence Team, explained that using image files as “covert carriers” is a clever move to make the attack look like normal web traffic.

    “Threat actors weaponized the recent Claude Code leak by seeding fake GitHub repositories with trojanized tools that delivered Vidar infostealer. What’s notable here is the evolution of the payload delivery through steganographic techniques such as using JPEG and TXT files as covert carriers and executing everything in memory to thwart forensics.”

If you are a developer, or about to become one, the advice is to avoid running commands whose impact you do not understand and to avoid downloading files from unofficial GitHub pages or suspicious pop-up prompts.
