Vidar info-stealing malware spreads via 1,300 domains impersonating AnyDesk site

Attackers are spreading Vidar information stealing malware using 1,300 domains impersonating AnyDesk official site. The malicious activity was uncovered by SEKOLA threat analyst crep1x. Crep1x shared the complete list of the malicious hostnames all of which linked to the same IP address of 185.149.120[.]9.

The malicious hostnames include typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and others.

According to the researcher, the cloned sites pretended to be an installer for the AnyDesk software, and they were distributing a ZIP file named ‘’ The installer then installs Vidar stealer instead of installing the remote access software.

After installation, the malware steals victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. The data will then be sent back to the attackers who could use it for other malicious activities.

To avoid clicking on promoted results (ads) in Google Search, users are advised to bookmark the sites they use for downloading software. They are also advised to find the official URL of a software project from their Wikipedia page or their OS’s package manager.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web