Cybercriminals spread malware through fake Windows 11 updates. These are distributed through counterfeit Microsoft portals in the form of so-called ISO files. The Vidar malware is hidden in these malicious ISOs.
The warning comes from the Zscaler ThreatLabz team, which discovered several newly registered domains while monitoring suspicious traffic in the Zscaler cloud. The fake sites were created to distribute ISO files that ultimately lead to a Vidar infostealer infection.
Vidar malware can retrieve its Command and Control (C2) configuration from attacker-controlled social media channels hosted on the Telegram and Mastodon networks. Additionally, Zscaler suspects that the same threat actor is actively using social engineering to impersonate popular legitimate applications, again with the intention of spreading Vidar malware.
A GitHub repository that hosts several backdoored versions of Adobe Photoshop has also been identified. These binaries distribute Vidar malware using similar tactics that misuse social media channels for C2 communication.
The Zscaler ThreatLabz team advises users to exercise caution and only download software from official vendor websites.
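The report describes two observable signals a defender can combine: disk-image or installer downloads, and domains that were registered only days earlier while borrowing a vendor's brand. The following script is an added example, not code from Zscaler or the article, that applies both signals to proxy log lines. The log lines, the log format (`date client method url status content-type`), the registration dates, the 30-day "new domain" threshold and the allowlist of official vendor domains are all constructed assumptions for the example; in a real deployment the registration dates would come from a WHOIS/RDAP or domain-age feed.

```python
import re
from datetime import date
from typing import Optional

# Constructed sample proxy log lines for this example (not real IoCs).
# Assumed format: <date> <client_ip> <method> <url> <status> <content_type>
SAMPLE_LOGS = [
    "2022-04-18 10.0.0.5 GET https://www.microsoft.com/en-us/software-download/windows11 200 text/html",
    "2022-04-18 10.0.0.7 GET https://example-win11-upgrade.test/Windows11Upgrade.iso 200 application/octet-stream",
    "2022-04-18 10.0.0.9 GET https://cdn.example.test/photoshop-setup.zip 200 application/zip",
    "2022-04-18 10.0.0.7 GET https://example-win11-upgrade.test/favicon.ico 200 image/x-icon",
]

# Constructed registration dates standing in for a WHOIS/RDAP or domain-age feed.
DOMAIN_REGISTERED = {
    "www.microsoft.com": date(1991, 5, 2),
    "example-win11-upgrade.test": date(2022, 4, 12),
    "cdn.example.test": date(2019, 1, 10),
}

# Assumed allowlist: the vendor sites the article tells users to download from.
OFFICIAL_DOMAINS = {"www.microsoft.com", "microsoft.com", "www.adobe.com", "adobe.com"}
RISKY_EXT = (".iso", ".exe", ".msi", ".zip")
LURE_WORDS = ("win11", "windows11", "windows-11", "microsoft", "photoshop", "adobe")
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def domain_of(url: str) -> str:
    """Return the lowercase host part of an http(s) URL, without port."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return host.split(":")[0].lower()


def assess(line: str, today: date) -> Optional[dict]:
    """Return a finding for a suspicious log line, or None for a benign one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    _, client, _, url, _, _ = m.groups()
    domain = domain_of(url)
    path = url.lower().split("?", 1)[0]
    reasons = []

    registered = DOMAIN_REGISTERED.get(domain)
    age_days = (today - registered).days if registered else None
    is_new = age_days is not None and age_days <= NEW_DOMAIN_DAYS
    # An unknown registration date counts as unknown age, not as new.
    if is_new:
        reasons.append(f"domain registered {age_days} days ago")
    if path.endswith(RISKY_EXT):
        reasons.append(f"installer-like download ({path.rsplit('.', 1)[-1]})")
    if domain not in OFFICIAL_DOMAINS and any(w in path for w in LURE_WORDS):
        reasons.append("vendor brand used outside the vendor's own domain")

    # Domain age alone and a brand name alone are both noisy; require a young
    # domain plus at least one other signal before raising a finding.
    if is_new and len(reasons) >= 2:
        return {"client": client, "domain": domain, "url": url, "reasons": reasons}
    return None


def find_suspicious(lines, today: date) -> list:
    """Run assess() over every line and keep only the findings."""
    return [f for f in (assess(line, today) for line in lines) if f]


def demo() -> list:
    """Evaluate the constructed sample logs as of the constructed date."""
    return find_suspicious(SAMPLE_LOGS, date(2022, 4, 18))


if __name__ == "__main__":
    for f in demo():
        print(f["client"], f["url"], "->", "; ".join(f["reasons"]))
```

On the sample data the official Microsoft download page is not flagged, the Photoshop archive from an old domain is not flagged on its own (it carries two signals but no young domain), and both requests to the six-day-old brand-lure domain are flagged, the ISO download with all three reasons. The point of the two-signal rule is that each signal on its own produces far too many false positives on a real proxy log.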