Vidar Stealer 2.0 Campaign: Fake Game Cheats Flood GitHub and Reddit – A Major Threat to Gamers
Korerde Akinsanya
3/25/2026, 3 min read


Published: March 2026
In mid-March 2026, the Acronis Threat Research Unit (TRU) uncovered a large-scale malware campaign distributing Vidar Stealer 2.0, an advanced evolution of the well-known Vidar infostealer. Sold as Malware-as-a-Service (MaaS) for $130–$750, this threat has surged in popularity following law enforcement takedowns of competing stealers like Lumma and Rhadamanthys.
Threat actors created hundreds of GitHub repositories — with estimates suggesting the real number could reach the thousands, as new ones appear daily — alongside targeted Reddit posts. These lure gamers with “free” cheats for popular titles including Counter-Strike 2 (CS2), Fortnite, Call of Duty, and Valorant.
How the Campaign Works
The attack chain begins with social engineering in gaming communities on Discord, Reddit, and related forums. Users searching for free cheats encounter enticing posts and repositories that appear legitimate.
Malicious links are often hidden inside images or descriptions in GitHub repos.
Clicking leads to GitHub Pages or third-party redirect sites hosting downloads with gaming-themed names such as TempSpoofer.exe, Monotone.exe, CFXBypass.exe, or EzFrags_Private.zip.
Victims are instructed to disable antivirus software, extract password-protected archives, and run files with administrator privileges — steps that feel “normal” for cheat software, which often bypasses anti-cheat protections.
Two main variants have been observed:
GitHub-based loader: A PowerShell script compiled to an executable (using PS2EXE). It adds Windows Defender exclusions, fetches secondary payloads from Pastebin or GitHub, drops files into hidden folders in %AppData%, runs the packed Vidar payload with elevated rights, and creates a persistence scheduled task named “SystemBackgroundUpdate” that runs at logon.
Reddit SFX variant: An EzFrags_Private.zip self-extracting archive with junk data for evasion, containing VBS scripts and an AutoIt-based loader that ultimately drops and executes the Vidar stealer.
The entire process is designed to be quick and silent, completing data theft before most victims notice anything suspicious.
Vidar Stealer 2.0: A Significant Upgrade
Vidar Stealer 2.0 marks a major technical overhaul:
Full rewrite from C++ to pure C for improved speed, stability, and fewer detectable artifacts.
Automatic polymorphic morphing — each build generates unique code structures to evade signature-based detection.
Multithreading that dynamically adapts to system resources (CPU/memory) for faster, concurrent data stealing.
Heavy obfuscation, including control-flow flattening in every function.
Advanced anti-analysis:
Debugger detection (IsDebuggerPresent, CheckRemoteDebuggerPresent, etc.).
Timing checks (using GetTickCount and Sleep — terminates if delays suggest analysis).
VM detection based on RAM size.
Single-instance enforcement via named events.
Data theft capabilities include:
Browser credentials, cookies, autofill data, and history (Chromium and Firefox).
Advanced browser key decryption, including bypassing AppBound protections via process injection.
Azure tokens.
Cryptocurrency wallets (especially Monero keys/addresses).
FTP/SSH credentials (WinSCP, FileZilla).
Telegram and Discord tokens.
Steam files and gaming-related data.
Screenshots and files from Desktop, Documents, Downloads, Recent folders, and recursive drive searches.
Browser extensions and other sensitive local data.
Stolen data is stored in a randomly named directory under %ProgramData% before exfiltration.
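The loader behaviour described above (the "SystemBackgroundUpdate" logon task, Windows Defender exclusions, hidden folders under %AppData%) and the staging directory under %ProgramData% give a defender a small set of host artifacts to check for. The following read-only triage script is an added example written for this post; it is not Acronis TRU code and is not the published YARA rule. The task name comes from the report; the path patterns treated as suspicious and the 14-day window for "recent" %ProgramData% folders are assumptions, so expect some benign results that need a second look.

```powershell
# Added example: host triage for the loader/stealer artifacts named in this post.
# Not Acronis TRU code. Run from an elevated PowerShell; it only reports, never deletes.

function Get-VidarLoaderIndicators {
    [CmdletBinding()]
    param(
        [string]$TaskName = 'SystemBackgroundUpdate',   # persistence task name from the report
        [int]$RecentDays = 14                            # assumption: staging folders are recent
    )
    $findings = @()

    # 1. Logon-triggered scheduled task using the reported name, with its action for context
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Detail = "$($task.TaskPath)$($task.TaskName) -> $action"
        }
    }

    # 2. Defender path/process exclusions that point into user-writable locations
    #    (the loader adds exclusions before dropping its payload)
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
            if ($p -and $p -match '\\(AppData|ProgramData|Temp|Downloads)\\') {
                $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Detail = $p }
            }
        }
    }

    # 3. Hidden directories directly under %AppData% (Roaming) and %LocalAppData%
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
        Get-ChildItem -Path $root -Directory -Hidden -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'HiddenAppDataDir'; Detail = $_.FullName }
            }
    }

    # 4. Recently created directories under %ProgramData%; the stealer stages stolen
    #    data in a randomly named folder there. Heuristic: review names manually.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    Get-ChildItem -Path $env:ProgramData -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type   = 'RecentProgramDataDir'
                Detail = "$($_.FullName) (created $($_.CreationTime))"
            }
        }

    return $findings
}

$results = @(Get-VidarLoaderIndicators)
if ($results.Count -eq 0) { 'No loader indicators found on this host.' }
else { $results | Format-Table -AutoSize }
```

The script intentionally stops at reporting: a hit on the scheduled task or a Defender exclusion pointing into %AppData% is the point at which to isolate the machine and pull an image, rather than to clean up in place and lose the evidence of what was exfiltrated.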
Stealthy Exfiltration
To hide real command-and-control (C2) servers, Vidar 2.0 uses dead-drop resolvers:
Telegram bots (e.g., connections to telegram.me/bul33bt).
Steam profiles (e.g., steamcommunity.com/profiles/76561198765046918) from which C2 addresses are extracted.
This technique makes takedown and blocking significantly harder.
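Because gamers legitimately browse Steam profiles and Telegram links, blocking those hosts outright is not an option; the useful signal is which process made the connection. The following detection logic is an added example written for this post (not Acronis TRU code) and runs over a few constructed EDR-style network events, not real telemetry. The assumed record format is time,host,process_path,dest_host,url_path; the list of processes for which these hosts are normal, and the inclusion of t.me as an alias for telegram.me, are assumptions. The Telegram and Steam paths are the ones quoted in this post.

```powershell
# Added example: flag dead-drop resolver lookups made by unexpected processes.
# Constructed sample events (not real telemetry). Columns: time,host,process_path,dest_host,url_path
$sampleEvents = @'
2026-03-18T14:02:11Z,GAMER-PC,C:\Program Files\Steam\steam.exe,steamcommunity.com,/profiles/76561198765046918
2026-03-18T14:02:40Z,GAMER-PC,C:\Users\alex\AppData\Roaming\xk3q9\Monotone.exe,steamcommunity.com,/profiles/76561198765046918
2026-03-18T14:02:41Z,GAMER-PC,C:\Users\alex\AppData\Roaming\xk3q9\Monotone.exe,telegram.me,/bul33bt
2026-03-18T14:03:05Z,GAMER-PC,C:\Program Files\Google\Chrome\Application\chrome.exe,t.me,/somechannel
2026-03-18T14:03:30Z,GAMER-PC,C:\Users\alex\AppData\Roaming\xk3q9\Monotone.exe,203.0.113.10,/
'@

# Hosts the report names as dead-drop resolvers; t.me added as an alias (assumption)
$deadDropHosts = @('telegram.me', 't.me', 'steamcommunity.com')
# Processes for which contacting these hosts is expected on a gaming PC (assumption)
$expectedProcesses = @('steam.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe', 'telegram.exe')

function Find-DeadDropResolverHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $f = $line.Split(',', 5)            # url_path may itself contain commas, so cap at 5 fields
        if ($f.Count -lt 5) { continue }
        $evt = [pscustomobject]@{ Time = $f[0]; Host = $f[1]; Process = $f[2]; Dest = $f[3]; Path = $f[4] }

        # Only events that touch a dead-drop host are interesting
        if ($deadDropHosts -notcontains $evt.Dest.ToLower()) { continue }

        $procName = ($evt.Process -split '\\')[-1].ToLower()
        $fromUserWritable = $evt.Process -match '\\(AppData|ProgramData|Temp|Downloads)\\'

        if ($fromUserWritable) {
            $reason = 'process running from a user-writable path reached a dead-drop host'
        } elseif ($procName -notin $expectedProcesses) {
            $reason = 'unexpected process reached a dead-drop host'
        } else {
            continue                         # browser or Steam client: expected behaviour
        }

        [pscustomobject]@{
            Time      = $evt.Time
            Host      = $evt.Host
            Process   = $evt.Process
            Indicator = "$($evt.Dest)$($evt.Path)"
            Reason    = $reason
        }
    }
}

$hits = @(Find-DeadDropResolverHits -Lines ($sampleEvents -split "`r?`n"))
$hits | Format-Table -AutoSize
```

The rule deliberately lets the Steam client and browsers reach these hosts and only raises an alert when the requesting binary lives in a user-writable location or is not on the expected list; that is what turns a host that cannot be blocked into a usable detection. The same logic ports directly to a SIEM query over Sysmon network or DNS events, where the process path is already a field.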
Targets and Impact
The primary victims are gamers, including many children and young adults seeking free cheats. These users often:
Download from unofficial sources.
Ignore or disable security warnings.
Hesitate to report incidents (fear of account bans or embarrassment).
Compromised gaming accounts can hold significant value — rare skins, high-level progress, in-game currency — which attackers sell on grey markets. Beyond gaming, victims risk losing banking details, crypto holdings, work credentials, and personal files.
The campaign fills the gap left by disrupted competitors, showing how quickly the malware ecosystem adapts.
Detection and Protection
Acronis TRU has released a YARA detection rule for hunting Vidar payloads and strongly recommends:
Using robust endpoint detection and response (EDR/XDR) solutions with behavioral analysis.
Avoiding unofficial downloads and “free” cheats entirely.
Keeping operating systems, browsers, and security software fully updated.
Enabling real-time antivirus and not disabling it for any reason.
Being extremely cautious with links from Reddit, Discord, and GitHub in gaming contexts.
Key Advice for Gamers:
Never run executables from untrusted sources, even if they promise performance boosts.
Use legitimate, paid cheat providers (if you must) only from verified vendors — but remember, cheats always carry risks.
Monitor accounts closely and enable two-factor authentication everywhere.
Educate younger players about these dangers.
Final Thoughts
This campaign highlights how threat actors continue to weaponize trusted platforms like GitHub and Reddit while targeting eager but less security-conscious users. Vidar Stealer 2.0’s combination of technical sophistication and social engineering makes it especially dangerous.
Stay vigilant. If something sounds too good to be true — especially a “free” game cheat — it almost certainly is.
Sources & Further Reading:
Acronis TRU Official Report (March 17, 2026)
Coverage by Infosecurity Magazine, HackRead, and others.
Protect yourself — game safely and securely.
