Malware authors are increasingly using multi-stage delivery techniques to evade detection, blending malicious payloads into seemingly harmless file formats.
New reporting from Cybersecurity News reveals that Vidar is delivering its payload through JPEG and TXT files while leveraging scripting, obfuscation, and in-memory execution to remain undetected.
The campaign combines multiple evasion layers, making it difficult for traditional security tools to identify the threat early.
How the Attack Works
According to the report, the infection follows a staged execution chain:
1. Initial Entry via Go-Based Dropper: The attack begins with a Go-compiled dropper binary, which the report says helps evade detection because Go is not commonly associated with malware.
2. VBScript Deployment in Temp Folder: Once executed, the dropper writes a VBScript file named ewccbqtllunx.vbs into the Windows Temp folder.
3. Sandbox Detection Check: The VBScript checks whether the system is running in a sandbox environment.
   - If a sandbox is detected, execution stops immediately.
   - If not, the attack proceeds.
4. Obfuscated PowerShell Execution: The script constructs an obfuscated PowerShell command and runs it in a hidden window, so the user sees nothing.
5. First Payload Retrieval (JPEG File): The PowerShell script connects to the remote IP address 62.60.226.200 over TLS 1.2 and downloads a file named 160066.jpg.
6. Hidden Payload Extraction from Image: The JPEG file carries a Base64-encoded payload hidden between the markers BASE64_START and BASE64_END. The malware:
   - locates these markers,
   - extracts the encoded content,
   - decodes it in memory, and
   - loads it as a .NET assembly without writing to disk.
7. Second Payload Retrieval (TXT File): A second request downloads KGVn4OY.txt from the same server. The file contains reversed and obfuscated Base64 data. The malware:
   - reverses the string,
   - removes junk characters,
   - decodes the payload, and
   - executes it entirely in memory.
8. Final Payload Execution: The final stage delivers a 64-bit C++ executable protected by a crypter. It resolves Windows API calls at runtime, which helps it evade detection mechanisms.
This entire chain ensures that payloads are never directly written as obvious executables, significantly reducing detection opportunities.
Why These Attacks Are Hard to Detect
This campaign combines multiple evasion techniques:
- A Go-based dropper avoids common detection signatures.
- Sandbox detection prevents automated analysis.
- PowerShell execution is obfuscated and hidden.
- Payloads are disguised inside JPEG and TXT files.
- All major payloads are executed in memory.
- No clear malicious binaries are written to disk.
These techniques allow the malware to bypass traditional signature-based and file-scanning defenses.
The Shift Toward Multi-Layered Evasion
This attack demonstrates a clear evolution in malware design. Instead of relying on a single evasion method, attackers are combining:
- uncommon programming languages,
- script-based execution chains,
- file format abuse,
- in-memory payload execution, and
- multi-stage obfuscation.
This layered approach significantly increases the likelihood of remaining undetected.
Why Seceon’s Unified Platform Changes the Outcome
Seceon detects such advanced attacks by correlating behavior across the full execution chain.
Seceon’s aiSIEM and aiXDR platform enables:
- detection of WScript spawning PowerShell processes,
- identification of obfuscated PowerShell execution patterns,
- monitoring of unusual activity in Temp directories,
- detection of outbound connections to direct IP addresses, and
- correlation of multi-stage in-memory execution behavior.
In addition, aiBAS360 allows organizations to simulate similar attack chains, including staged payload delivery and in-memory execution, helping validate whether such threats would be detected before impact.
By connecting these signals, Seceon identifies the attack even when individual components appear legitimate.
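The correlation this section describes, as an added example that is not Seceon's code or part of the original post: a small Python detector derives the listed signals (WScript spawning PowerShell, hidden or encoded PowerShell, a script launched from Temp, PowerShell egress to a bare IP) from constructed Sysmon-style process and network events and alerts only when several co-occur on one host. Hostnames, user paths and the dropper name are assumptions; the script name and IP are the ones cited in the report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Hidden-window and encoded-command switches are the PowerShell obfuscation tells from the chain above.
HIDDEN_PS = re.compile(r"-(w|win|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\s\"']+\.(vbs|js|ps1|bat)\b", re.I)

def base(path):
    return PureWindowsPath(path).name.lower()

def is_bare_ip(dest):  # IPv4 literal rather than a hostname (IPv6 omitted for brevity)
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", dest) is not None

def process_signals(ev):
    sig = set()
    if base(ev["parent"]) in SCRIPT_HOSTS and base(ev["image"]) in POWERSHELL:
        sig.add("wscript_spawns_powershell")
    if base(ev["image"]) in POWERSHELL and HIDDEN_PS.search(ev["cmd"]):
        sig.add("hidden_or_encoded_powershell")
    if base(ev["image"]) in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev["cmd"]):
        sig.add("script_run_from_temp")
    return sig

def correlate(process_events, network_events, threshold=3):
    # Alert only where several distinct chain signals co-occur on one host; a lone signal stays quiet.
    per_host = defaultdict(set)
    for ev in process_events:
        per_host[ev["host"]] |= process_signals(ev)
    for ev in network_events:
        if base(ev["image"]) in POWERSHELL and is_bare_ip(ev["dest"]):
            per_host[ev["host"]].add("powershell_egress_to_bare_ip")
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}

# Constructed Sysmon-style events, not real telemetry; the IP and script name are the ones in the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    {"host": "WS01", "parent": r"C:\Users\alice\Downloads\dropper.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Windows\Temp\ewccbqtllunx.vbs"},
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmd": "powershell.exe -w hidden -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": PS, "cmd": "powershell.exe Test-NetConnection 10.0.0.5"},
]
NETWORK_EVENTS = [
    {"host": "WS01", "image": PS, "dest": "62.60.226.200", "port": 443},
    {"host": "WS02", "image": PS, "dest": "10.0.0.5", "port": 445},
]
```

Running `correlate(PROCESS_EVENTS, NETWORK_EVENTS)` flags only WS01, where all four signals line up; WS02's single PowerShell connection to an internal IP stays below the threshold, which is the point of correlating the chain rather than alerting on each component.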
Final Thoughts
The Vidar campaign highlights how modern malware is designed to evade detection at every stage.
By combining scripting, obfuscation, hidden payload delivery, and in-memory execution, attackers significantly reduce their visibility.
For organizations, the challenge is no longer just detecting malicious files. It is identifying the sequence of behaviors that indicate an attack in progress.
In today’s threat landscape, understanding how attacks unfold is critical to stopping them early.