While recently working with a client to investigate suspicious activity within their network, the malware analysis team in Kroll’s Cyber Risk practice observed an updated version of the Vidar malware, version 4.5, present and active. Vidar, which originally became active in late 2018, is a family of malware that operates primarily as an information stealer and is often observed as a precursor to ransomware deployment. It enables the capture and exfiltration of data from a system, including system information, browser data, and credentials [1].