

Threat actors launched a massive malware campaign that spoofs the AnyDesk site to infect endpoints with Vidar stealer. More than 1,300 domains that impersonate the official AnyDesk site were found to redirect users to a Dropbox folder that pushes information-stealing malware.

AnyDesk is used by millions of people worldwide for remote connectivity and system administration on Windows, Linux, or macOS. Because the remote desktop app is so popular, this is not the first time cybercriminals have spoofed AnyDesk to distribute malware.

The Malware Campaign Explained

Security researchers discovered that all the hostnames resolve to the IP address 185.149.120[.]9 and made the list of hostnames public.

The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.

However, regardless of the name, they all lead to the same AnyDesk clone site.


Users ended up on these websites after searching Google for pirated software and games. They were then sent to 108 second-stage domains, which redirected them to the final 20 domains, which contained the malicious payloads.

Rather than concealing the malware payload behind redirections to avoid detection and takedowns, the threat actors distributed it through the Dropbox file hosting service, which is trusted by AV programs.

They used a ZIP file named "AnyDeskDownload.zip" as a fake installer for the AnyDesk software. Victims who clicked through the fake sites expected to install the remote desktop app, but they were actually installing Vidar stealer instead.

Vidar is data-stealing malware that has been around since 2018. It goes after all kinds of sensitive data, such as account credentials, banking information, cryptocurrency wallet data, browser history, and saved passwords. Threat actors either sell the stolen data to other cybercriminals or use it to perform further cyberattacks such as phishing.
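
The two details reported above, the single IP address behind every spoofed hostname and the "AnyDeskDownload.zip" file name, can be used to sweep DNS and web proxy logs for endpoints that touched the campaign. The following Python is an added example, not code from the researchers or from this article; the log layouts, hostnames, client addresses and the PLACEHOLDER path segment are constructed assumptions, and the file name is matched on any host because the download URL can be moved off Dropbox.

```python
from collections import defaultdict
from posixpath import basename
from urllib.parse import urlsplit

CAMPAIGN_IP = "185.149.120.9"       # shared IP address named in the article
LURE_NAME = "anydeskdownload.zip"   # fake installer name from the article

# Constructed sample logs: layouts, hostnames and clients are assumptions.
DNS_LOG = """\
2023-01-10T09:14:02Z 10.0.4.21 anydesk-clone.example A 185.149.120.9
2023-01-10T09:14:40Z 10.0.4.33 vlc-clone.example A 185.149.120.9
2023-01-10T09:15:10Z 10.0.4.50 intranet.example A 192.0.2.10
2023-01-10T09:16:00Z 10.0.4.21 broken-line
"""
PROXY_LOG = """\
2023-01-10T09:14:31Z 10.0.4.21 GET https://www.dropbox.com/s/PLACEHOLDER/AnyDeskDownload.zip?dl=1 200
2023-01-10T09:20:05Z 10.0.4.50 GET https://www.dropbox.com/s/PLACEHOLDER/report.zip?dl=1 200
2023-01-10T09:21:00Z 10.0.4.60 GET https://files.example/mirror/anydeskdownload.ZIP 200
"""

def clone_site_lookups(dns_log):
    """Map client -> hostnames whose A record answer is the campaign IP."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue  # skip malformed lines and non-A records
        if parts[4] == CAMPAIGN_IP:
            hits[parts[1]].add(parts[2].lower().rstrip("."))
    return hits

def lure_downloads(proxy_log):
    """Map client -> hosts that successfully served a file named like the lure."""
    hits = defaultdict(set)
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "200":
            continue  # only completed downloads matter for triage
        url = urlsplit(parts[3])
        if basename(url.path).lower() == LURE_NAME:
            hits[parts[1]].add(url.hostname)
    return hits

def triage(dns_log, proxy_log):
    """high: clone lookup and lure fetched; medium: lure only; low: lookup only."""
    dns, dl = clone_site_lookups(dns_log), lure_downloads(proxy_log)
    return {c: "high" if c in dns and c in dl else "medium" if c in dl else "low"
            for c in sorted(set(dns) | set(dl))}
```

Clients rated "high" or "medium" received the fake installer and should be checked for execution of its contents; "low" clients only resolved a spoofed hostname.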

How to Keep Safe from Vidar Malware Campaign

While some of the over 1,300 counterfeit domains have been reported to the registrars and taken down, or are blocked by AV software, you should still be extremely cautious. The Dropbox links were removed after being reported to the cloud storage service, but the threat actor could revive the campaign by simply updating the download URL to point to a different site. This is why cybersecurity specialists advise you to:

  • bookmark the websites you use to download software
  • don't click on Google Search promoted results (Ads)
  • get the official URL of a software project from your OS’s package manager or the dedicated Wikipedia page


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
