BleepingComputer reports that threat actors have been spreading the Vidar info-stealing malware through a malicious ad for the GNU Image Manipulation Program (GIMP) that redirects to a phishing website impersonating the legitimate GIMP.org site. Until last week, searching Google for 'GIMP' returned a Google ad leading to the phishing site, which delivers a malicious executable named 'Setup.exe'. The attackers used binary padding to make the malware file, which is under 5 MB in size, appear to be a 700 MB file. BleepingComputer found that 'Setup.exe' retrieves a file named 'Htcnwiij.bmp' from a Russia-based URL; the file is actually a DLL used to execute the malware. After contacting its command-and-control server, the Setup file downloads second-stage payloads. Vidar then exfiltrates browser data, cryptocurrency wallets, mail client data, file transfer application details, and Telegram for Windows credentials.
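The binary-padding trick described above, inflating a sub-5 MB executable to 700 MB so that it exceeds the size limits of many upload-based scanners, can be checked for from the defender's side. The Python below is an added example, not code from the BleepingComputer report: it measures the trailing filler run and the entropy of a file's tail, and the 1 MiB threshold and inline sample are assumptions.

```python
"""Detect binary padding: a small executable inflated with a long run of filler bytes.

Added example, not code from the BleepingComputer report. The sample below is
constructed inline; the 1 MiB threshold is an assumption, not a reported value.
"""
import math
from collections import Counter

MIN_RUN = 1024 * 1024  # assumed: a trailing run of >= 1 MiB identical bytes counts as padding


def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the run of identical bytes that ends the buffer."""
    if not data:
        return (0, 0)
    last = data[-1]
    # rstrip() with a single-byte argument strips exactly that run, so the length is free
    return (last, len(data) - len(data.rstrip(bytes([last]))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: a filler run scores ~0, packed or compressed code scores ~7-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_padding(data: bytes, min_run: int = MIN_RUN) -> dict:
    """Separate the real payload from trailing filler and report how inflated the file is."""
    value, run = trailing_run(data)
    padded = run >= min_run
    payload_len = len(data) - run if padded else len(data)
    return {
        "total_size": len(data),
        "payload_size": payload_len,
        "padding_bytes": run if padded else 0,
        "padding_byte": value if padded else None,
        "padding_ratio": run / len(data) if padded else 0.0,
        "tail_entropy": shannon_entropy(data[-4096:]),  # low tail entropy corroborates padding
        "is_padded": padded,
    }


if __name__ == "__main__":
    # Constructed stand-in for the reported sample (scaled down from 700 MB): a few KiB of 'code' plus zeros.
    fake_exe = b"MZ" + bytes(range(256)) * 16 + b"\x00" * (8 * 1024 * 1024)
    report = analyze_padding(fake_exe)
    print(f"{report['total_size']} bytes on disk, {report['payload_size']} bytes of payload, "
          f"{report['padding_ratio']:.1%} padding, tail entropy {report['tail_entropy']:.2f}")
```

A high padding ratio together with near-zero tail entropy is the signature to alert on; scanning only the trimmed payload region restores coverage that a raw size cap would otherwise lose.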