Threat actors have created a fake version of the Pixelmon non-fungible token website under pixelmon[.]pw, which then spreads that Vidar malware with cryptocurrency wallet-exfiltrating capabilities, according to BleepingComputer.
MalwareHunterTeam discovered that while the fake Pixelmon site features an Installer.zip file with a corrupt executable, other files distributed by the website were found to distribute malware.
The setup.zip file distributed by the malicious site was found to have the setup.lnk file, which then triggers the download of a system32.hta file that downloads the password-stealing Vidar malware. Execution of the file will prompt the Vidar sample to link with a Telegram channel and facilitate IP address retrieval from the command and control server.
More modules will then be downloaded from the C2 for data exfiltration, with Vidar having the capability not only to steal browser and application passwords but also to conduct file searches throughout a computer, which would then allow it to steal cryptocurrency wallets, codes, authentication files, text files, backups, and password files.