Vidar malware operators have recently modified their backend IP infrastructure to further conceal malicious activity, The Hacker News reports.
While Vidar's my-odin[.]com domain remained in use for panel management, affiliate authentication, and file sharing, the operators have since blocked file downloads without prior authentication and, by the end of March, moved the domain to a new IP address that was accessed through VPN servers, according to a report from Team Cymru.
"By using VPN infrastructure, which in at least part was also utilized by numerous other benign users, it is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise," said Team Cymru. However, by early May the Vidar operators were observed to have switched the domain to yet another IP address, with accounts and malware repositories now accessed via Tor relays, the researchers added.