Intel Name: Vidar malware distributed through website impersonating Disney Plus
Date of Scan: July 25, 2025
Impact: High
Summary: Our team uncovered a malicious website impersonating Disney+, used to deliver the Vidar infostealer malware. The site posed as an influencer collaboration portal, luring users into executing malware hosted on a WebDAV server. Clicking the “View Full Brief” button triggered a multi-stage infection chain involving Windows shortcuts, PowerShell, MSHTA, VBS, and obfuscated JavaScript. A decoy PDF was displayed while the malware executed silently in the background. This campaign dates back to at least July 5, 2025. While many URLs are now inactive, the domain disneyplus[.]business remains live and may be used in future attacks.