Threat Analysis: FlowerStorm PhaaS MFA Bypass and Vidar Go Infostealer, UK SMB Threat Brief 19th May 2026

Hello, Mauven here.

This is your Daily Threat Analysis for 19th May 2026.

Two items today that warrant your attention. Neither is brand new. Both have just become materially harder to defend against, and both are directly relevant to UK small and medium businesses.

FlowerStorm Adds VM Obfuscation to Its MFA Bypass Kit

FlowerStorm has been operational since at least mid-2024. If you have not encountered the name, you have almost certainly encountered its output: it is one of the more widely deployed phishing-as-a-service (PhaaS) platforms, and it has been running large-scale credential harvesting campaigns across the UK and beyond.

What is new, documented today by Sublime Security, is that FlowerStorm’s operators have added VM-based obfuscation to their kit, something they are calling KrakVM. The practical effect is that the malicious content embedded in phishing lures is now wrapped inside a virtual machine execution layer. That makes it significantly harder for email security gateways and automated scanning tools to inspect and flag the payload. The lure arrives looking cleaner than it should.

That matters because FlowerStorm’s primary capability is adversary-in-the-middle (AiTM) phishing. It does not just steal your username and password. It proxies the authentication session in real time, which means it captures the MFA code as your staff member enters it, replays it immediately against the real service, and ends up holding the authenticated session. Standard MFA (SMS codes, authenticator app push notifications, time-based one-time passwords) does not stop this. The session token is stolen regardless.

The NCSC has published guidance on AiTM phishing. The fact that PhaaS platforms like FlowerStorm are now actively investing in better obfuscation to reach more victims should tell you that this attack model is working at scale.

For UK SMBs, the specific exposure is this: most small businesses that have implemented MFA have done so using authenticator apps or SMS. That is better than nothing, and it stops a significant volume of commodity attacks. It does not stop FlowerStorm. The only MFA implementations that resist AiTM phishing are phishing-resistant ones: hardware security keys (FIDO2/WebAuthn) or passkeys. If your IT provider has told you that enabling Microsoft Authenticator push notifications means you are protected, ask them specifically about adversary-in-the-middle attacks and session token theft. Watch the answer carefully.

What to do:

  • Check whether your Microsoft 365 or Google Workspace tenants have Conditional Access policies that enforce phishing-resistant MFA for administrative accounts at minimum
  • If you are using SMS-based MFA anywhere for business-critical systems, move away from it; that has been the NCSC’s recommendation for some time
  • Ask your email security provider whether their scanning is effective against VM-obfuscated payloads; if they cannot answer that specifically, escalate
  • Train staff to report suspicious login prompts rather than completing them
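The first item on that list can be checked rather than taken on trust. The script below is an added example, not from the brief or from Microsoft: it takes the policy array that Microsoft Graph returns from GET /identity/conditionalAccess/policies and reports whether any enabled, all-apps policy forces the built-in phishing-resistant authentication strength on Global Administrators. The sample tenant export is constructed; the two GUIDs are Microsoft's published fixed values for that strength and that role.

```python
"""Does Conditional Access enforce phishing-resistant MFA for Global Admins?

Input: the "value" array from Microsoft Graph
GET /identity/conditionalAccess/policies. SAMPLE_POLICIES is constructed
for offline use and is not a real tenant export.
"""

# Built-in "Phishing-resistant MFA" authentication strength and the Global
# Administrator role template ID, both fixed values published by Microsoft.
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def targets_global_admins(policy: dict) -> bool:
    """True if the policy reaches Global Administrators for all cloud apps."""
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    included = (GLOBAL_ADMIN_ROLE in (users.get("includeRoles") or [])
                or "All" in (users.get("includeUsers") or []))
    excluded = GLOBAL_ADMIN_ROLE in (users.get("excludeRoles") or [])
    return included and not excluded and "All" in (apps.get("includeApplications") or [])


def classify(policy: dict) -> str:
    """'phishing-resistant', 'legacy-mfa' or 'none' for the policy's grant control."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    if strength.get("id") == PHISHING_RESISTANT:
        return "phishing-resistant"
    if "mfa" in (grant.get("builtInControls") or []):  # classic "Require MFA"
        return "legacy-mfa"
    return "none"


def admin_mfa_gaps(policies: list) -> dict:
    """Group enabled admin-scoped policies by grant type. 'covered' is True only
    if at least one enabled, all-apps policy requires phishing-resistant MFA."""
    by_class = {"phishing-resistant": [], "legacy-mfa": [], "none": []}
    for p in policies:
        if p.get("state") == "enabled" and targets_global_admins(p):
            by_class[classify(p)].append(p.get("displayName", "<unnamed>"))
    return {"covered": bool(by_class["phishing-resistant"]), **by_class}


SAMPLE_POLICIES = [  # constructed: a common SMB tenant shape
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Admins: phishing-resistant MFA", "state": "disabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT}}},
]

if __name__ == "__main__":
    print(admin_mfa_gaps(SAMPLE_POLICIES))  # covered: False, legacy-mfa only
```

In the constructed tenant the admin policy exists but is disabled, which is exactly the state this check is meant to surface; a report-only policy (enabledForReportingButNotEnforced) is deliberately treated the same as disabled.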

Vidar Infostealer Returns, Rebuilt in Go With Serious Sandbox Evasion

Vidar has been a fixture of the infostealer landscape since 2018. It is an Arkei descendant, a credential-stealing tool that targets browser-saved passwords, session cookies, cryptocurrency wallet data, and other local credential stores. It has historically been distributed as a .NET or C++ binary and is reasonably well-detected by mature endpoint security products.

A sample pulled from the Triage malware repository on 13th May shows something rather different. Vidar v1.5 has been rewritten in Go, Go 1.25.4 specifically, and the developers have clearly spent time thinking about detection avoidance.

The variant implements a twelve-category sandbox scoring system. Before executing its primary payload, it evaluates the environment across multiple dimensions to determine whether it is running in an analysis sandbox. If the score crosses a threshold, it does not run. That is a meaningful operational problem for organisations and vendors that rely on sandbox-based detection: the malware simply sits inert during analysis and only activates on genuine targets.

In addition, this variant uses dead-drop command and control infrastructure via Telegram and Steam profile pages. Rather than making direct network connections to attacker-controlled domains, which network monitoring can detect, it reads configuration and instruction data from content posted to legitimate platforms. Your firewall will not block Telegram or Steam. That is the point.
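The firewall will not help, but process attribution can. The hunt below is an added example, not from the brief or from the derp.ca research: it scans endpoint telemetry that records which process made each web request and flags any process other than a known browser or the real Steam/Telegram client that fetches Steam Community or Telegram pages, which is the dead-drop pattern described above. The JSON-lines events and their field names are constructed; map them onto whatever your EDR or proxy actually emits.

```python
"""Hunt for dead-drop resolver traffic from non-browser processes.

Events are constructed JSON lines with process attribution (EDR/proxy style);
the field names ts/host/process/url are an assumption for this example.
"""
import json
import re
from urllib.parse import urlparse

# Processes legitimately expected to talk to these platforms.
KNOWN_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                 "opera.exe", "steam.exe", "steamwebhelper.exe", "telegram.exe"}

# Hosts whose user-editable profile/channel pages can carry a dead drop.
PLATFORM_PATTERNS = {
    "steam": re.compile(r"^(www\.)?steamcommunity\.com$"),
    "telegram": re.compile(r"^((t|telegram)\.me|(www\.)?telegram\.org)$"),
}

SAMPLE_EVENTS = """\
{"ts":"2026-05-19T09:14:02Z","host":"WS-07","process":"chrome.exe","url":"https://steamcommunity.com/id/someuser"}
{"ts":"2026-05-19T09:14:40Z","host":"WS-07","process":"updater.exe","url":"https://steamcommunity.com/profiles/76561198000000000"}
{"ts":"2026-05-19T09:14:41Z","host":"WS-07","process":"updater.exe","url":"https://t.me/s/somechannel"}
{"ts":"2026-05-19T09:15:03Z","host":"WS-12","process":"steam.exe","url":"https://steamcommunity.com/profiles/76561198000000001"}
{"ts":"2026-05-19T09:15:30Z","host":"WS-12","process":"outlook.exe","url":"https://outlook.office365.com/mail/"}
"""


def classify_host(hostname: str):
    """Return 'steam', 'telegram' or None for a request hostname."""
    for platform, pattern in PLATFORM_PATTERNS.items():
        if pattern.match(hostname.lower()):
            return platform
    return None


def find_dead_drop_hits(log_text: str) -> list:
    """One finding per (host, process) that reached a dead-drop platform.
    A process touching both Steam and Telegram is the strongest signal."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["process"].lower() in KNOWN_CLIENTS:
            continue
        platform = classify_host(urlparse(ev["url"]).hostname or "")
        if platform is None:
            continue
        key = (ev["host"], ev["process"].lower())
        hit = hits.setdefault(key, {"host": ev["host"], "process": ev["process"],
                                    "first_seen": ev["ts"], "platforms": set(), "urls": []})
        hit["platforms"].add(platform)
        hit["urls"].append(ev["url"])
    return [dict(h, platforms=sorted(h["platforms"])) for h in hits.values()]
```

Treat a hit as a lead for triage rather than a verdict: pull the binary, check who signed it and how it arrived on the host, and verify with your endpoint vendor that the Go-compiled Vidar v1.5 is in their detections.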

The Go rewrite also means that existing endpoint detection signatures tuned to the .NET or C++ versions of Vidar may not catch this variant. Whether your endpoint security vendor has updated detections specifically for Vidar v1.5 in Go is worth verifying. Do not assume.

For UK SMBs, the delivery vector is typically the same as it has always been for infostealers: malicious email attachments, trojanised software downloads, and increasingly, malvertising. Staff downloading software from unofficial sources, or opening attachments from unfamiliar senders, remain the primary exposure. The credential data Vidar harvests (browser-stored passwords, session cookies, saved payment card data) is used directly or sold on to ransomware groups for initial access.

What to do:

  • Verify with your endpoint security provider that their product has updated signatures covering Go-compiled malware variants, specifically Vidar v1.5
  • Review whether browser-saved passwords are in use across your organisation; consider deploying a business password manager with centralised management instead
  • Enforce policies against downloading software from unofficial sources; if staff need a tool, there should be a procurement process
  • Check whether your email security blocks executables and script files in attachments; this should be standard but is frequently misconfigured

The Wider Context: Commoditisation of Capability

It is worth stepping back and noting what both of these developments represent. FlowerStorm is a service. Someone pays a subscription fee and gains access to a phishing kit that bypasses MFA at scale, with new obfuscation to evade detection. Vidar v1.5 is almost certainly sold similarly; infostealer operators do not typically write their own tools from scratch, they buy or lease them.

The sophistication that was previously the domain of nation-state actors has been productised and is now available to any criminal organisation with a modest budget. The organisations defending against these tools are, in many cases, small businesses with one part-time IT contact and no dedicated security function.

That asymmetry is not new. But it is widening, and it is why the basics (phishing-resistant MFA, patched endpoints, staff awareness, not storing passwords in browsers) remain the highest-return investment a small business can make in its security posture.

On a related note: Cisco Talos today also published research on a BadIIS variant operating as commodity malware-as-a-service among Chinese-speaking cybercrime groups, and Darktrace documented continued activity from a Chinese APT using an updated FDMTP backdoor distributed via DLL sideloading. These are primarily relevant to organisations running IIS web servers and to supply chain exposure via managed service providers. If your MSP manages Windows Server infrastructure, the BadIIS research is worth flagging to them directly.


Sources

  • Sublime Security, "FlowerStorm unleashes the KrakVM: PhaaS operators turn to VM-based obfuscation", https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
  • derp.ca Research, "Vidar v1.5 in Go: same family, new language, heavy sandbox checks", https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
  • Cisco Talos, "From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem", https://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/
  • Darktrace, "Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor", https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
  • Cato Networks CTRL, "Suspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware", https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
