Vidar Rises to Top of Chaotic Infostealer Market

Dark Reading, Apr 28, 2026

Why It Matters

The malware’s dominance increases the volume of credential theft targeting corporate networks, raising the risk of lateral movement and ransomware attacks. Organizations must strengthen MFA and network defenses to mitigate Vidar‑driven threats.

Key Takeaways

  • Vidar has been the top infostealer on Russian Market since Nov 2025.
  • Law‑enforcement takedowns of Lumma and Rhadamanthys boosted Vidar’s rise.
  • The malware harvests passwords, cookies, crypto wallets, and screenshots from browsers.
  • Distribution spreads via phishing, fake game cheats, trojanized npm packages, and Telegram channels.
  • Operators use dead‑drop resolvers on Telegram to hide C2 and evade takedowns.

Pulse Analysis

The infostealer landscape has been reshaped by coordinated law‑enforcement actions that dismantled Lumma and Rhadamanthys in 2025. Those disruptions created a vacuum that Vidar quickly filled, leveraging a substantial code upgrade and a broader affiliate network. Intrinsec’s 43‑page analysis shows Vidar’s market share climbing steadily on the Russian Market, a key underground hub where stolen credentials are bought and sold. This shift underscores how rapid adaptation can propel a legacy threat into a dominant position when competitors are removed.

Beyond sheer volume, Vidar’s technical breadth makes it a prized tool for cybercriminals. The malware extracts saved passwords, browser cookies, autofill data, and session tokens from virtually every major browser, while also targeting cryptocurrency wallet extensions and capturing screenshots of the victim’s desktop. By aggregating such rich data, threat actors can monetize credentials on underground forums, use them for account takeover or lateral movement, or treat them as a foothold for ransomware campaigns. The speed at which stolen information is turned into profit amplifies the operational risk for enterprises worldwide.

Vidar’s distribution model reflects the evolving tactics of the cybercrime economy. Attackers deliver the payload through phishing attachments, fake game cheat downloads, trojanized npm packages, and increasingly through Telegram “cloud” channels that advertise the stealer to a ready‑made client base. Its command‑and‑control infrastructure employs dead‑drop resolvers, embedding C2 pointers in public Telegram profiles to evade static blocking. Defenders should prioritize multi‑factor authentication, enforce DNS filtering, and deploy sandbox analysis for email attachments and URLs. By disrupting both the delivery chain and the credential‑monetization pipeline, organizations can blunt Vidar’s impact and reduce the likelihood of subsequent ransomware incidents.
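One defensive angle on the dead‑drop resolver behaviour described above is to hunt for non‑browser processes fetching bare public profile pages on Telegram hosts. The following is an added example, not code from the article or from any vendor; the proxy log format, the process names, and the handle pattern are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry): "timestamp src_ip process url"
SAMPLE_LOG = """\
2026-04-28T09:01:11Z 10.0.5.21 chrome.exe https://t.me/some_channel
2026-04-28T09:02:05Z 10.0.5.21 updater.exe https://t.me/profile_handle_xyz
2026-04-28T09:03:40Z 10.0.5.33 firefox.exe https://example.com/
2026-04-28T09:04:12Z 10.0.5.33 svchost.exe https://telegram.me/another_handle
"""

# Assumption: public Telegram profile/channel pages are served from these hosts.
DEAD_DROP_HOSTS = {"t.me", "telegram.me"}
# Assumption: processes that are expected to browse Telegram pages interactively.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}
# A bare public handle, e.g. /some_channel, as opposed to deeper API or media paths.
PROFILE_PATH = re.compile(r"^/[A-Za-z0-9_]{5,32}$")


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, src, proc, url = line.split(maxsplit=3)
    return {"ts": ts, "src": src, "proc": proc.lower(), "url": url}


def is_dead_drop_fetch(rec):
    """True when a non-browser process fetches a bare public profile page."""
    u = urlparse(rec["url"])
    return (u.hostname in DEAD_DROP_HOSTS
            and PROFILE_PATH.match(u.path) is not None
            and rec["proc"] not in BROWSERS)


def find_dead_drop_fetches(log_text):
    """Return (src_ip, process, url) for every suspicious fetch in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_dead_drop_fetch(rec):
            alerts.append((rec["src"], rec["proc"], rec["url"]))
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_fetches(SAMPLE_LOG):
        print("suspicious profile fetch:", alert)
```

A hit is a triage lead rather than proof of infection: the next step is to check the process's parent, signing status, and what the host connected to after the profile fetch.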
