Vidar Stealer 2.0 has been released, and the updated infostealer claims to offer improved performance with advanced credential stealing and evasion abilities, features that will necessitate even greater vigilance on the part of security teams. Vidar is already one of the top infostealers, and the recent decline of Lumma will likely make the infostealer even more active in the coming months.

Vidar Stealer 2.0: Rewritten for More Efficient Credential Theft

A Vidar developer who goes by "Loadbaks" announced the release of Vidar Stealer 2.0 on underground forums earlier this month. Loadbaks claimed that rewriting the software in C “gave a huge increase in stability and speed" by eliminating C++ dependencies and runtime overhead. In a new technical analysis of the malware, Trend Micro Threats Analyst Junestherry Dela Cruz said the new version is built on “a complete transition from C++ to a pure C implementation” for greater performance and efficiency. Vidar 2.0 introduces “a range of concerning features, including advanced anti-analysis measures, multithreaded data theft capabilities, and sophisticated methods for extracting browser credentials,” Dela Cruz said. “With a consistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient.” Throughout its seven-year history, Vidar has distanced itself from competitors like Raccoon and RedLine by adding support for new features and earning a reputation for reliable support, the threat researcher said. The latest version adds even more distance between Vidar and competitors.

Multithreaded Architecture Means Faster Theft, Less Detection Time

The malware’s multithreaded architecture allows for more efficient use of multi-core processors. The Vidar developer claims that performing data collection tasks in parallel threads greatly speeds up data collection and exfiltration. Dela Cruz said Trend’s analysis shows that the malware employs “an advanced multi-threading system that automatically adjusts its performance based on the victim's computer specifications. It scales its operations by creating more worker threads on powerful systems and fewer threads on weaker machines, ensuring optimal performance without overwhelming the target system. This approach allows the malware to steal data from multiple sources simultaneously - such as browsers, cryptocurrency wallets, and files - rather than processing them one at a time.” In addition to stealing from multiple sources simultaneously, the parallel processing feature also reduces the time the malware needs to remain active on the system, “making it harder for security software to detect and stop the theft operation,” Dela Cruz said.

Vidar 2.0 Claims to Bypass Chrome AppBound Security

Loadbaks, the Vidar developer, also claimed that Vidar 2.0 has “unique” methods for bypassing Chrome's AppBound encryption that prevents credential extraction by binding encryption keys to specific applications. Dela Cruz said binary analysis shows that Vidar 2.0 “implements comprehensive browser credential extraction capabilities targeting both traditional browser storage methods and Chrome's latest security protections across multiple browser platforms.” The malware uses a tiered approach that includes “systematic enumeration of browser profiles” and attempts to extract encryption keys from Local State files using standard DPAPI decryption, the researcher said. Vidar 2.0 can also launch browsers with debugging enabled and inject malicious code into running browser processes via shellcode or reflective DLL injection. “The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts,” Dela Cruz wrote. “This approach can bypass Chrome's AppBound encryption protections by stealing keys from active memory rather than attempting to decrypt them from storage.”

Polymorphic Builder Boosts Evasion Techniques

Vidar 2.0 also claims to include an automatic polymorphic builder “so every build is now unique," Loadbaks said, with distinct binary signatures that make static detection more difficult. Dela Cruz said the updated malware “employs heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines that can make reverse engineering more difficult. This obfuscation method transforms the natural program flow into a series of state transitions controlled by switch statements, effectively obscuring the original program logic.” The researcher said the control flow flattening technique has also been seen in Lumma samples, “suggesting the adoption of similar obfuscation frameworks within the information stealer ecosystem.” “The malware's technical capabilities, proven developer track record since 2018, and competitive pricing position it as a likely successor to Lumma Stealer's dominant market position,” Dela Cruz concluded.

The prolific threat actors behind the Lumma Stealer malware have been slowed by an underground doxxing campaign in recent months. Coordinated law enforcement action earlier this year didn’t do much to slow down the infostealer’s spread, but a recent doxxing campaign appears to have had an impact, according to researchers at Trend Micro. “In September 2025, we noted a striking decline in new command and control infrastructure activity associated with Lummastealer ... as well as a significant reduction in the number of endpoints targeted by this notorious malware,” threat analyst Junestherry Dela Cruz wrote in a recent post. Fueling the drop has been an underground exposure campaign targeting a key administrator, developer and other members of the group, which Trend tracks as “Water Kurita.”

Lumma Stealer Doxxing Campaign Began in August

The Lumma Stealer doxxing campaign began in late August and continued into October, and on September 17, Lumma Stealer’s Telegram accounts were also compromised. “Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Dela Cruz wrote. “This development is pivotal, marking a substantial shake-up in one of the most prominent information stealer malware operations of the year. ... The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lummastealer’s viability, customer trust, and the broader underground ecosystem.” The disclosures included highly sensitive details of five alleged Lumma Stealer operators, such as passport numbers, bank account information, email addresses, and links to online and social media profiles, and were leaked on a website called "Lumma Rats." While the campaign may have come from a rival, Dela Cruz said “the campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.” “The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Dela Cruz wrote. While the researcher noted that the accuracy of the doxed information hasn’t been verified, the accompanying decline in Lumma Stealer activity suggests that the group “has been severely affected—whether through loss of key personnel, erosion of trust, or fear of further exposure.”

Vidar, StealC Gain from Lumma Stealer’s Decline

Lumma Stealer’s decline has been a boon for rival infostealers like Vidar and StealC, Dela Cruz noted, “with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.” Lumma’s decline has also hit pay-per-install (PPI) services like Amadey that are widely used to deliver infostealer payloads, and rival malware developers have stepped up their marketing efforts, “fueling rapid innovation and intensifying competition among MaaS [Malware as a Service] providers, raising the likelihood of new, stealthier infostealer variants entering the market,” Dela Cruz said. According to Cyble dark web data, Vidar and Redline are the infostealers most rivaling Lumma in volume on dark web marketplaces selling stolen credentials, with StealC, Acreed, Risepro, Rhadamanthys and Metastealer among other stealer logs commonly seen on the dark web. As for Lumma Stealer, Dela Cruz noted that being a top cybercrime group isn’t exactly a secure - pardon the pun - position to be in, as RansomHub found out earlier this year. “[B]eing number one means facing scrutiny and attacks from both defenders and competitors alike,” the researcher noted.