Vidar Infostealer Surges to Top of Cybercriminal Market After Rival Takedowns
Law enforcement disruptions of Lumma and Rhadamanthys have propelled Vidar to become the most-used infostealer on Russian Market, aided by a major upgrade and an expanded distribution network.

The credential-stealing malware Vidar, active since 2018, has risen to the top of the infostealer market following law enforcement takedowns of its two biggest rivals in 2025. According to new research from French cybersecurity firm Intrinsec, Vidar has been the most-used infostealer on the Russian Market cybercrime marketplace since November 2025, displacing both Lumma and Rhadamanthys after those operations were disrupted in May and November 2025, respectively.
"Chaos is a ladder and Vidar successfully profited from the instability resulting from the takedowns of Lumma and Rhadamanthys, to rise to the top of the infostealer ecosystem," Intrinsec said in a 43-page report. The shift is significant because Vidar is a high-volume, broad-spectrum credential harvester that has been used by high-profile threat groups, including Scattered Spider, increasing the risk to corporate networks.
Vidar targets a wide array of sensitive data, including saved passwords, cookies, autofill data, and session tokens from major browsers such as Chrome, Firefox, Edge, Opera, Vivaldi, Waterfox, and Palemoon. It also targets cryptocurrency wallets, captures screenshots, harvests email client data, and exfiltrates local files to give attackers a comprehensive picture of the victim environment. Stolen credentials are quickly monetized on underground marketplaces like Russian Market, where adversaries use them for account takeover, lateral movement, ransomware deployment, and privilege escalation.
Attackers distribute Vidar through multiple methods, including phishing attachments disguised as legitimate software installers from file-sharing platforms, and social engineering lures on YouTube that redirect users to malicious downloads. Other researchers have documented ClickFix campaigns, Trojanized npm packages, and fake game cheats as delivery vectors. A key contributor to Vidar's growth has been its operators' collaboration with Telegram "Cloud" channels—public or semi-public channels where cybercriminals freely share stolen credential logs. Channels like Kata Cloud, Poltergeist Cloud, Cron Cloud, and Omega Cloud have helped advertise Vidar and attract more clients.
Vidar's infrastructure is designed to survive takedown attempts. The malware uses "dead drop resolvers," a technique where it does not directly include its command-and-control (C2) address. Instead, it contains URLs pointing to legitimate public platforms such as Telegram, where attackers embed the actual C2 address in a profile description or post. When Vidar lands on a victim system, it reaches out to these URLs to retrieve the real C2 details dynamically, evading static detection and blocking.
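The dead-drop pattern described above leaves a host-side trace that defenders can look for: a non-browser process fetches a Telegram profile or post URL and, shortly afterwards, opens a connection to a bare IP address it had no prior reason to contact. The following is an added detection example, not code from the Intrinsec report; it runs over a constructed proxy log, and the dead-drop host list, the browser allowlist and the 60-second correlation window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log, one record per line:
# "<ISO timestamp> <endpoint> <process> <url>"
SAMPLE_LOG = """\
2025-11-12T09:00:01Z ws-17 chrome.exe https://t.me/some_public_channel
2025-11-12T09:00:05Z ws-17 chrome.exe https://www.example.com/
2025-11-12T09:01:10Z ws-42 Setup_Installer.exe https://t.me/profile_with_c2_in_bio
2025-11-12T09:01:14Z ws-42 Setup_Installer.exe http://203.0.113.45/
2025-11-12T09:01:20Z ws-42 Setup_Installer.exe http://203.0.113.45/upload
2025-11-12T09:05:00Z ws-09 outlook.exe https://mail.example.com/owa
"""

# Assumed: public platforms abused as dead-drop resolvers, and processes
# for which a visit to such a platform is expected and therefore ignored.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "telegram.org"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}


def parse_line(line):
    ts, endpoint, process, url = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "endpoint": endpoint, "process": process, "url": url}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_sequences(log_text, window_seconds=60):
    """Return (endpoint, process, dead_drop_url, follow_up_url) tuples where a
    non-browser process hit a dead-drop host and then, within the window,
    connected to an IP literal (the dynamically retrieved C2)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for i, rec in enumerate(records):
        host = urlparse(rec["url"]).hostname or ""
        if host not in DEAD_DROP_HOSTS or rec["process"].lower() in BROWSERS:
            continue
        deadline = rec["ts"] + timedelta(seconds=window_seconds)
        for later in records[i + 1:]:
            if later["ts"] > deadline:
                break
            if (later["endpoint"], later["process"]) != (rec["endpoint"], rec["process"]):
                continue
            if is_ip_literal(urlparse(later["url"]).hostname or ""):
                hits.append((rec["endpoint"], rec["process"], rec["url"], later["url"]))
                break  # one alert per dead-drop fetch is enough
    return hits
```

Browser visits to the same platforms are deliberately ignored so that ordinary Telegram use does not page the SOC; the alert fires only on the fetch-then-dial-out sequence from an unexpected process.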
Intrinsec recommends enabling multifactor authentication for browser-related accounts to mitigate credential theft, deploying DNS filtering and secure web gateways to block known malicious domains and IP addresses, and using sandbox solutions to analyze email attachments and URLs. The firm warns that due to the high volume of samples and indiscriminate campaigns targeting users worldwide, organizations should expect continued compromise attempts against corporate networks using this malware.