Vidar Stealer 2.0 Rewritten in C with Multithreaded Architecture, Targets Chrome AppBound Encryption
Vidar Stealer 2.0, a complete rewrite in C with multithreaded data theft, bypasses Chrome's AppBound encryption and shows a sharp spike in campaigns since its October 2025 release.

On October 6, 2025, the developer known as 'Loadbaks' announced Vidar Stealer 2.0 on underground forums, marking a complete architectural overhaul of the long-running infostealer. According to Trend Micro Research, the new version is entirely rewritten in C, abandoning the previous C++ codebase to achieve greater stability and speed. The release coincides with a decline in Lumma Stealer activity, and Vidar adoption and campaign activity have surged as cybercriminals seek alternatives.
Vidar 2.0 introduces a multithreaded architecture that dynamically adjusts thread counts based on the victim's CPU core count and available physical memory. This allows the malware to steal data from multiple sources—browsers, cryptocurrency wallets, files, and applications—in parallel, significantly reducing the time it remains active on the system. The parallel processing makes detection harder for security software and speeds up exfiltration.
A key technical advancement is Vidar 2.0's ability to bypass Chrome's AppBound encryption, a security feature designed to prevent unauthorized credential extraction. The malware achieves this through direct memory injection, using methods the developer claims are 'not found in the public domain.' This enables the stealer to extract credentials from Chrome and other Chromium-based browsers that previously resisted such attacks.
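A detection sketch for the memory-injection behaviour described above, added here as an example and not taken from Trend Micro or the article: it flags processes other than the browser itself that are granted memory-write rights on a Chromium browser process, using Sysmon ProcessAccess (Event ID 10) fields. The browser list, the sample events, and the premise that the injection targets a running browser process are assumptions made for illustration.

```python
# Added example with constructed data; not from the article or Trend Micro.
# Documented Win32 process access rights relevant to remote memory writes.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed set of Chromium-based browser binaries to watch.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def injection_rights(event):
    """Injection-capable rights granted to a foreign process on a browser, else 0."""
    if event.get("EventID") != 10:  # Sysmon ProcessAccess
        return 0
    if basename(event["TargetImage"]) not in BROWSERS:
        return 0
    # Compare full paths, so a look-alike chrome.exe in another folder is not
    # mistaken for the browser talking to its own child processes.
    if event["SourceImage"].lower() == event["TargetImage"].lower():
        return 0
    return int(event["GrantedAccess"], 16) & INJECTION_RIGHTS

def triage(events):
    """Return (source, target, rights) for events allowing a remote memory write."""
    hits = []
    for e in events:
        r = injection_rights(e)
        if r & PROCESS_VM_WRITE and r & PROCESS_VM_OPERATION:
            hits.append((e["SourceImage"], e["TargetImage"], hex(r)))
    return hits

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style records
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME,
     "GrantedAccess": "0x1fffff"},  # browser to its own child: ignored
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1fffff"},  # flagged
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1410"},  # query/read only
    {"EventID": 10, "SourceImage": r"C:\Users\u\Downloads\chrome.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x002a"},  # look-alike: flagged
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1fffff"},  # target is not a browser
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Security products and debuggers also open browser processes with broad rights, so a production rule needs an allowlist keyed on signed publisher or full path.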
Vidar 2.0 systematically targets a broad scope of data, including credentials from browsers, cloud services, cryptocurrency wallets, gaming platforms, and communication apps such as Discord and Telegram. The malware also steals files and two-factor authentication tokens, maintaining the comprehensive data theft capabilities that have made Vidar a staple in the cybercrime ecosystem since its 2018 origins.
Priced at a consistent $300 for a lifetime license, Vidar 2.0 offers attackers a cost-effective tool with advanced anti-analysis measures. Trend Micro observed a major spike in Vidar activity from September to October 10, 2025, following the version 2.0 announcement, indicating rapid adoption by threat actors. The malware's evolution positions it to fill the gap left by Lumma Stealer's decline, as cybercriminals migrate to reliable alternatives.
The update represents a significant technical evolution for Vidar, which originally leveraged the Arkei stealer source code. Over the years, it maintained a loyal user base through ongoing updates and support for new browsers, wallets, and applications. With version 2.0, Vidar aims to remain effective in a shifting threat landscape, offering enhanced evasion and performance that could make it a dominant infostealer in 2025 and beyond.