Vidar Infostealer Tops the Chaotic Cybercrime Market After Lumma’s Collapse

Vidar infostealer is now the most active credential thief online after Lumma's takedown. Here's what changed and how your SOC should respond.

Dateline: April 29, 2026

The $300 Malware Now Powering the Cybercrime Underground

The infostealer underground just crowned a new king. The Vidar infostealer, a malware family that has been quietly stealing passwords since 2018, now sits at the top of the credential theft market. After two major law enforcement takedowns wiped out its biggest rivals, Vidar 2.0 walked into the vacuum and stayed there.

What Happened?

Two takedowns reshaped the market. In May 2025, authorities seized roughly 2,500 domains tied to Lumma Stealer, then doxxed its operators between August and October. Rhadamanthys went down in November 2025. By January 2026, Vidar 2.0 was the most widely used infostealer among threat actors, according to Flashpoint’s 2026 Global Threat Intelligence Report.

The timing was no accident. On October 6, 2025, a developer known as “Loadbaks” dropped Vidar 2.0 on underground forums. The new build is a complete rewrite from C++ to pure C, with multithreaded data theft, polymorphic samples that shift signature every build, and a fresh trick to bypass Chrome’s AppBound encryption by injecting code into running browser processes. All for a $300 lifetime license.

Recent campaigns get sneakier still. Researchers at Point Wild found Vidar payloads hidden inside JPEG and TXT files using steganography, then loaded straight into memory through .NET reflective loading. Distribution channels include fake CAPTCHA pages on hacked WordPress sites, malicious MSI installers, and trojanized GitHub repos posing as leaked developer tools (one recent lure even mimicked a Claude Code source leak).

The Impact

The numbers show the scale. In 2025, infostealers infected 11.1 million machines and fueled a stockpile of 3.3 billion stolen credentials and cloud tokens, per Flashpoint’s 2026 GTIR. That pipeline feeds ransomware directly. The Verizon 2025 DBIR found 54% of ransomware victims had their domain credentials sitting in stealer marketplaces before the attack hit. In some cases, the window between a leaked password and a full ransomware deployment is under 48 hours.

For SOC teams, the math has shifted. Most attackers do not have to break anything. They log in with valid credentials and live session cookies that sail past standard MFA checks. The Vidar infostealer 2.0 reportedly targets more than 200 browser extensions in a single sweep, hoovering up cookies, autofill data, crypto wallets, Discord tokens, and cloud service logins.

How to Avoid This

Defending against the Vidar infostealer means closing the credential exposure loop. Chasing alerts alone will not cut it. A few practical moves:

  • Hunt for stealer logs that mention your domain in underground markets before attackers do.
  • Move high value accounts to FIDO2 passkeys, since session cookies bypass standard MFA.
  • Block execution of unsigned MSI and HTA files from user folders. Both are favorite Vidar delivery routes.
  • Monitor for abuse of trusted Windows binaries like WScript, PowerShell, and RegAsm.exe.
  • Rotate browser session cookies often, and warn employees off fake CAPTCHA prompts and pirated software downloads.
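To make the hunting and monitoring items above concrete, here is an added example that is not part of this article and not Secure.com's own tooling. It assumes process-creation telemetry in a Sysmon-like shape (fields image, parent_image, command_line) and a stealer-log dump in a url|user|password line format; both the field names and the log format are assumptions, and every event and log line below is constructed, not real telemetry. The three rules flag MSI and HTA files run from user-writable folders, trusted binaries (WScript, PowerShell, RegAsm.exe) launched directly by a browser, and the same binaries pointed at content in user folders; the last function pulls accounts for your domain out of a stealer log so they can be rotated.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Paths an ordinary user can write to; lures typically land here before execution.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE
)
INSTALLER_HOSTS = {"msiexec.exe", "mshta.exe"}  # hosts that execute .msi / .hta
LOLBINS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "regasm.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MSI_OR_HTA = re.compile(r"\.(msi|hta)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply the three detection rules to one process-creation event (assumed field names)."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    cmd = event["command_line"]
    out: list[Finding] = []
    # Rule 1: installer/script host running a .msi or .hta that lives in a user folder
    if image in INSTALLER_HOSTS and MSI_OR_HTA.search(cmd) and USER_WRITABLE.search(cmd):
        out.append(Finding("msi_hta_from_user_folder", image, cmd))
    if image in LOLBINS:
        # Rule 2: trusted binary launched straight from a browser (fake CAPTCHA flow)
        if parent in BROWSERS:
            out.append(Finding("lolbin_spawned_by_browser", image, cmd))
        # Rule 3: trusted binary pointed at content in a user-writable folder
        if USER_WRITABLE.search(cmd):
            out.append(Finding("lolbin_referencing_user_folder", image, cmd))
    return out


def scan(events) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


def exposed_accounts(log_lines, domain: str) -> set[str]:
    """Usernames for `domain` in stealer-log lines shaped url|user|password (assumed format)."""
    hits: set[str] = set()
    for line in log_lines:
        parts = line.strip().split("|")
        if len(parts) != 3:  # skip malformed lines instead of crashing the hunt
            continue
        url, user, _password = parts
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()
        if host == domain or host.endswith("." + domain):
            hits.add(user.lower())
    return hits


# Constructed sample events; paths and users are invented for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec.exe /i C:\Users\alice\Downloads\toolkit.msi /qn"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r"mshta.exe C:\Users\alice\AppData\Local\Temp\verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r"powershell.exe -File C:\Users\bob\Downloads\update.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "powershell.exe -Command Get-Service"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"RegAsm.exe C:\Users\bob\AppData\Roaming\helper.dll"},
]

# Constructed stealer-log lines; passwords are redacted placeholders.
SAMPLE_STEALER_LOG = [
    "https://mail.example.com/login|alice@example.com|<redacted>",
    "https://shop.other-site.test/account|bob|<redacted>",
    "https://vpn.example.com|bob.smith|<redacted>",
    "malformed line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image}: {finding.command_line}")
    print("rotate:", sorted(exposed_accounts(SAMPLE_STEALER_LOG, "example.com")))
```

The first and fifth events are the benign controls: a vendor MSI from Program Files and a service-launched PowerShell command produce no findings, while the Downloads, Temp and AppData paths and the browser parent trip the rules. In production the same evaluate() would run over your EDR or Sysmon feed, and exposed_accounts() over whatever export your stealer-log monitoring vendor provides, with the parser adjusted to that vendor's real format.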

At Secure.com, our Digital Security Teammates were built for exactly this kind of fast moving threat. They correlate exposure signals, triage stealer log hits, and propose reversible containment actions while a human stays in the loop. When the gap from credential theft to ransomware is two days, defenders cannot afford to wait for office hours.

The Vidar infostealer story is really a story about leverage. Criminals built theirs through automation and resale markets. Defenders need to do the same.