Vidar, a credential-stealing malware that has been active since 2018, has recently ascended to the top of the infostealer market. This rise follows the takedown of its two major competitors, Lumma and Rhadamanthys, by law enforcement last year. Vidar's author capitalized on this disruption by releasing a significant upgrade and expanding its distribution network, making it a favored choice among cybercriminals, according to a report by Intrinsec.
The report from Intrinsec highlights Vidar's dominance on the Russian Market, a prominent cybercrime marketplace, since late 2025. The malware has become a go-to tool for various threat actors, including high-profile groups like Scattered Spider. Vidar's broad-spectrum capabilities allow it to harvest a wide range of sensitive data, such as passwords, cookies, and session tokens from major web browsers, as well as cryptocurrency wallet information. This data is often sold on underground marketplaces, enabling further malicious activities like account takeovers and ransomware deployment.
Vidar’s distribution methods are diverse, with attackers employing phishing emails, social engineering tactics on platforms like YouTube, and Trojanized software packages to spread the malware. A notable strategy involves collaboration with ‘Cloud’ channels on Telegram, where cybercriminals share stolen credential logs. These channels, with names like Kata Cloud and Omega Cloud, have significantly contributed to Vidar’s popularity by advertising its capabilities to potential clients.
The malware’s infrastructure is designed to withstand takedown attempts. Vidar uses ‘dead drop resolvers’ to conceal its command-and-control (C2) systems: the current C2 address is embedded in a page on a legitimate public platform such as Telegram, and the malware fetches that page at runtime to learn where to connect. Because the lookup goes to a legitimate service, the operator can rotate C2 infrastructure without redeploying the malware, and defenders cannot simply block the lookup without also blocking the platform, which makes Vidar’s communications difficult to detect and block.
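A hunting heuristic for the dead-drop pattern described above, added here as an illustration (it is not from Intrinsec’s report or from Vidar itself): a non-browser process fetches a public Telegram page and, shortly afterwards, opens a first-seen outbound connection. The log layout, sample lines, browser list and time window are all constructed or assumed.

```python
"""Flag non-browser processes that fetch a public Telegram page and then, within a short
window, contact a destination no browser on the fleet has been seen talking to."""
import re
from datetime import datetime, timedelta

# Public platforms the report names as dead-drop hosts; extend from your own telemetry.
DEAD_DROP_URL = re.compile(r"^https?://(t\.me|telegram\.me)/", re.I)
# Processes for which fetching a Telegram page is expected (assumption: tune per fleet).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}
WINDOW = timedelta(seconds=120)  # how soon after the fetch the C2 contact is expected

# Constructed endpoint telemetry: "<ISO time>|<host>|<process>|<HTTP|CONN>|<target>".
# 198.51.100.10 stands in for the platform's own edge; 203.0.113.77 for the C2.
SAMPLE_LOG = """\
2026-01-12T09:14:01|ws-17|chrome.exe|HTTP|https://t.me/some_public_channel
2026-01-12T09:14:03|ws-17|chrome.exe|CONN|198.51.100.10:443
2026-01-12T09:20:10|ws-42|Setup_x64.exe|HTTP|https://t.me/example_profile
2026-01-12T09:20:12|ws-42|Setup_x64.exe|CONN|198.51.100.10:443
2026-01-12T09:20:13|ws-42|Setup_x64.exe|CONN|203.0.113.77:80
2026-01-12T09:31:00|ws-42|Setup_x64.exe|CONN|203.0.113.77:80
"""

def parse(log):
    """Return (time, host, process, kind, target) tuples in chronological order."""
    rows = []
    for line in log.splitlines():
        ts, host, proc, kind, target = line.split("|", 4)
        rows.append((datetime.fromisoformat(ts), host, proc, kind, target))
    return sorted(rows)

def find_dead_drop_chains(log, known_dests=()):
    """Return (host, process, dead_drop_url, new_destination) tuples worth triaging."""
    events = parse(log)
    # Destinations browsers already talk to (the platform's own edge) are not suspicious.
    seen = set(known_dests) | {t for _, _, p, k, t in events
                               if k == "CONN" and p.lower() in BROWSERS}
    alerts = []
    for i, (ts, host, proc, kind, target) in enumerate(events):
        if kind != "HTTP" or proc.lower() in BROWSERS or not DEAD_DROP_URL.match(target):
            continue
        # First connection by the same process, inside the window, to a never-seen destination.
        for ts2, host2, proc2, kind2, target2 in events[i + 1:]:
            if ts2 - ts > WINDOW:
                break
            if (host2, proc2, kind2) == (host, proc, "CONN") and target2 not in seen:
                alerts.append((host, proc, target, target2))
                break
    return alerts
```

Feeding real proxy and EDR connection telemetry in the same shape gives a short triage list rather than a blanket block on Telegram, which is what makes this pattern hard to stop with domain filtering alone.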
To defend against Vidar, Intrinsec recommends several measures. Organizations should enable multifactor authentication on the accounts whose credentials are saved in web browsers, so that a stolen password alone does not grant access. Additionally, deploying DNS filtering and secure web gateways can help block access to known malicious domains and IP addresses. Using sandbox solutions to analyze email attachments and URLs before they reach users can further enhance protection against this pervasive threat.
Source: https://www.darkreading.com/vulnerabilities-threats/vidar-top-chaotic-infostealer-market