
Vidar Surges After Infostealer Takedowns

Vidar has overtaken the infostealer market after 2025’s Lumma and Rhadamanthys takedowns. Operators exploit gaps left by law enforcement. Cybersecurity teams face rising data theft risks.

2025’s law enforcement wave dismantled two of the most potent infostealers on the market—Lumma and Rhadamanthys. By April 2026, their absence has created a vacuum. And Vidar has rushed in to claim the top spot.

Key Takeaways

  • Vidar now dominates the infostealer market, filling the gap left by the 2025 takedowns of Lumma and Rhadamanthys
  • Threat actors are increasingly targeting credentials, browser data, and cryptocurrency wallets through modular payloads
  • Dark web pricing for Vidar has dropped by nearly 30%, making it more accessible to lower-tier attackers
  • Its open-source variants have spread rapidly across underground forums, accelerating adoption
  • Defensive detection rates remain below 60% on most EDR platforms, per telemetry from Q1 2026

Vidar’s Ascent Wasn’t Accidental

When LummaStealer went dark in July 2025—following coordinated arrests across six countries—its affiliates scrambled. Some rebuilt infrastructure. Others folded. A few migrated to alternatives. But no replacement offered the same balance of stealth, configurability, and ease of use. Rhadamanthys, taken down two months later, suffered a similar fate. Its operators were reportedly based in Eastern Europe, and its command-and-control servers were seized in a joint Europol-Interpol effort.

That’s when Vidar began its climb.

Unlike its predecessors, Vidar wasn’t built for longevity. It was built for adaptability. Its codebase—available in both private and open-source versions—allows attackers to swap out modules like browser harvesters, clipboard sniffers, and cryptocurrency wallet extractors. Need to avoid detection in a specific region? Swap the C2 profile. Target only financial institutions? Enable the banking module. That modularity didn’t just help it survive. It helped it thrive.

And thrive it has. According to telemetry compiled in the original report, Vidar-related command-and-control traffic increased by 217% between October 2025 and March 2026. That spike wasn’t evenly distributed. It clustered around sectors with weak endpoint detection: midsize e-commerce firms, fintech startups, and managed service providers.

The Underground Economy Rewired

One of the most telling shifts isn’t technical. It’s economic.

Vidar’s base price on dark web marketplaces has fallen from $350 to $250 in the past nine months. That drop wasn’t driven by inflation or oversupply alone. It came from competition—and commoditization.

Several open-source forks of Vidar now circulate under names like Vidar 2.0, NeoVidar, and xVidar. These aren’t just clones. They’re iterations. Some strip out anti-analysis tricks to run faster. Others rebuild the exfiltration protocol to bypass newer EDR heuristic rules. The result? A thriving black-market ecosystem where malware evolves not through centralized development, but through decentralized forking.

How the Forks Changed the Game

Open-source malware isn’t new. But it’s usually used for proof-of-concept attacks or academic research. Vidar’s forks are different. They’re operationally deployed.

One variant, tracked as xVidar-F, emerged in December 2025. It disables PowerShell logging by default and uses DNS tunneling for C2—techniques previously seen only in nation-state tools. Another, NeoVidar-S, began targeting Linux-based development environments in February 2026, scraping SSH keys and Git credentials.

These aren’t fringe experiments. They’re being used in active campaigns. And they’re spreading faster than defenders can patch.

The Cost of Accessibility

Lower prices and open code mean more actors can play. That includes inexperienced ones. And that’s creating a new kind of noise—one that’s harder to filter.

In Q1 2026, incident responders at three U.S.-based MSPs reported a surge in low-volume, high-frequency credential theft incidents. The payloads were small. The C2 domains changed daily. The exfiltration methods varied. But the artifacts—browser profiles, autofill data, session cookies—were identical to those harvested by Vidar modules.

One responder, analyzing a compromised developer workstation, told Dark Reading: “It wasn’t a sophisticated attack. No zero-days. No lateral movement. But it got everything. All the AWS tokens, GitHub PATs, Slack cookies—gone in under two minutes.” That access led to a full production environment breach at a fintech client.

Detection Gaps Are Real—and Exploited

Most endpoint detection and response (EDR) tools rely on behavioral signatures and memory analysis to catch infostealers. But Vidar’s latest variants are designed to slip through.

  • They execute in-memory using reflective DLL loading
  • They encrypt configuration data to evade static analysis
  • They delay execution until user activity begins, avoiding sandbox detection
  • They disable Windows Defender via command-line calls on entry

The result? According to aggregated data from five EDR vendors, fewer than 60% of Vidar samples were detected at first encounter in Q1 2026. Signature-based tools fared worse—many still flag only the original 2018 Vidar variant, not its modern derivatives.
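One way to look for the on-host tampering described above (Defender disabled from the command line, PowerShell logging switched off) is a small rule set run over process-creation telemetry. This is an added example, not code from the article or from any vendor it names; the sample events, host names, rule names and parent-process list are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon-style fields), not from
# the article and not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "dev-ws-01", "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "dev-ws-01", "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"
                " /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f"},
    {"host": "build-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"host": "build-02", "parent": "cmd.exe", "image": "sc.exe",
     "cmdline": "sc config WinDefend start= disabled"},
]

# Detection rules as (name, regex over the lowercased command line), covering the
# two tampering behaviours the article attributes to Vidar variants.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true")),
    ("defender_service_disabled",
     re.compile(r"\bsc(\.exe)?\s+config\s+windefend\s+start=\s*disabled")),
    ("ps_scriptblock_logging_disabled",
     re.compile(r"scriptblocklogging\b.*enablescriptblocklogging\b.*/d\s+0\b")),
]

# Parents indicating the command was spawned from a user-facing application (lure document or mail).
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe"}

def match_rules(cmdline: str) -> List[str]:
    """Names of every rule matched by one command line (empty list if clean)."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rules over events; one hit record per (event, rule), ranked by parent."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            sev = "high" if ev["parent"].lower() in USER_FACING_PARENTS else "medium"
            hits.append({"host": ev["host"], "parent": ev["parent"], "image": ev["image"],
                         "rule": rule, "severity": sev})
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['host']}: {h['parent']} -> {h['image']} ({h['rule']})")
```

The parent-process ranking matters more than the rule match itself: an administrator disabling Defender from a console is noise, the same command spawned under a mail client is the chain worth paging on.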

“We’re fighting a version of the malware that doesn’t exist anymore,” said a senior threat hunter at a cybersecurity firm that requested anonymity. “The rules we built two years ago? Useless. The YARA signatures? Outdated. We’re chasing ghosts while the real thing walks right in.”

Why This Isn’t Just Another Malware Story

Infostealers have been around for decades. But what’s happening with Vidar is different. It’s not just another tool in the attacker’s kit. It’s a signal of structural change in the cybercrime economy.

When Lumma and Rhadamanthys fell, many assumed the infostealer market would shrink. It didn’t. It adapted. Faster. Cheaper. More distributed.

That’s concerning. Because it means law enforcement takedowns—while necessary—may no longer be sufficient. Taking down a single operation doesn’t disrupt the ecosystem if the code, the tactics, and the distribution channels survive in fragmented, open forms.

Vidar’s rise exposes a flaw in our defensive logic: we still treat malware like a product. But in the underground, it’s becoming a platform.

The Bigger Picture: Cybercrime as Open-Source Ecosystems

The shift from closed, proprietary malware to open, modifiable platforms mirrors trends seen in legitimate software development—but with dangerous consequences. Just as GitHub hosts thousands of public repositories where developers collaborate, cybercriminal forums like XSS, Dread, and CryptBB now host public repositories of malware code. Vidar’s open-source variants are forked, patched, and redeployed in a cycle that resembles agile development sprints.

This model accelerates innovation. A single improvement—like evading a new EDR heuristic—can be integrated into dozens of forks within days. Researchers at Recorded Future observed that one patch disabling AMSI (Antimalware Scan Interface) checks was reused in at least 14 different Vidar derivatives by January 2026. That kind of reuse wasn’t common in earlier malware families, where operators guarded code closely.

Compare this to RedLine Stealer, another infostealer that saw a brief resurgence after Lumma’s takedown. RedLine relies on a centralized builder hosted on Telegram channels. Updates are infrequent. Customization is limited. Its market share peaked at 18% in late 2025 but has since dropped to 9% as attackers shift to more flexible options.

Even ransomware developers are watching. The Conti-affiliated group known as HIVE has explored integrating Vidar-like credential harvesting modules into their initial access toolkit. That’s not just evolution. It’s convergence—where infostealers become the first phase of broader attacks.

Industry Response and the Limits of Current Defenses

Security vendors are reacting, but slowly. CrowdStrike updated its Falcon platform in February 2026 to include behavioral models targeting reflective DLL loading and C2 beaconing patterns tied to Vidar. Microsoft Defender for Endpoint introduced memory scanning improvements in its January 2026 update, focusing on encrypted configuration blobs. But these changes are reactive.

Meanwhile, attackers test their payloads against commercial EDR products using services like AnyRun and ANY.RUN. A post on the Russian-language forum Exploit.in from November 2025 detailed how to use free sandbox trials to verify evasion before deployment. This practice, known as “sandbox fuzzing,” is now standard among mid-tier operators.

Some companies are shifting focus from detection to containment. Okta has expanded its Advanced Identity Protection rules to flag anomalous session cookie usage, particularly from unusual geolocations or devices. Cloudflare’s Zero Trust platform now logs and inspects all outbound DNS queries for tunneling patterns—catching variants like xVidar-F in real time. But these measures require configuration and monitoring. Many organizations, especially smaller ones, lack the staff or expertise to implement them effectively.
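The outbound DNS inspection described above can be approximated on your own resolver logs. The following is an added example, not the article's or any vendor's code: a per-client, per-zone heuristic over constructed query records that flags zones receiving many long, high-entropy, never-repeating subdomains, which is the shape data carried in query names produces. The client addresses, zone names and thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample of outbound DNS queries as (client_ip, qname); not real
# data and not taken from the article.
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("10.0.4.21", "www.example.com"), ("10.0.4.21", "api.example.com"),
    ("10.0.4.21", "cdn.example.com"), ("10.0.4.33", "mail.example.org"),
] + [
    # Six long, high-entropy, never-repeating labels under one zone: the shape
    # that data smuggled in query names produces.
    ("10.0.4.33", f"{label}.updates-cache.invalid") for label in (
        "4a7f9c2e1b8d3f6a0c5e9b2d7f1a4c8e", "b9e3d1f7a2c6e8b4d0f5a9c3e7b1d6f2",
        "c2d8f4a6e0b3d7f9a1c5e8b2d4f6a0c3", "d7a1c9e5b3f8a2d6c0e4b9f1a7c3d5e8",
        "e4b8d2f6a0c7e1b5d9f3a8c2e6b0d4f7", "f1c5e9b3d7a2f6c0e8b4d1a5c9e3b7d2",
    )
]

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_zone(qname: str) -> Tuple[str, str]:
    """(subdomain, zone) with zone = last two labels. Simplified on purpose;
    a production detector should use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def tunneling_candidates(queries: List[Tuple[str, str]], min_unique: int = 5,
                         min_len: float = 20.0, min_entropy: float = 3.5) -> Dict[str, Dict[str, float]]:
    """Group queries by (client, zone); flag zones whose subdomain mix looks like
    encoded data rather than ordinary hostnames. Thresholds are illustrative."""
    subs: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, qname in queries:
        sub, zone = split_zone(qname)
        if sub:
            subs[(client, zone)].add(sub)
    flagged: Dict[str, Dict[str, float]] = {}
    for (client, zone), names in subs.items():
        mean_len = sum(len(s) for s in names) / len(names)
        mean_ent = sum(shannon_entropy(s) for s in names) / len(names)
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[f"{client} -> {zone}"] = {"unique": len(names), "mean_len": mean_len,
                                              "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own traffic first: CDN and telemetry zones legitimately generate long hashed labels, so an allowlist of known zones belongs in front of this check.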

The challenge isn’t just technical. It’s economic. Defensive tools are expensive. EDR licenses can cost $50–$100 per endpoint annually. For a 500-seat company, that’s $25,000–$50,000 a year. Meanwhile, attackers pay $250 for access to tools that can compromise those same endpoints at scale. The asymmetry favors offense.

What This Means For You

If you’re a developer, your credentials are a primary target. Vidar doesn’t need to breach your CI/CD pipeline directly. It just needs your browser. If you’re logged into GitHub, AWS, or Bitbucket from a compromised machine, that’s enough. Your session cookie is exfiltrated. Your access is cloned. And you won’t see the breach until the damage is done.

For builders, this means zero trust isn’t optional. It’s table stakes. Enforce strict MFA policies—even for internal tools. Rotate API keys automatically. Use ephemeral credentials. Assume any endpoint could be running undetected malware. Because now, more than ever, it probably is.

Malware doesn’t need to be novel to be dangerous. It just needs to be widespread, adaptive, and just stealthy enough to last. Vidar checks all three boxes. And it’s not going anywhere.

Sources: Dark Reading, BleepingComputer, Recorded Future, CrowdStrike 2026 Threat Report, Microsoft Security Intelligence Report January 2026, Okta Threat Research
