Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer

by CybrGPT

An established information stealer (infostealer) has recently been upgraded with enhanced capabilities and filled a vacuum left by the decline of the once-dominant Lumma Stealer.

According to a Trend Micro report published on October 21, a new version of the Vidar infostealer has emerged, with a new multithreaded architecture for faster, more efficient data exfiltration and improved evasion capabilities.

The upgrade, dubbed Vidar 2.0, was first announced by a developer known as “Loadbaks” on underground forums on October 6.

Its release coincides with a decline in activity surrounding Lumma Stealer, which had been the dominant infostealer strain for months before a law enforcement operation disrupted a large part of Lumma’s infrastructure in 2024 and a doxxing campaign targeted its developers between August and October 2025.

These events led to a decline in Lumma’s activity.

Introducing Vidar 2.0

Vidar first emerged in 2018 on Russian-language underground forums, initially leveraging the Arkei stealer source code.

Vidar quickly gained traction due to its reliable support and comprehensive ability to steal browser credentials and cryptocurrency wallets. Its price tag of $300 for lifetime use was also attractive.

“Over the years, Vidar set itself apart from competitors like Raccoon and RedLine by consistently adding support for new browsers, wallets and two-factor authentication (2FA) applications, maintaining a loyal user base through ongoing updates and reliable developer support,” the Trend Micro researchers wrote.

Following Lumma’s decline, Vidar has recently positioned itself as one of the main contenders to become the market-leading infostealer.

In the first major upgrade since its inception, Vidar 2.0 comes with four significant changes:

  • Complete C language rewrite: the development team rewrote the entire software from C++ to C, which allowed “a huge increase in stability and speed,” said Trend Micro
  • Multithreaded data theft capabilities, promising faster data collection and exfiltration through parallel processing capabilities that can leverage modern multi-core processor architectures
  • New custom-made browser credential extraction and AppBound bypass techniques: this latter capability specifically targets Chrome’s enhanced security measures introduced in recent versions, claiming to bypass application-bound encryption that was designed to prevent unauthorized credential extraction by binding encryption keys to specific applications
  • Automatic polymorphic builder, a feature designed to generate samples with distinct binary signatures, making static detection methods more difficult

“As Lumma Stealer activity continues to decline and underground actors migrate to Vidar and StealC alternatives, security teams should anticipate increased Vidar 2.0 prevalence in campaigns through Q4 2025,” the Trend Micro researchers warned.
