Vidar Rises to Top of Chaotic Infostealer Market
Recorded: May 11, 2026, 1:16 p.m.
The malware has filled the gap created by last year's law enforcement takedowns of Lumma and Rhadamanthys.

Jai Vijayan, Contributing Writer
April 28, 2026
3 Min Read
Source: Bits And Splits via Shutterstock

Credential-stealing malware Vidar, which 
has lurked in the cybercriminal ecosystem since 2018, has vaulted to the top of the infostealer market following law enforcement takedowns of its two biggest rivals last year.

That shift was fueled by the malware author's calculated release of a major upgrade and expansion of Vidar's distribution network during the disruption, which positioned it as a go-to alternative for cybercriminals, according to new research from Intrinsec.

Rising to the Top

In a 43-page report, Intrinsec described Vidar as the most used infostealer on Russian Market, a cybercrime marketplace, since November 2025. It has displaced both Lumma and Rhadamanthys after law enforcement disrupted those previously top-ranked infostealer operations in May 2025 and November 2025, respectively.

The shift is significant because Vidar is a high-volume, broad-spectrum credential harvester that some high-profile threat groups, including Scattered Spider, have used in their campaigns. The growing client base means more threat actors are now deploying the malware against corporate networks.

"Chaos is a ladder, and Vidar successfully profited from the instability resulting from the takedowns of Lumma and Rhadamanthys to rise to the top of the infostealer ecosystem," the French cybersecurity firm said in its report. "Due to the high volume of sample[s] and indiscriminate campaigns targeting users worldwide, we can expect to continue seeing several compromise attempts against corporate networks using this malware."

Like most prolific infostealers, Vidar targets a wide array of sensitive data that threat actors can use in future attacks against organizations. The malware pulls saved passwords, cookies, autofill data, and session tokens from major browsers including Chrome, Firefox, Edge, Opera, Vivaldi, Waterfox, and Pale Moon. 
Cryptocurrency wallets are another focus, with Vidar's operators hosting a curated list of cryptocurrency wallet browser extension IDs on their own infrastructure. The malware can also capture screenshots, harvest email client data, and exfiltrate local files to give attackers a comprehensive picture of a victim environment.

Stolen credentials, according to Intrinsec, are quickly monetized on underground marketplaces like Russian Market. Adversaries have typically used such credentials to take over accounts, move laterally inside a network, deploy ransomware, escalate privileges, and execute other malicious actions under the guise of a legitimate user or service.

Distribution Tactics

Attackers are using a variety of methods to distribute Vidar. The most common tactics include phishing attachments disguised as legitimate software installers from file-sharing platforms, and social engineering lures on YouTube that redirect users through popular file-sharing services to malicious downloads. Other researchers have documented attackers using ClickFix campaigns, Trojanized npm packages, and fake game cheats to deliver Vidar.

One significant contributor to Vidar's recent growth, according to Intrinsec, has been the decision by its operators to collaborate with so-called "Cloud" channels on Telegram: public or semi-public channels where cybercriminals freely share stolen credential logs. These channels, going by names like Kata Cloud, Poltergeist Cloud, Cron Cloud, and Omega Cloud, have helped advertise Vidar and attract more clients to the malware, Intrinsec said.

"Telegram 'cloud' channels fuel the ecosystem of stolen logs and help advertise the stealers behind the stolen data," the security vendor said. 
"Subscribers to these channels may notice that more channels are now using Vidar and therefore think that this is a useful program to steal data."

Vidar's infrastructure is designed to survive takedown attempts. One mechanism that Vidar's operators have used to hide its command-and-control (C2) servers is "dead drop resolvers," a technique in which the malware does not directly include its C2 address. Instead, the malware contains URLs pointing to legitimate public platforms such as Telegram, where attackers embed the actual C2 address in a profile description, a post, or an account bio. When Vidar lands on a victim system, it reaches out to these URLs to retrieve the real C2 details dynamically, thereby evading static detection and blocking of the C2 address, Intrinsec said. The same indirection lets the operators move the C2 by editing the profile text, without pushing new samples.

Intrinsec's recommendations for protecting against Vidar include enabling multifactor authentication for browser-related accounts to mitigate credential theft, deploying DNS filtering and secure Web gateways to block known malicious domains and IP addresses, and using sandbox solutions to analyze email attachments and URLs. Because Vidar also lifts browser cookies and session tokens, MFA alone does not protect sessions that are already authenticated; revoking active sessions after a suspected infection closes that gap.

About the Author

Jai Vijayan, Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. 
Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Summary

Vidar has risen to dominate the chaotic infostealer market following law enforcement disruptions of its primary rivals, Lumma (May 2025) and Rhadamanthys (November 2025). Intrinsec's 43-page report finds that Vidar, active since 2018, has been the most prevalent infostealer on the Russian Market cybercrime marketplace since November 2025. The shift was driven by the operators' response to the takedowns, a major upgrade and an expanded distribution network, which positioned Vidar as the preferred alternative for cybercriminals. The malware is a high-volume, broad-spectrum credential harvester that groups such as Scattered Spider have used, and its growing client base means more actors are deploying it against corporate networks. Its growth has been amplified by collaboration with Telegram "Cloud" channels such as Kata Cloud, Poltergeist Cloud, Cron Cloud, and Omega Cloud, which circulate stolen credential logs and advertise the stealer behind them. Vidar hides its command-and-control (C2) infrastructure behind "dead drop resolvers": URLs on legitimate platforms such as Telegram from which the malware retrieves the real C2 address at run time, frustrating static detection and blocking. It targets saved passwords, browser cookies, autofill data, session tokens, and cryptocurrency wallet extensions across major browsers, and can also capture screenshots, email client data, and local files. Exfiltrated data is quickly monetized on underground marketplaces, enabling account takeover, lateral movement, ransomware deployment, and privilege escalation. Intrinsec recommends multifactor authentication, DNS filtering and secure Web gateways, and sandbox analysis of email attachments and URLs, and expects continued compromise attempts against corporate networks given the volume of samples and indiscriminate campaigns.
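The dead-drop resolver mechanism described above, worked through as an added example in Python. This is illustrative code written for this page, not Vidar's code and not anything from Intrinsec's report: the resolver URLs, the page bodies, and the "|||" delimiter around the embedded C2 are constructed assumptions, not Vidar's real format. The point it demonstrates is the one the article makes: a strings or IOC scan of the sample surfaces only the hostnames of legitimate platforms, while the real C2 appears only after the resolver pages are fetched and parsed, and an ordered list of resolvers lets the operator survive the loss of any one profile.

```python
"""
Dead-drop resolver walk-through (added example, not Vidar's code).

A stealer using this technique ships no C2 address. It ships URLs of
pages on legitimate platforms (a Telegram profile, a social-media bio)
and, at run time, fetches those pages and parses the real C2 out of the
attacker-controlled text. Everything below is constructed for the
illustration: the URLs, the page bodies and the "|||" delimiter are
assumptions, not Vidar's real format.
"""
import re
from typing import Callable, Optional

# Constructed page bodies standing in for live fetches (not real captures).
# The first resolver is "live", the decoy carries nothing usable, and the
# backup resolver holds a second C2 the operator can switch to by editing
# the profile text, without redeploying the malware.
SAMPLE_PAGES = {
    "https://t.me/example_dead_drop": (
        '<div class="tgme_page_description">'
        "Nature photos and travel. |||http://203.0.113.45:8080|||"
        "</div>"
    ),
    "https://social.example/profile/decoy": "<p>bio: coffee, running</p>",
    "https://social.example/profile/backup": (
        "<p>bio: |||https://c2-backup.example.invalid/api|||</p>"
    ),
}

# Resolver URLs as they would sit inside the sample, in try-order.
RESOLVERS = [
    "https://t.me/example_dead_drop",
    "https://social.example/profile/decoy",
    "https://social.example/profile/backup",
]

# Stand-in for the malware binary: junk bytes plus the resolver URLs.
# Note what is NOT in here: the C2 address itself.
FAKE_SAMPLE = b"\x00" * 16 + b"\x00".join(u.encode() for u in RESOLVERS) + b"\x00" * 16

MARKER = "|||"  # assumed delimiter around the embedded C2


def extract_c2(page_body: str, marker: str = MARKER) -> Optional[str]:
    """Return the URL wrapped in `marker` inside the page text, or None."""
    url = r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s|<\"']*)?"
    pattern = re.escape(marker) + "(" + url + ")" + re.escape(marker)
    match = re.search(pattern, page_body)
    return match.group(1) if match else None


def resolve_c2(resolvers: list[str], fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Walk the resolver list in order; the first page yielding a C2 wins.

    A resolver that is down or scrubbed (fetch returns None) or that has
    no marker (decoy or not yet populated) is skipped, which is what makes
    the scheme tolerant of individual profile takedowns.
    """
    for url in resolvers:
        body = fetch(url)
        if body is None:
            continue
        c2 = extract_c2(body)
        if c2:
            return c2
    return None


def fetch_offline(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET against the constructed pages."""
    return SAMPLE_PAGES.get(url)


def static_hostnames(blob: bytes) -> list[str]:
    """What a strings/IOC scan of the binary surfaces: only the hostnames
    of the resolver platforms, which cannot be blocked wholesale."""
    text = blob.decode("latin-1")
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.\-]+)", text)))


if __name__ == "__main__":
    print("static view of sample:", static_hostnames(FAKE_SAMPLE))
    print("resolved C2:", resolve_c2(RESOLVERS, fetch_offline))
    # The primary profile is taken down; the malware falls through to the backup.
    print("after primary removed:", resolve_c2(RESOLVERS[1:], fetch_offline))
```

For a defender the useful pivot is the inverse of `resolve_c2`: the resolver URLs are static in the sample and are the indicators to hunt for in proxy logs (a non-browser process fetching a profile page on Telegram or a similar platform, followed by a connection to an address that never appeared in the binary), and a sandbox that lets the sample fetch the resolver is what turns the hidden C2 into a blockable indicator.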