Vidar Climbs to Top of Fragmented Infostealer Market
Vidar has emerged as the dominant infostealer in a market thrown into disarray after takedowns and infighting hit rivals like Lumma and RedLine. The malware-as-a-service operation has absorbed displaced affiliates and refined its delivery chains, capitalizing on a vacuum left by law enforcement disruption of competing brands.
The broader infostealer ecosystem remains volatile, with operators rebranding, splintering, and cycling through distribution channels — cracked software, malvertising, and phishing kits — to keep credential theft pipelines flowing. Stolen browser cookies, session tokens, and crypto wallet data continue to feed downstream ransomware and account-takeover operations.
For defenders, the shift means signature-based detection tied to specific stealer families is increasingly brittle. The center of gravity moves quickly, but the underlying tradecraft — and the credential markets it feeds — does not.
Continue reading at Dark Reading →

This is an AI-generated summary. Read the original for the full story.