A brief look at all things infostealers for week 9, 2025 (24.02.2025–02.03.2025). Oh boy, I am so late with this blog post. I got caught up in work/family life and felt too lazy to even simply copy-paste stuff. This week I observed updates from the LummaC2, Vidar and XFiles infostealers. A new stealer was advertised on the XSS forum, but seemingly not that successfully, as the post was closed and the poster was asked to make a deposit to the in-forum wallet. I grabbed some numbers from marketplaces and have some interesting reports/articles about stealers.
I ought to expand my net; there are other forums where similar-ish content is published. The reason I am stuck on the XSS forum is that the most popular infostealers are present there. I went through BreachForums and noted several posts about new-ish/emerging infostealers; however, I am a bit hesitant about whether I should cover those or not. Here's the thingy: there are tonnes of stealers out there, but the vast majority of them will not really take off. And this is most of all a time issue, you know, work/family and poof, the day has gone by.
Another issue I have been pondering is the structure of these posts. I realise that dumping everything as a wall of text is maybe not super reader-friendly. Maybe a table of contents would be useful. I need to experiment a bit.
And in the unlikely scenario of someone reading/using my posts, please give me feedback or make some suggestions on what else you would like to see covered about infostealers.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn't available in English)
Update 24.02
- Optimized performance by reducing the number of file operations
- Optimized work with sessions
- Optimized antifraud from the last update
- Improved security
- Refined and optimized event system for future updates
- Cleaned WD 10/11 + Cloud + Run-Time
Screenshot from XSS Forum
Update 27.02
- Added API methods to work with improved pads
- Fixed uploading when sending to Telegram via /away link
- Cleaned WD 10/11 + Cloud
Screenshot from XSS Forum
Vidar
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn't available in English)
There has been a fairly global update with quite nice fixes
- Finally, we were able to sort out the wallets and raise the quality of their reception... Now the files do not come broken and come in a complete set...
- Also, these fixes helped to establish a normal way to collect Telegram and Discord! Now the files come in full
- Fixed bugs that could skip cookie files – we also fixed this and now the collection is almost constant and correct.
- Started to change pad domains 2 times a day! We put domains trusted, good! A large stock, which positively affects the bounce!
- You do not need to do rebuild, domains are changed dynamically and do not need to change the build! Current domains work no worse than personal, and maybe even better!
All this for $300 per month and discounts for a larger term purchase!
We are trying for you, and soon we will release Vidar 2.0, where the project will be completely redesigned
- New modern and user-friendly interface
- New marketing department and great support team in different languages.
- Completely rewritten BUILD from scratch, not using old code, using modern methods.
- Wrote our own morpher which will keep even better runtime and speed up our clean-up!
Write, contact...
Screenshot from XSS Forum
XFiles
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn't available in English)
HiddenVNC
Native stub, written in the C programming language, stub written from scratch.
System calls are used wherever possible, in other cases WinAPI is used, no third-party libraries are used or required.
Work with bots occurs through a responsive Web interface, the panel allows you to work with several bots simultaneously.
Communication between bots and the server occurs via the HTTP protocol using its own encryption, bots do not know the real IP of the server to which they will connect, they will connect to “proxy domains”, which increases survivability.
Gasket system (proxy) – we do not show the IP where the connection from the bot to your server occurs, due to this, the survivability of the bot increases.
Personal server – for each Spyware client, we set up a personal server, bots will connect to your server via gaskets.
Convenient control panel in the Browser – the ability to manage several bots simultaneously from one or several accounts (teamwork), support for Light and Dark interface themes.
At the moment, several modules have been created:
- The same keyboard layout as the selected bot is available
- Basic
- View and stop Windows processes
- Loader: launch commands via Shell Execute for the bot
- Download And Execute: download and run files for the bot, HTTP and HTTPS links are supported.
- Mass disabling of bots
- Mass deletion of bots
- HVNC (Hidden VNC, Hidden session similar to VNC)
- Hidden screen for controlling the victim’s device allows you to work at a speed of up to 30 FPS (depending on their and your connection stability)
- Ability to set the image quality
Clipper
Clipper crypto wallet substitution, currently we support substitution
- Bitcoin Legacy and P2SH Addresses
- Bitcoin Bech32 Addresses
- Monero (XMR) Standard addresses
- Stellar (XLM)
- Ripple (XRP)
- Litecoin (Legacy) (LTC)
- Litecoin (Bech32) (LTC)
- Neocoin (NEO)
- Bitcoin Cash (Legacy and New)
- Dashcoin (DASH)
- Dogecoin (DOGE)
- Binance chain (BEP2)
- Ethereum (ETH) (ERC-20) or (BEP-20)
- TRON (TRX) or (TRC-20)
- Zcash (ZEC)
We can add other protocols (and not only) at your request
Keylogger Live
- Full logging of bot keystrokes on any layout, including key modifiers such as Ctrl, Shift
- Ability to set the frequency of receiving logs from the bot
- Tasks (under development)
- Ability to create tasks for bots based on rules
- Other modules can be implemented at the request of the client
Spyware installation for you takes up to 2 days, but usually it happens in 1.
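Added defensive example (my own code, not anything from the XFiles post or its authors): a minimal detector for the clipboard address swap that the Clipper module advertises, showing what that behaviour looks like from the victim's side. The address patterns are assumed, simplified format checks for the families the post lists (no checksum validation), and the clipboard history is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed, simplified format checks (no checksum validation) for the address
# families the post lists; written for this example, not taken from the page.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc-legacy-p2sh": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59}$"),
    "ltc-legacy": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "ltc-bech32": re.compile(r"^ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59}$"),
    "eth-erc20-bep20": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr-standard": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "trx-trc20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "doge": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "xrp": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "xlm": re.compile(r"^G[A-Z2-7]{55}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the address family of a clipboard value, or None if not an address."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return family
    return None

def detect_clipper_swaps(snapshots: List[str]) -> List[Tuple[str, str, str]]:
    """Flag consecutive snapshots where an address is replaced by a different
    address of the same family: users rarely copy two distinct addresses of one
    coin back to back, but that is exactly what a clipper produces."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if fam_prev and fam_prev == fam_cur and prev.strip() != cur.strip():
            alerts.append((fam_prev, prev.strip(), cur.strip()))
    return alerts

# Constructed clipboard history: two swaps (BTC legacy, ETH) plus benign noise.
DEMO_SNAPSHOTS = [
    "meeting notes",
    "1" + "A" * 33,    # user copies a BTC legacy address
    "1" + "B" * 33,    # clipboard now holds a different BTC address: swap
    "1" + "B" * 33,    # unchanged, not a swap
    "0x" + "a" * 40,   # ETH after BTC: different family, not a swap
    "0x" + "b" * 40,   # replaced by another ETH address: swap
]

def demo() -> List[Tuple[str, str, str]]:
    return detect_clipper_swaps(DEMO_SNAPSHOTS)
```

On a real endpoint the snapshots would come from clipboard polling or EDR clipboard telemetry; the detector only needs the sequence of values.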
Mi6 Stealer
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn't available in English)
We developed a tool that steals information from Windows without using common, known methods.
Platforms: Windows
Feature:
1= Grabber Browsers Data (Chrome , Opera , Firefox , All Browser)
2= Wifi Passwords
3= Browser Password
4= Vpn Grabber (Open Vpn , Proton Vpn)
5= Google Token Grabber
6= Grabber Cookies
Price:
$500/one time payment
$100/monthly
Customization : Determined according to your request
Autorun feature will be added soon!
buy & Demo
dm me just xss
Screenshot from XSS Forum
Marketplace Updates
This section provides some numbers taken from the marketplaces: victim counts per stealer, the top 5 countries by victim count, and victim counts for the countries of the Nordic region.
RussianMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,647,632 |
| RisePro | 1,429,858 |
| Vidar | 1,293,117 |
| StealC | 1,005,352 |
| RedLine | 790,159 |
| Raccoon | 330,383 |
| Acreed | 7,301 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,254,318 |
| Brazil | 991,503 |
| Indonesia | 680,541 |
| Egypt | 628,625 |
| Pakistan | 611,210 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 20,440 |
| Denmark | 10,934 |
| Norway | 8,431 |
| Finland | 7,215 |
| Iceland | 1,050 |
| Faroe | 100 |
| Åland | 16 |
ExodusMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| RedLine | 105,544 |
| Lumma | 101,778 |
| Vidar | 56 |
| Unknown | 10 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| Peru | 7,306 |
| Turkey | 7,176 |
| India | 6,307 |
| Pakistan | 6,285 |
| Vietnam | 5,822 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Norway | 143 |
| Sweden | 96 |
| Denmark | 47 |
| Finland | 44 |
| Iceland | 10 |
Articles/News
Infostealer Campaign against ISPs
- https://www.splunk.com/en_us/blog/security/infostealer-campaign-against-isps.html
Fake CAPTCHAs, Malicious PDFs, SEO Traps Leveraged for User Manual Searches
- https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches
EncryptHub breaches 618 orgs to deploy infostealers, ransomware
- https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/
RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector
- https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/