A brief look at all things infostealers for week 41, 2025 (06.10.2025–12.10.2025). A major update in the Vidar infostealer. Grabbed some numbers from marketplaces and some interesting news/articles.
Note: The update posts are copy-pasted as is (and machine-translated with DeepL.com if the post wasn’t available in English, possibly with some minor edits by me).
Infostealer Updates
Vidar
VIDAR STEALER v2.0 — The legend is back!
Friends, we are finally ready to tell you what we have been working on over the past few months.
After a long and difficult period, we have completely revamped the product. This is not just an update — it’s a new era.
What has changed inside:
- We rewrote all the software from C++ to C, which resulted in a huge increase in stability and speed.
- We implemented unique appBound methods that are not found in the public domain.
- We added an automatic morfer, thanks to which each build is now unique.
- A hidden error reporting system has been built in — we can debug in real time without user intervention.
How this benefits users:
- Completely new software that is not detected by antivirus programs.
- Multithreading for operation and sending.
- High speed and protection against bots.
- Stable data collection without crashes or errors.
- Ability to switch between two different memory injection systems online, without rebuilding — one replaces the other when necessary.
A unique multithreading system allows for the most efficient use of multi-core processor resources. It performs data collection tasks in parallel threads, which significantly speeds up the process. But most importantly, we have implemented multithreaded file transfer, which speeds up not only the processing and collection of logs, but also their transfer.
The price remains unchanged at $300 since 2018. We strive to keep it unchanged for as long as possible, while maintaining the highest level of service and product quality.
What’s in development right now:
A new modern design for the project, which will soon be available to everyone.
Transfer to a new server — powerful, fast, and reliable:
-> AMD EPYC 9654 (3.7GHz, 96 Cores) ×2
-> DDR5 4800MHz 64GB SAMSUNG ECC RDIMM ×24
-> Kingston SEDC3000ME 15.36TB ×6
-> Samsung 980 PRO M.2 500GB ×2
A little about us and our journey:
We have been with you since 2018.
We have always prioritized quality and stability.
Yes, it was a difficult period—complex development, revisions…
But we did not give up. We found the strength to rewrite everything, improve it, and relaunch it for the new market conditions.
Now VIDAR v2.0 is a new breath of life, new strength, and a new level of technology.
The project has literally risen like a phoenix.
All previous updates were just a warm-up for what we have done now.
We would like to thank everyone who stayed with us and supported us along the way.
Soon you will see how far we have come.
VIDAR v2.0 is already here.
And this is just the beginning.
And now for the technology stack
- Pure C (C99) — without C++ Runtime, STL, and exceptions
- Custom minimalistic CRT — complete independence from system libraries
- NT API — direct access to the Windows kernel, bypassing antivirus hooks
Performance:
- +30-50% performance thanks to NT API
- -60% binary file size (no Runtime dependencies)
- Adaptive algorithms for fast and slow PCs
Compatibility:
- Windows XP → Windows 11 (32/64 bit)
- No dependencies on Runtime DLL
- Works on any system “out of the box”
Architecture:
- Modular structure — easy to expand and maintain
- OLLVM runtime obfuscation — protection against reverse engineering
- Minimal attack surface — fewer antivirus interceptions

Screenshot from XSS forum
New version — 16.1!
Well, friends, just a couple of days have passed, and we’re back with an update!
This time, we really have something to be excited about.
We have completely redesigned the backend and data decryption — now everything works more stably and faster.
Let’s be honest, there used to be some issues with information processing — sometimes cookies or passwords would get lost, but now there are no such problems at all!
We’ve created a new file morph for everyone — clean, neat, and pleasant. Just don’t forget to encrypt it, it’s important!
We’ve now implemented not only multi-threaded file processing, but also sending to 10 or more threads simultaneously to the server! Now your data arrives on the server very quickly!
We have a lot of ideas ahead of us, we will not only fix the old, but also add new functionality.
Thank you to everyone who is with us — you are the best

Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries by number of victims, and the victim numbers for the countries of the Nordic region. In addition, see the CryptPad spreadsheet for the broader set of numbers.
Marketplace Updates Spreadsheet
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 6,968,478 |
| Vidar | 562,560 |
| RisePro | 145,549 |
| StealC | 751,031 |
| RedLine | 192,181 |
| Acreed | 620,921 |
| Raccoon | 5,086 |
| Rhadamanthys | 290,511 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,100,702 |
| Brazil | 695,009 |
| Indonesia | 536,051 |
| Egypt | 466,148 |
| Pakistan | 400,706 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 19,306 |
| Denmark | 10,549 |
| Norway | 8,550 |
| Finland | 6,896 |
| Iceland | 987 |
| Greenland | 141 |
| Faroe | 94 |
| Åland | 22 |
Exodus Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 474,654 |
| Rhadamanthys | 107,151 |
| RedLine | 35,100 |
| StealC | 26,518 |
| Vidar | 11,417 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 71,735 |
| Brazil | 50,432 |
| Indonesia | 37,162 |
| USA | 28,773 |
| Philippines | 24,774 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 1,914 |
| Denmark | 1,050 |
| Norway | 820 |
| Finland | 603 |
| Iceland | 83 |
Articles/News
From infostealer to full RAT: dissecting the PureRAT attack chain
- https://www.bleepingcomputer.com/news/security/from-infostealer-to-full-rat-dissecting-the-purerat-attack-chain/
A taxonomy of Mac stealers: Distinguishing Atomic, Odyssey, and Poseidon
- https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/
The ClickFix Factory: First Exposure of IUAM ClickFix Generator
- https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers
- https://www.pointwild.com/threat-intelligence/shuyal-stealer-advanced-infostealer-targeting-19-browsers
Inside Russian Market: Uncovering the Botnet Empire
- https://www.rapid7.com/blog/post/tr-inside-russian-market-uncovering-the-botnet-empire/