A brief look at all things infostealers for the week 6, 2026 (02.02.2026 –08.02.2026). Updates in Bluefox, Santa, The Void stealers. Grabbed some numbers from marketplaces and few interesting news/articles for you to read.
Infostealer Updates
BLUEFOX Stealer
Update v3.1.2
1. Added x64 bit support for builds, 9 .exe implants are available for use.
2. Added support for creating shellcodes from builds, now donut and solutions based on it work correctly.
3. Added display of machine name and PC username to the admin panel.
4. Added additional confirmation for deleting logs from the admin panel.
Screenshot taken from XSS forum
SantaStealer
SantaStealerUpdate!
• 5 New Features · 2 Improvements · 2 Bug Fixes –(Only notable updates included)
——— NEW FEATURES ———
1.1 – Ability to choose how long each directory is scanned for important documents & crypto related files. Configure under the “Document & Crypto File Extractor” module configuration
1.2 – Added option to disable AntiVM. Only available when encryption is enabled.
1.3 – Added configuration option to the “Custom Payload” module, It can now download a payload from a URL instead of having to be binded to the executable.
1.4 – Created new ‘Updates’ tab displaying previous update history
1.5 – Added support for more coins to the crypto clipper module
——— IMRPVEMENTS ———
2.1 – Improved string encryption in general. Encrypted a lot of plaintext strings.
2.3 – Files dropped by the ‘Custom Payload’ module will now work even if they require UAC, UAC will be requested.
——— FIXES ———
3.1 – Fixed an issue with displaying the default file watermark configuration on the ‘Build’ tab
3.2 – Fixed an issue with “Custom Payload” moduleexecuting files silently even if they have a GUI
—This update is relatively small compared to our other updates. The next update will be much larger.
— Access the Santa Stealer WebPanel via stealer[.]su – generate an account and purchase a plan in less then 1 minute
Screenshot from SantaStealer’s Telegram channel
The Void Stealer
Update 1.4
- The Firefox password decryption method has been changed; previously, passwords were a bottleneck in data processing, causing logs to take a long time to process on the server side.
- Optimized rlay servers, speeding up relays; logs will now reach the control panel even faster.
- You can now install a private shim server on YOUR server for free.
- The syscall method has been changed.
Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, the victim numbers in the countries of the Nordic region. In addition, see the CryptPad spreadsheet for more meaningless numbers.
Marketplace Updates Spreadsheet 2026
The below spreadsheet contains meaningless numbers taken in 2025:
Marketplace Updates Spreadsheet 2025
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,010,625 |
| Vidar | 1,004,035 |
| Acreed | 898,662 |
| StealC | 806,459 |
| Rhadamanthys | 575,280 |
| RedLine | 192,101 |
| RisePro | 145,521 |
| Raccoon | 5,070 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,233,549 |
| Brazil | 763,049 |
| Indonesia | 581,492 |
| Egypt | 493,898 |
| Pakistan | 423,315 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 23,864 |
| Denmark | 13,056 |
| Norway | 10,725 |
| Finland | 8,816 |
| Iceland | 1,162 |
| Greenland | 158 |
| Faroe | 111 |
| Åland | 24 |
Exodus Market
The marketplace was down, therefore no updates from the ExodusMarket.
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| StealC | – |
| Vidar | – |
| Lumma | – |
| Rhadamanthys | – |
| RedLine | – |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | – |
| Brazil | – |
| Turkey | – |
| USA | – |
| Bangladesh | – |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | – |
| Denmark | – |
| Norway | – |
| Finland | – |
| Iceland | – |
Articles/News
Technical Analysis of Marco Stealer
- https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer
Infostealers without borders: macOS, Python stealers, and platform abuse
- https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/