{
	"id": "5e38186f-1668-424d-a0b7-2df48e4a0126",
	"created_at": "2026-04-06T00:21:20.984319Z",
	"updated_at": "2026-04-10T03:36:48.289721Z",
	"deleted_at": null,
	"sha1_hash": "f8194c31866f6407de6be1159f58c429e876d276",
	"title": "Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2509765,
	"plain_text": "Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades\r\nInfostealer Capabilities\r\nBy By: Junestherry Dela Cruz Oct 21, 2025 Read time: 7 min (1987 words)\r\nPublished: 2025-10-21 · Archived: 2026-04-05 13:39:25 UTC\r\nMalware\r\nTrend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a\r\nmultithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that\r\nVidar is positioning itself to occupy the space left after Lumma Stealer’s decline.\r\nKey Takeaways:\r\nVidar 2.0’s release coincides with a decline in Lumma Stealer activity, resulting in a spike in threat actor\r\nadoption and heightened campaign activity.\r\nThe new version is completely rewritten in C, introducing multithreaded architecture for faster, more\r\nefficient data exfiltration and improved evasion capabilities.\r\nEnhanced credential extraction methods allowed Vidar 2.0 to bypass advanced browser security features,\r\nsuch as Chrome’s AppBound encryption, through direct memory injection.\r\nVidar 2.0 systematically targets a broad scope of data, including credentials from browsers, cloud services,\r\ncryptocurrency wallets, gaming platforms, and various communication apps such as Discord and Telegram.\r\nTrend Vision One™ detects and blocks the specific IoCs referenced in this article, while providing\r\ncustomers with access to hunting queries, actionable threat insights, and intelligence reports related to\r\nVidar Stealer.\r\nOn October 6, 2025, the developer known as \"Loadbaks\" announced the release of Vidar Stealer v2.0 on\r\nunderground forums. This new version features a complete transition from C++ to a pure C implementation,\r\nallegedly enhancing performance and efficiency. 
Its release coincides with a decline in activity surrounding the\r\nLumma Stealer, suggesting that cybercriminals who had been operating under it are exploring alternatives like Vidar and StealC.\r\nVidar 2.0 is said to introduce a range of concerning features, including advanced anti-analysis measures,\r\nmultithreaded data theft capabilities, and sophisticated methods for extracting browser credentials. With a\r\nconsistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient.\r\nOverview of Vidar\r\nVidar originated in 2018 as an information stealer on Russian-language underground forums, initially leveraging\r\nthe Arkei stealer source code. It quickly gained traction due to its comprehensive ability to steal browser\r\ncredentials and cryptocurrency wallets, coupled with a stable, well-supported operation, and a competitive\r\nUS$300 lifetime price. Over the years, Vidar set itself apart from competitors like Raccoon and RedLine by\r\nhttps://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html\r\nPage 1 of 11\n\nconsistently adding support for new browsers, wallets, and two-factor authentication applications, maintaining a\r\nloyal user base through ongoing updates and reliable developer support.\r\nAccording to the October 2025 announcement, Vidar 2.0 features a complete architectural rework, with its\r\ndevelopers emphasizing improvements in performance, evasion techniques, and overall capabilities. The update is\r\ndescribed as a significant technical evolution, aiming to address previous limitations and maintain its\r\neffectiveness in a shifting threat landscape.\r\nFigure 1. Vidar developer announcing the release of version 2.0\r\nFigure 2. A major spike in Vidar activity after the release of version 2 monitored from Sept. 
to Oct.\r\n10, 2025\r\nWhat’s new in Vidar 2.0\r\nFour significant changes have been introduced in this new iteration of the Vidar stealer, most of them core\r\narchitectural and functional changes. In this section, we examine each one to better understand what\r\nhas changed and the implications of these changes.\r\nComplete C language rewrite\r\nAccording to the Vidar author \"Loadbaks,\" the development team \"rewrote the entire software from C++ to C —\r\nthis gave a huge increase in stability and speed.\" This fundamental architectural change represents a complete\r\ndeparture from the previous codebase, with the developers claiming significant performance improvements and\r\nenhanced stability through the elimination of C++ dependencies and runtime overhead.\r\nMultithreaded architecture\r\nThe Vidar author claims that \"the unique multithreading system allows extremely efficient use of multi-core\r\nprocessors. It performs data-collection tasks in parallel threads, greatly speeding up the process.\" This represents a\r\nsignificant enhancement to the malware's operational efficiency, promising faster data collection and exfiltration\r\nthrough parallel processing that can leverage modern multi-core processor architectures.\r\nBased on our analysis, the malware uses an advanced multi-threading system that automatically adjusts its\r\nperformance based on the victim's computer specifications. It scales its operations by creating more worker\r\nthreads on powerful systems and fewer threads on weaker machines, ensuring optimal performance without\r\noverwhelming the target system. 
This approach allows the malware to steal data from multiple sources\r\nsimultaneously - such as browsers, cryptocurrency wallets, and files - rather than processing them one at a time.\r\nThe parallel processing significantly reduces the time the malware needs to remain active on the system, making it\r\nharder for security software to detect and stop the theft operation.\r\nFigure 3. Thread count is dynamically calculated based on CPU core count and available physical\r\nmemory\r\nBrowser credential extraction and AppBound bypass techniques\r\nVidar 2.0 has \"implemented unique appBound methods that aren't found in the public domain\" according to its\r\ndeveloper. This capability specifically targets Chrome's enhanced security measures introduced in recent versions,\r\nclaiming to bypass application-bound encryption that was designed to prevent unauthorized credential extraction\r\nby binding encryption keys to specific applications.\r\nBinary analysis reveals that Vidar 2.0 implements comprehensive browser credential extraction capabilities\r\ntargeting both traditional browser storage methods and Chrome's latest security protections across multiple\r\nbrowser platforms including Chrome, Firefox, Edge, and other Chromium-based browsers. Among its traditional\r\ncredential extraction techniques, the malware employs a tiered approach that includes systematic enumeration of\r\nbrowser profiles and attempts to extract encryption keys from Local State files using standard DPAPI\r\ndecryption.\r\nFigure 4. 
Vidar initially attempts traditional credential access methods such as extracting and\r\ndecrypting keys from browser Local State files\r\nThe malware also employs an advanced technique that launches browsers with debugging enabled and injects\r\nmalicious code directly into running browser processes using either shellcode or reflective DLL injection. The\r\ninjected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back\r\nto the main malware process via named pipes to avoid disk artifacts. This approach can bypass Chrome's\r\nAppBound encryption protections by stealing keys from active memory rather than attempting to decrypt them\r\nfrom storage.\r\nFigure 5. Encryption keys stolen from browser memory are sent back to the malware process via named\r\npipes\r\nAutomatic polymorphic builder\r\nLastly, Vidar’s author also boasts of having \"added an automatic morpher, so every build is now unique.\" This feature is\r\ndesigned to generate samples with distinct binary signatures, making static detection methods more difficult.\r\nBinary analysis reveals that the new version of Vidar employs heavy use of control flow flattening, implementing\r\ncomplex switch-case structures with numeric state machines that can make reverse engineering more difficult.\r\nThis obfuscation method transforms the natural program flow into a series of state transitions controlled by switch\r\nstatements, effectively obscuring the original program logic. This same control flow flattening technique has been\r\nobserved in Lumma Stealer samples, suggesting the adoption of similar obfuscation frameworks within the\r\ninformation stealer ecosystem.\r\nFigure 6. 
Control flow flattening obfuscation in Vidar 2.0\r\nVidar 2.0 technical analysis and execution flow\r\nVidar 2.0's execution flow reveals a carefully orchestrated sequence of operations designed to maximize data\r\ncollection while evading detection through advanced anti-analysis techniques, multithreaded processing, and\r\nadaptive evasion mechanisms.\r\nFigure 7. Vidar 2.0’s execution flow\r\nInitialization and Evasion (Phases 1-2): Vidar 2.0 begins execution with a comprehensive initialization phase\r\nthat establishes its multithreaded architecture and implements control flow obfuscation through complex state\r\nmachines. The malware then performs extensive anti-analysis checks including debugger detection, timing\r\nverification, system uptime validation, and hardware profiling to ensure execution only occurs on genuine victim\r\nsystems rather than analysis environments. These checks must all pass for execution to continue, with any failure\r\nresulting in immediate termination to evade sandbox detection.\r\nIntelligence Gathering and Data Theft (Phases 3-6): Following successful evasion, the malware conducts\r\nthorough system profiling to collect victim information before launching parallel credential theft operations across\r\nmultiple categories. The sophisticated browser credential extraction employs both standard DPAPI decryption and\r\nadvanced memory injection techniques to bypass Chrome's v20 AppBound encryption, while simultaneously\r\ntargeting cryptocurrency wallets, cloud credentials, communication applications, and gaming platforms. 
The file\r\ngrabber component systematically searches for valuable files across user directories and removable drives,\r\nfocusing on cryptocurrency keys and potential credential files.\r\nData theft capabilities\r\nBrowser credentials:\r\nLogin Data - Chrome/Edge passwords\r\nWeb Data - Chrome/Edge autofill/credit cards\r\nlogins.json - Firefox passwords\r\nformhistory.sqlite - Firefox form history\r\ncookies.sqlite - Firefox cookies\r\nplaces.sqlite - Firefox browsing history\r\nkey4.db - Firefox master encryption key\r\npasswords.txt - Exported passwords\r\n\\Network\\Cookies - Network cookie files\r\nCryptocurrency wallets:\r\nLocal Extension Settings - Browser wallet extensions\r\nSync Extension Settings - Synced wallet data\r\n\\IndexedDB\\chrome-extension_ - Extension databases\r\n0.indexeddb.leveldb - LevelDB wallet storage\r\n\\Monero - Monero wallet directory\r\nCloud credentials:\r\n\\.aws - AWS CLI credentials\r\n\\.azure - Azure CLI credentials\r\n\\.IdentityService - Azure identity tokens\r\nmsal.cache - Microsoft Authentication Library cache (Office 365, Azure AD tokens)\r\nFTP/SSH credentials:\r\n\\AppData\\Roaming\\FileZilla\\recentservers.xml\r\nSoftware\\Martin Prikryl\\WinSCP 2\\Sessions\r\nSoftware\\Martin Prikryl\\WinSCP 2\\Configuration\r\nGaming/social platforms:\r\nloginusers.vdf - Steam login sessions\r\nlibraryfolders.vdf - Steam library info\r\nconfig.vdf - Steam configuration\r\nDialogConfig.vdf - Steam dialog settings\r\nssfn* - Steam Guard files\r\n\\Telegram Desktop\\* - Telegram data\r\nDiscord token files\r\nCommunication app session files\r\nTargeted browsers: Chrome, Microsoft Edge, Opera, Opera GX, Vivaldi, Firefox, Waterfox, Palemoon\r\nTable 1. 
Summary of Vidar 2.0’s data theft capabilities\r\nExfiltration and Cleanup (Phases 7-9): The final phases involve screenshot capture for additional intelligence\r\nvalue, followed by comprehensive data packaging and exfiltration through HTTP multipart form submissions to a\r\nround-robin command-and-control (C\u0026C) infrastructure that includes Telegram bots and Steam profiles as\r\ncommunication channels. The malware employs different operation modes to categorize stolen data and uses\r\nspecific authentication tokens and build identifiers for tracking and victim management. Execution concludes with\r\nsystematic cleanup of temporary artifacts and proper thread pool shutdown, demonstrating the malware's attention\r\nto operational security and forensic evasion.\r\nFigure 8. Initialization and configuration of C\u0026C server communication\r\nMITRE ATT\u0026CK Matrix\r\nTactic - Technique ID - Technique Name\r\nDefense Evasion:\r\nT1622 Debugger Evasion\r\nT1497.001 Virtualization/Sandbox Evasion\r\nT1027 Obfuscated Files or Information\r\nT1055.001 Process Injection: Dynamic-link Library Injection\r\nT1055.002 Process Injection: Portable Executable Injection\r\nDiscovery:\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1087.001 Account Discovery: Local Account\r\nT1518.001 Software Discovery: Security Software Discovery\r\nCredential Access:\r\nT1555.003 Credentials from Password Stores: Credentials from Web Browsers\r\nT1555 Credentials from Password Stores\r\nT1552.001 Unsecured Credentials: Credentials In Files\r\nT1528 Steal Application Access Token\r\nCollection:\r\nT1005 Data from Local System\r\nT1113 Screen Capture\r\nCommand and Control:\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nT1102.001 Web Service: Dead Drop Resolver\r\nT1573 Encrypted Channel\r\nExfiltration:\r\nT1041 
Exfiltration Over C2 Channel\r\nT1020 Automated Exfiltration\r\nTable 2. Observed MITRE ATT\u0026CK tactics and techniques of Vidar Stealer 2.0\r\nConclusion\r\nAs Lumma Stealer activity continues to decline and underground actors migrate to Vidar and StealC alternatives,\r\nsecurity teams should anticipate increased Vidar 2.0 prevalence in campaigns through Q4 2025. The malware's\r\ntechnical capabilities, proven developer track record since 2018, and competitive pricing position it as a likely\r\nsuccessor to Lumma Stealer's dominant market position.\r\nVidar 2.0’s streamlined exfiltration routines, broader data stealing ability, and increased resistance to takedown\r\nmeasures all aim toward a higher success rate for attacks and data breaches. Its enhanced anti-analysis features\r\nand rapid self-deletion also present additional challenges for detection and investigation.\r\nVidar’s evolution comes at an opportune time. Whether this is by design or coincidence, proactive defense and\r\ncontinuous monitoring in combating infostealers remain as critical as ever. 
Organizations must ensure endpoint\r\nsolutions are fully utilized and updated, while maintaining strong policies for credential management and user\r\neducation, to protect against evolving threats like Vidar.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management and security operations, delivering robust layered protection across on-premises,\r\nhybrid, and multi-cloud environments.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access Trend Vision One™ Threat Insights,\r\nwhich provides the latest insights from Trend™ Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nEmerging Threats: Vidar Stealer v2.0: Emergence and Technical Analysis\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nVidar Stealer v2.0: Emergence and Technical Analysis\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nmalName:*VIDAR* AND eventName:MALWARE_DETECTION AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement\r\nenabled.\r\nIndicators of Compromise (IoCs)\r\nIndicators of Compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html"
	],
	"report_names": [
		"how-vidar-stealer-2-upgrades-infostealer-capabilities.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8194c31866f6407de6be1159f58c429e876d276.pdf",
		"text": "https://archive.orkl.eu/f8194c31866f6407de6be1159f58c429e876d276.txt",
		"img": "https://archive.orkl.eu/f8194c31866f6407de6be1159f58c429e876d276.jpg"
	}
}