2025-10-22

Vidar Stealer 2.0 debuted with new features, including a complete rewrite from C++ to C and a speedy multithreading system, Trend Micro revealed in a technical analysis Tuesday.

The Vidar Stealer malware-as-a-service (MaaS) has been around since 2018 and is one of the most popular infostealers in circulation, rivaling other popular stealers like LummaC2, RedLine and Raccoon Stealer.

In the second half of 2024, Vidar was used to steal more than 65 million passwords and was the second most common infostealer, seen in 17% of cases, according to a report by KrakenLabs and Specops.

Following the decline of LummaC2 due to law enforcement action earlier this year, Vidar has seen a rise in use and positions itself as a competitive alternative with a low $300 lifetime cost and regular updates.

The new version, which was announced on Oct. 6, 2025, is completely rewritten in C and adds new features to increase efficiency, stealth and effectiveness, Trend Micro said.

A new multi-threading system now allows parallel processing — in other words, the malware can steal data from multiple sources at the same time. The malware first determines the core count and physical memory availability of the victim system and tailors its multithreading process to the system’s capabilities.

This increase in efficiency shortens the duration of an attack, which narrows the window in which it can be detected and makes early detection and response all the more important.

Vidar Stealer 2.0 also includes a polymorphic builder that generates Vidar samples with unique binary signatures. This serves to reduce the effectiveness of static analysis tools that are reliant on indicators of compromise (IoCs) from previous samples.

In addition to this new stealth mechanism, a binary analysis by Trend Micro found that Vidar Stealer 2.0 also includes control flow flattening, which obfuscates the malware’s execution path and makes it difficult to reverse engineer.

For browser credential extraction, Vidar Stealer 2.0 employs a new technique designed to sidestep the AppBound encryption feature seen in Google Chrome and other Chromium browsers. It does this by launching browsers with debugging enabled and injecting malicious code into browser processes as they are running, Trend Micro’s analysis found. This code serves to extract encryption keys directly from active browser memory, bypassing the AppBound feature that protects stored keys.
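The behaviour described above leaves a trace a defender can look for: a Chromium browser being started with a remote-debugging switch by a process that would not normally launch it. The following is an added detection example, not code from the Trend Micro report or from Vidar itself. It scores constructed process-creation events (field names, sample paths and the benign-parent baseline are assumptions) and flags browsers started with the real Chromium switches `--remote-debugging-port`, `--remote-debugging-pipe` or `--remote-allow-origins`, weighting the result by who the parent process is, where it runs from, and whether the launch is headless and aimed at the user's real profile directory.

```python
"""Score process-creation events for browsers launched with DevTools debugging.

Added example; not Trend Micro's or Vidar's code. Event fields mimic a
generic EDR/Sysmon "process create" record and are an assumption.
"""
import re
from dataclasses import dataclass, field

# Chromium-based browser executables covered by the check (assumed list).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}

# Real Chromium switches that expose the DevTools protocol to another process.
DEBUG_FLAG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b|--remote-allow-origins\b", re.I)
HEADLESS_RE = re.compile(r"--headless\b", re.I)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=("?)(.+?)\1(?:\s|$)', re.I)

# Parents that normally spawn a browser on a workstation (assumed baseline;
# tune to the environment, e.g. add your software-deployment agent).
BENIGN_PARENTS = {"explorer.exe"} | CHROMIUM_BROWSERS

# Locations an unprivileged dropper can typically write to (assumed).
WRITABLE_DIR_RE = re.compile(r"\\(?:Temp|Downloads|Public|ProgramData)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def score_event(ev: dict):
    """Return a Finding for one event, or None when no debugging switch is present."""
    if basename(ev["image"]) not in CHROMIUM_BROWSERS:
        return None
    cmd = ev["cmdline"]
    if not DEBUG_FLAG_RE.search(cmd):
        return None
    score, reasons = 50, ["browser started with a remote-debugging switch"]
    parent = basename(ev["parent_image"])
    if parent not in BENIGN_PARENTS:
        score += 20
        reasons.append(f"unusual parent process {parent}")
    if WRITABLE_DIR_RE.search(ev["parent_image"]):
        score += 20
        reasons.append("parent runs from a user-writable directory")
    if HEADLESS_RE.search(cmd):
        score += 10
        reasons.append("headless launch, so the user sees no window")
    m = USER_DATA_DIR_RE.search(cmd)
    if m and "user data" in m.group(2).lower():
        score += 10
        reasons.append("launch targets the user's real profile directory")
    return Finding(ev["pid"], score, reasons)


def scan(events, threshold: int = 60):
    """Return findings at or above the alert threshold, preserving event order."""
    return [f for f in (score_event(e) for e in events) if f and f.score >= threshold]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Ordinary interactive browser launch from the desktop shell.
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    # 2. Pattern from the article: a binary in Temp starts a headless, debuggable
    #    browser over the user's real profile.
    {"pid": 5208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    # 3. A developer enabling DevTools by hand from the shell: logged, below threshold.
    {"pid": 6010, "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222'},
    # 4. Not a browser at all, even though the switch name matches.
    {"pid": 7001, "image": r"C:\Users\bob\AppData\Local\Programs\editor\editor.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Programs\editor\editor.exe" --remote-debugging-port=9333'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: score {f.score}: " + "; ".join(f.reasons))
```

The threshold separates the manual developer case (score 50) from the dropper-in-Temp case (score 110); rather than alerting on the switch alone, the parent process and launch context carry most of the weight, which is also what survives the polymorphic builder's changes to the payload's file hash.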

Vidar infostealer activity spiked shortly after the release of the new 2.0 version, signaling interest in the MaaS’ updated features.

“As Lumma Stealer activity continues to decline and underground actors migrate to Vidar and StealC alternatives, security teams should anticipate increased Vidar 2.0 prevalence in campaigns through Q4 2025,” Junestherry Dela Cruz of Trend Micro wrote in the report.

“Organizations must ensure endpoint solutions are fully utilized and updated, while maintaining strong policies for credential management and user education, to protect against evolving threats like Vidar,” the report concluded.