
Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities

Trend Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline.


By: Junestherry Dela Cruz

Oct 21, 2025



Key Takeaways:

  • Vidar 2.0’s release coincides with a decline in Lumma Stealer activity, resulting in a spike in threat actor adoption and heightened campaign activity.
  • The new version is completely rewritten in C, introducing a multithreaded architecture for faster, more efficient data exfiltration and improved evasion capabilities.
  • Enhanced credential extraction methods allow Vidar 2.0 to bypass advanced browser security features, such as Chrome’s AppBound encryption, through direct memory injection.
  • Vidar 2.0 systematically targets a broad scope of data, including credentials from browsers, cloud services, cryptocurrency wallets, gaming platforms, and various communication apps such as Discord and Telegram.
  • Trend Vision One™ detects and blocks the specific IoCs referenced in this article, while providing customers with access to hunting queries, actionable threat insights, and intelligence reports related to Vidar Stealer.

On October 6, 2025, the developer known as "Loadbaks" announced the release of Vidar Stealer v2.0 on underground forums. This new version features a complete transition from C++ to a pure C implementation, allegedly enhancing performance and efficiency. Its release coincides with a decline in activity surrounding the Lumma Stealer, suggesting that cybercriminals who relied on Lumma are exploring alternatives like Vidar and StealC.

Vidar 2.0 is said to introduce a range of concerning features, including advanced anti-analysis measures, multithreaded data theft capabilities, and sophisticated methods for extracting browser credentials. With a consistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient.

Overview of Vidar

Vidar originated in 2018 as an information stealer on Russian-language underground forums, initially leveraging the Arkei stealer source code. It quickly gained traction due to its comprehensive ability to steal browser credentials and cryptocurrency wallets, coupled with a stable, well-supported operation, and a competitive US$300 lifetime price. Over the years, Vidar set itself apart from competitors like Raccoon and RedLine by consistently adding support for new browsers, wallets, and two-factor authentication applications, maintaining a loyal user base through ongoing updates and reliable developer support.

According to the October 2025 announcement, Vidar 2.0 features a complete architectural rework, with its developers emphasizing improvements in performance, evasion techniques, and overall capabilities. The update is described as a significant technical evolution, aiming to address previous limitations and maintain its effectiveness in a shifting threat landscape.

Figure 1. Vidar developer announcing the release of version 2.0

Figure 2. A major spike in Vidar activity after the release of version 2 monitored from Sept. to Oct. 10, 2025

What’s new in Vidar 2.0

Four significant changes have been introduced in this new iteration of the Vidar stealer, chief among them being several core architectural and functional changes. In this section, we examine each one to better understand what has changed and the implications of these changes.

Complete C language rewrite

According to the Vidar author "Loadbaks," the development team "rewrote the entire software from C++ to C — this gave a huge increase in stability and speed." This fundamental architectural change represents a complete departure from the previous codebase, with the developers claiming significant performance improvements and enhanced stability through the elimination of C++ dependencies and runtime overhead.

Multithreaded architecture

The Vidar author claims that "the unique multithreading system allows extremely efficient use of multi-core processors. It performs data-collection tasks in parallel threads, greatly speeding up the process." This represents a significant enhancement to the malware's operational efficiency, promising faster data collection and exfiltration through parallel processing capabilities that can leverage modern multi-core processor architectures.

Based on our analysis, the malware uses an advanced multi-threading system that automatically adjusts its performance based on the victim's computer specifications. It scales its operations by creating more worker threads on powerful systems and fewer threads on weaker machines, ensuring optimal performance without overwhelming the target system. This approach allows the malware to steal data from multiple sources simultaneously - such as browsers, cryptocurrency wallets, and files - rather than processing them one at a time. The parallel processing significantly reduces the time the malware needs to remain active on the system, making it harder for security software to detect and stop the theft operation.

Figure 3. Thread count is dynamically calculated based on CPU core count and available physical memory

Browser credential extraction and AppBound bypass techniques

Vidar 2.0 has "implemented unique appBound methods that aren't found in the public domain" according to its developer. This capability specifically targets Chrome's enhanced security measures introduced in recent versions, claiming to bypass application-bound encryption that was designed to prevent unauthorized credential extraction by binding encryption keys to specific applications.

Binary analysis reveals that Vidar 2.0 implements comprehensive browser credential extraction capabilities targeting both traditional browser storage methods and Chrome's latest security protections across multiple browser platforms, including Chrome, Firefox, Edge, and other Chromium-based browsers. Among its traditional credential extraction techniques, the malware employs a tiered approach: it systematically enumerates browser profiles and attempts to extract encryption keys from Local State files using standard DPAPI decryption.

Figure 4. Vidar initially attempts traditional credential access methods, such as extracting and decrypting keys from browser Local State files

The malware also employs an advanced technique that launches browsers with debugging enabled and injects malicious code directly into running browser processes using either shellcode or reflective DLL injection. The injected payload extracts encryption keys directly from browser memory, then communicates the stolen keys back to the main malware process via named pipes to avoid disk artifacts. This approach can bypass Chrome's AppBound encryption protections by stealing keys from active memory rather than attempting to decrypt them from storage.
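The behaviour described above leaves two correlatable traces in endpoint telemetry: a browser started with a remote-debugging switch by a parent that is not a browser or the shell, and a named pipe created by that same parent. The following detection logic is an added example written for this article, not code from Trend Research or from Vidar; it runs over constructed Sysmon-style events (EventID 1 for process creation, EventID 17 for pipe creation), and the allowlist of benign parents, the file paths, PIDs and the pipe names are all assumptions for illustration.

```python
"""Added detection example: correlate a non-browser parent that launches a
Chromium-based browser with a remote-debugging switch and also creates a
named pipe. All events below are constructed, not real telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumed allowlist of parents that commonly start a browser; tune per environment
# (developer tooling such as IDEs and browser-automation frameworks may need adding).
BENIGN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe"}
# Real Chromium command-line switches that expose the DevTools protocol.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")

# Constructed sample telemetry (Sysmon-style fields); paths, PIDs and pipe names are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3004, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": '"chrome.exe" --profile-directory=Default',
     "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4410, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": '"chrome.exe" --remote-debugging-port=9222 --profile-directory=Default',
     "ParentProcessId": 4120, "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"EventID": 17, "ProcessId": 4120, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "PipeName": r"\example-collector-pipe"},
    # Browsers create pipes of their own, so a pipe event alone is not a signal.
    {"EventID": 17, "ProcessId": 3004, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.3004.1234"},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": '"msedge.exe" --remote-debugging-pipe',
     "ParentProcessId": 5000, "ParentImage": r"C:\Tools\script.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def has_debug_switch(cmdline: str) -> bool:
    return any(sw in cmdline.lower() for sw in DEBUG_SWITCHES)


def find_debug_launches(events):
    """Process-creation events where a Chromium browser is started with a
    remote-debugging switch by a parent outside the allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if basename(ev["Image"]) not in CHROMIUM_BROWSERS:
            continue
        if not has_debug_switch(ev["CommandLine"]):
            continue
        if basename(ev["ParentImage"]) in BENIGN_PARENTS:
            continue
        hits.append(ev)
    return hits


def pipes_by_pid(events):
    """Map creating PID -> list of pipe names from PipeCreated events."""
    pipes = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 17:
            pipes[ev["ProcessId"]].append(ev["PipeName"])
    return pipes


def detect(events):
    """One alert per suspicious debug launch; severity is raised when the
    launching parent also created a named pipe (the hand-off channel described
    in the article), which on its own would be far too noisy to alert on."""
    pipes = pipes_by_pid(events)
    alerts = []
    for ev in find_debug_launches(events):
        ppid = ev["ParentProcessId"]
        parent_pipes = pipes.get(ppid, [])
        alerts.append({
            "parent_pid": ppid,
            "parent_image": ev["ParentImage"],
            "browser": basename(ev["Image"]),
            "command_line": ev["CommandLine"],
            "pipes": parent_pipes,
            "severity": "high" if parent_pipes else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['parent_image']} (pid {a['parent_pid']}) "
              f"launched {a['browser']} with {a['command_line']!r}; pipes: {a['pipes']}")
```

Run against the constructed events, the rule ignores the explorer-launched browser and the browser's own pipe, raises a high-severity alert for `update.exe` (debug launch plus a pipe it created) and a medium one for `script.exe` (debug launch only). In practice the allowlist is the tuning point: IDEs and browser-automation tools start browsers with these switches legitimately, so the pipe correlation and the parent's path (a user-writable temp directory here) are what separate the stealer pattern from developer activity.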

Figure 5. Encryption keys stolen from browser memory are sent back to the malware process via named pipes

Automatic polymorphic builder

[...]

