The New King of Infostealers: Vidar 2.0 Emerges with Polymorphic Evasion
In recent weeks, the activity of the Vidar Stealer malware has surged dramatically — its new version 2.0 emerged amid the decline of Lumma Stealer’s dominance and has already captured the attention of cybercriminal communities. The updated Vidar introduces substantial technical refinements, including a complete architectural overhaul, advanced evasion mechanisms, and the ability to steal data simultaneously from multiple sources. Its developer, known by the alias Loadbaks, announced the release on October 6 across underground forums, with infection spikes detected only days later.
The key technical distinction of this version is the complete transition from C++ to the C programming language, which, according to the author, enhances both stability and performance. Vidar now operates on a multithreaded architecture, dynamically scaling thread counts based on the infected system’s capabilities — a change that accelerates data collection while reducing the likelihood of detection before the operation’s completion.
The methods of data extraction have also been greatly enhanced. Vidar 2.0 now bypasses modern browser protection mechanisms, injecting itself into Chrome processes and evading Chrome's App-Bound Encryption (AppBound), which ties encryption keys to the specific application that created them. This enables attackers to retrieve saved passwords and sensitive information directly from browser memory, eliminating the need to decrypt data from disk. The malware targets data from Chrome, Firefox, popular messaging platforms, cloud services, and cryptocurrency wallets alike.
A major innovation is the integrated obfuscation system: every Vidar instance is now generated with a unique signature through an internal morphing engine, rendering static analysis virtually futile as antivirus engines struggle to adapt to the constantly evolving codebase. The malware also employs control flow flattening, implementing a sophisticated state-switching mechanism that complicates reverse engineering — a technique previously observed in other stealers such as Lumma, suggesting shared design philosophies within this malware family.
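To make the control flow flattening described above concrete for analysts, here is an added illustration (not code from the article or from the malware) in Python: the same small checksum routine written normally and then with its control flow flattened into one dispatcher loop driven by a state variable. The function names and the checksum logic are constructed for illustration; real obfuscators additionally encode the state values opaquely, which is what makes recovering the original control flow graph statically so laborious.

```python
def checksum_plain(data: bytes) -> int:
    """Readable version: one loop and one conditional, so the control flow graph
    is a small, obvious diamond inside a loop."""
    total = 0
    for b in data:
        if b & 1:
            total = (total + b) & 0xFF
        else:
            total ^= b
    return total


def checksum_flattened(data: bytes) -> int:
    """Same computation after control flow flattening (constructed example).

    Every basic block of checksum_plain becomes one case of a single dispatcher
    loop; the block's successor is selected by reassigning `state` rather than
    by a direct branch. A disassembler then sees one big switch whose edges all
    lead back to the dispatcher, hiding the real loop/if structure.
    """
    STATE_ENTRY, STATE_COND, STATE_LOAD, STATE_ODD, STATE_EVEN, STATE_EXIT = range(6)
    state = STATE_ENTRY
    total = i = b = 0
    while state != STATE_EXIT:
        if state == STATE_ENTRY:            # prologue
            total, i = 0, 0
            state = STATE_COND
        elif state == STATE_COND:           # loop condition
            state = STATE_LOAD if i < len(data) else STATE_EXIT
        elif state == STATE_LOAD:           # fetch byte, branch on parity
            b = data[i]
            state = STATE_ODD if b & 1 else STATE_EVEN
        elif state == STATE_ODD:            # "if" arm
            total = (total + b) & 0xFF
            i += 1
            state = STATE_COND
        elif state == STATE_EVEN:           # "else" arm
            total ^= b
            i += 1
            state = STATE_COND
    return total


def dispatcher_states(data: bytes) -> int:
    """Count dispatcher iterations for the flattened version: a rough measure of
    how many extra edges an analyst must untangle for the same behaviour."""
    STATE_ENTRY, STATE_COND, STATE_LOAD, STATE_ODD, STATE_EVEN, STATE_EXIT = range(6)
    state, i, steps = STATE_ENTRY, 0, 0
    while state != STATE_EXIT:
        steps += 1
        if state == STATE_ENTRY:
            state = STATE_COND
        elif state == STATE_COND:
            state = STATE_LOAD if i < len(data) else STATE_EXIT
        elif state == STATE_LOAD:
            state = STATE_ODD if data[i] & 1 else STATE_EVEN
        else:
            i += 1
            state = STATE_COND
    return steps


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print(checksum_plain(sample), checksum_flattened(sample), dispatcher_states(sample))
```

Both functions return identical results for any input; the only thing the flattened form adds is the dispatcher, which is exactly the structure an analyst has to collapse back into a normal graph before the logic becomes readable.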
During infection, Vidar 2.0 executes a sequence of checks — detecting debuggers, sandbox environments, and analyzing hardware configurations. Once verification is complete, the malware begins parallelized data harvesting, targeting saved credentials, browser histories, cookies, autofill data, cryptocurrency keys, and user information from Telegram, Discord, Steam, and various cloud platforms, along with documents and files from local directories and external drives.
The stealer also captures screenshots before encrypting the collected data and transmitting it to its command server via HTTP forms, Telegram channels, or Steam profiles repurposed as communication relays.
After data collection concludes, the malware terminates its threads, wipes temporary artifacts, and silently exits, leaving minimal forensic traces and complicating investigation efforts. Expert analysis reveals that Vidar 2.0’s architecture and operational behavior are meticulously engineered for long-term, covert deployment.
Given its technical maturity, adaptability, and modest pricing (around $300), Vidar 2.0 is poised to fill the void left by Lumma’s decline and may become one of the most sought-after data-stealing platforms in the final quarter of 2025.
Security specialists warn that detecting this threat requires a multi-layered defense approach, incorporating behavioral analytics, strict digital hygiene, and careful credential management to mitigate the risks posed by this increasingly sophisticated stealer.
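As an added example (not from the article or from any vendor's tooling), the following Python shows what a behavioral-analytics correlation for the pattern described above can look like, run over constructed Sysmon-style telemetry: a non-browser process opens a browser process with injection-capable access rights and, within a short window, the same process connects to one of the services the article names as relay channels. The event field names, the process allowlist, the relay domain list, the sample events and the ten-minute window are all assumptions chosen for illustration; the access-right constants are the documented Win32 values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Documented Win32 process access rights that together allow writing code into
# another process and starting a thread in it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Public endpoints of the services the article names as relays (assumption).
RELAY_DOMAINS = {"api.telegram.org", "steamcommunity.com"}
# Processes that legitimately talk to those services (constructed allowlist).
RELAY_ALLOWLIST = BROWSERS | {"telegram.exe", "steam.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_browser_injection(ev):
    """A non-browser process opening a browser process with injection-capable rights."""
    return (ev["type"] == "process_access"
            and ev["target_image"].lower() in BROWSERS
            and ev["source_image"].lower() not in BROWSERS
            and bool(ev["granted_access"] & INJECTION_RIGHTS))


def is_suspicious_relay(ev):
    """A connection to a relay service from a process that has no business there."""
    return (ev["type"] == "network_connect"
            and ev["dest_host"].lower() in RELAY_DOMAINS
            and ev["image"].lower() not in RELAY_ALLOWLIST)


def correlate(events):
    """One alert per process that injects into a browser and then contacts a relay
    service within WINDOW. Input order does not matter; timestamps are compared."""
    by_pid = defaultdict(lambda: {"inject": [], "relay": []})
    for ev in events:
        if is_browser_injection(ev):
            by_pid[ev["source_pid"]]["inject"].append(ev)
        elif is_suspicious_relay(ev):
            by_pid[ev["pid"]]["relay"].append(ev)
    alerts = []
    for pid, seen in by_pid.items():
        for inj in seen["inject"]:
            hit = next((rel for rel in seen["relay"]
                        if timedelta(0) <= ts(rel) - ts(inj) <= WINDOW), None)
            if hit:
                alerts.append({"pid": pid, "image": inj["source_image"],
                               "browser": inj["target_image"], "relay": hit["dest_host"],
                               "injected_at": inj["ts"], "connected_at": hit["ts"]})
                break
    return alerts


def uncorrelated_relays(events):
    """Relay connections from non-allowlisted processes with no matching injection:
    returned separately for lower-severity triage rather than dropped."""
    flagged = {a["pid"] for a in correlate(events)}
    return [ev for ev in events if is_suspicious_relay(ev) and ev["pid"] not in flagged]


# Constructed telemetry; process names, PIDs and times are made up for the example.
SAMPLE_EVENTS = [
    # Chrome opening its own child process with full access: expected browser behaviour.
    {"type": "process_access", "ts": "2025-10-09T10:00:01", "source_pid": 4100,
     "source_image": "chrome.exe", "target_pid": 4188, "target_image": "chrome.exe",
     "granted_access": 0x1FFFFF},
    # An unknown binary opens Chrome with full access.
    {"type": "process_access", "ts": "2025-10-09T10:00:05", "source_pid": 7312,
     "source_image": "update_helper.exe", "target_pid": 4188, "target_image": "chrome.exe",
     "granted_access": 0x1FFFFF},
    # The Telegram desktop client talking to its own API: allowlisted.
    {"type": "network_connect", "ts": "2025-10-09T10:01:10", "pid": 2200,
     "image": "telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    # The same unknown binary contacts Telegram two minutes after the injection.
    {"type": "network_connect", "ts": "2025-10-09T10:02:30", "pid": 7312,
     "image": "update_helper.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    # Relay contact with no preceding injection: triage item, not a correlated alert.
    {"type": "network_connect", "ts": "2025-10-09T11:00:00", "pid": 900,
     "image": "svchost.exe", "dest_host": "steamcommunity.com", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
    for ev in uncorrelated_relays(SAMPLE_EVENTS):
        print("REVIEW", ev["image"], ev["pid"], ev["dest_host"])
```

The point of correlating the two behaviours rather than alerting on either alone is noise: browsers open their own processes with full access all day, and legitimate clients reach Telegram and Steam constantly, but a single non-browser process doing both in sequence matches the harvest-then-exfiltrate flow described above and is rare in normal telemetry. Sysmon's ProcessAccess (Event ID 10) and NetworkConnect (Event ID 3) events carry the fields this rule needs, though their real names and value formats differ from the simplified dictionaries used here.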