The year 2025 saw many shifts in the stealer ecosystem, mainly due to international police operations leading to the takedowns of Lumma and Rhadamanthys infrastructure. However, the chaos resulting from their disruption created more opportunities for competitors, including Vidar.
Key findings
- The state of Vidar at the beginning of 2026. Following the major takedowns affecting Lumma and Rhadamanthys, Vidar profited from the resulting chaos to rise to the top of the stealer ecosystem. We assess that this rise was enabled by the release of version 2.0 of the malware and by its collaboration with “Cloud” Telegram channels.
- Details on a kill chain that infected corporate employees. We were able to analyse the whole kill chain, starting from the download of fake software advertised on YouTube, through the unpacking of the Vidar stealer, to the sale of the stolen credentials on Russian Market.
- Analysis of the Vidar sample. While the new version of the malware was recently analysed by other vendors, we detail the C2 recovery mechanism, which relies on dead drop resolvers, and the control flow flattening used to slow down analysis. An unpacked sample, potentially uploaded to VirusTotal by a Russian threat actor, reveals the classic stealing capabilities.
- Details on the infrastructure used by Vidar. This infrastructure was previously identified in our Acreed analysis; here, we were able to determine that some of its domains are used to generate the payloads built by Vidar's clients.
Intrinsec's CTI services
Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.
For this report, shared with our clients in January 2026, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
