
In early October, a new version of the Vidar infostealer malware, dubbed Vidar Stealer 2.0, was released on underground dark web forums, marking a substantial upgrade over the previous version. The authors claim improved efficiency and speed from rewriting the C++ codebase in pure C. Vidar 2.0 also introduces several concerning features, including sophisticated techniques for stealing browser credentials, multi-threaded data theft, and advanced anti-analysis tactics.
What’s Notable and Unique
- In addition to the switch in programming language, multithreading architecture, and credential extraction capabilities, Vidar 2.0 also features an automatic polymorphic “builder”, which generates unique malware samples, allowing it to better evade detection.
- Researchers note an increase in Vidar activity since its release, suggesting that threat actors are switching to the new version as an alternative to other stealer malware, such as Lumma Stealer. Lumma was one of the most prominent infostealers at the start of 2025, until law enforcement disrupted its infrastructure in May.
Analyst Comments
Arete has observed an increase in the use of information stealers and data collection by threat actors in 2025, and cybercriminals continue to evolve and adapt their tooling, as the release of Vidar 2.0 illustrates. The rise in activity in the short time since its release suggests that Vidar 2.0 will likely remain a persistent threat for the remainder of 2025. Establishing best practices for credential management, strengthening endpoint security, and monitoring for unusual multi-threaded activity or data exfiltration can help mitigate the risks posed by infostealers like Vidar 2.0.
Sources
Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities