Vidar, a credential-stealing malware lurking in the cybercriminal ecosystem since 2018, has risen to the top of the chaotic infostealer market following this year’s law‑enforcement takedowns of Lumma and Rhadamanthys. According to Intrinsec, Vidar’s author carried out a major upgrade and expanded its distribution network during the disruption, fuelling its rise as a go‑to option for cybercriminals.
The 43‑page Intrinsec report describes Vidar as the most used infostealer on Russian Market, a cybercrime marketplace, since November 2025, having displaced Lumma and Rhadamanthys after their respective takedowns in May 2025 and November 2025. The malware is used by some high‑profile threat groups, including Scattered Spider, and its growing client base means more threat actors are deploying it against corporate networks.
Intrinsec notes distribution methods range from phishing attachments and social engineering to campaigns on Telegram cloud channels, which advertise stolen credentials and help attract more clients.

28 April 2026.