The 2025 Infostealer Ecosystem
If you think ransomware was the dominant cyber threat of 2025, we are here to tell you that you should re-consider :)
Infostealers don’t lock your data or demand a ransom. They quietly siphon your credentials, browser history, crypto wallets, session tokens, and sometimes even the keys to your digital life, all without alerting you.
What’s more, in 2025 they’ve evolved from blunt credential grabbers into sophisticated tools that rival even advanced ransomware in economic and operational impact.
Let’s unpack what’s driving this surge and how the infostealer ecosystem really works.
From Credential Theft to High-Velocity Data Harvesting
The category has existed for years, primarily focused on gathering login credentials and personal information.
But the 2025 landscape is different:
These tools now routinely extract high-value artifacts like 2FA tokens, session cookies, password vaults, and wallet secrets.
Some leverage sandbox evasion, hardware fingerprinting, and AppBound bypass techniques to slip past endpoint defenses unnoticed.
Distributed through malvertising, phishing, trojanized installers, and even poisoned AI search results, they exploit modern workflows — not just naive users.
Malware-as-a-Service Fuels the Infostealer Economy
One big factor behind the rise of infostealers is the malware-as-a-service (MaaS) model.
Instead of needing deep technical skills, would-be attackers rent plug-and-play malware kits with dashboards, support, and turnkey distribution options. This has two consequences:
Barriers to entry for cybercriminals are dramatically lower.
The volume of stolen data traded on underground markets has skyrocketed with millions of compromised credentials available at tiny prices.
Infostealers are no longer niche tools; they are commercial cybercrime products with recurring revenue streams.
The Big Five Leading the Charge in 2025
The infostealer ecosystem in 2025 is dominated by several prolific families, each with its own tactics, strengths, and implications:
Lumma Stealer
Once known as LummaC2, this malware is one of the most active players. It hides in plain sight using deceptive CAPTCHA pages and malvertising funnels. It also targets crypto wallets and 2FA extensions with high success.
Vidar 2.0
Now rewritten in efficient native code, Vidar extracts data in parallel, bypasses modern browser encryption, and frequently shows up bundled with other malware. Its polymorphic builds make detection harder.
RisePro
Often delivered by notorious loaders, RisePro blends into legitimate traffic and uses custom protocols to evade network inspection. When it appears, it usually signals a fully compromised environment.
Meduza
This lightweight, dependency-free stealer runs directly at the OS level and targets a very wide range of applications including minor browsers and credential stores. Its stealthy footprint makes it a nightmare for incident responders.
Atomic Stealer / AMOS
Once limited to Windows, variants of this malware now target macOS with click-based social engineering and even poisoned AI suggestions. These variants don’t just steal, they open backdoors for persistent access.
Infostealers Are Harder to Spot
Historically, infostealers entered systems through obvious phishing emails or cracked software. We highlight below the most popular distribution tactics:
- Malvertising: ads that drop malware behind the scenes.
- AI poisoning: tricking search engines and LLMs (like ChatGPT/Grok) into recommending malicious fixes.
- Legitimate platform abuse: hiding malware within trusted services (like GitHub releases).
Vidar Analysis with ANY.RUN
We know that a practical demonstration of the theory is crucial, so let's analyse one of the samples above in a VM environment.
The sample masquerades as a legitimate GitHub release (latest-x86.rar) but executes a Vidar information-stealing payload once unpacked and run. This is a credential-theft focused infection with C2 exfiltration over Telegram-related infrastructure and dead-drop resolution.
Detonation Link:

Initial Delivery & Masquerading
- Payload hosted on GitHub Releases, abusing trust in legitimate platforms.
- Filename implies HyperX / gaming software, a common lure.
This is a red flag because GitHub is often allow-listed in corporate environments, and users are less suspicious of .rar installers that come from GitHub. SOC teams should not treat GitHub as inherently benign.
Process Analysis
Our main loader is:
Millennium.pif (PID 8920)

Key behaviors:
- Executes as a disguised .pif file (legacy extension abuse).
- Reads CPU info, Machine GUID, and product identifiers → classic fingerprinting.
- Checks proxy configuration → network evasion & routing awareness.
- Creates files in its execution directory → staging for payload/config.
These actions are textbook pre-exfil reconnaissance for stealers.
Persistence & Privilege Signals
Indicators raised by ANY.RUN:
- Process added to startup
- Integrity level elevation attempt
- Malware configuration loaded into memory
Vidar variants commonly establish light persistence to survive reboots long enough to exfiltrate. Integrity elevation attempts suggest either:
- UAC bypass attempts
- Or elevated context to access browser credential stores
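To show how the reconnaissance and persistence signals above can be scored on host telemetry, here is an added Python example (not from the ANY.RUN report or the original post) that runs over constructed Sysmon-style events. The event format, PIDs, paths and the hypothetical signal names are assumptions; the registry values it looks for (MachineGuid, ProcessorNameString, ProxyServer, the Run key) are standard Windows locations.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry ("pid|event|target"); not taken from the ANY.RUN report.
EVENTS = """\
8920|ProcessCreate|C:\\Users\\user\\Downloads\\latest-x86\\Millennium.pif
8920|RegistryRead|HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid
8920|RegistryRead|HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString
8920|RegistryRead|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer
8920|FileCreate|C:\\Users\\user\\Downloads\\latest-x86\\config.bin
8920|RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Millennium
4120|ProcessCreate|C:\\Program Files\\Vendor\\updater.exe
4120|RegistryRead|HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid
4120|FileCreate|C:\\Users\\user\\AppData\\Local\\Temp\\report.tmp
"""

# Registry targets matching the recon and persistence behaviours described above.
REG_SIGNALS = {
    "fingerprint": re.compile(r"\\(MachineGuid|ProcessorNameString|ProductId)$", re.I),
    "proxy_check": re.compile(r"\\Internet Settings\\Proxy", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run\\", re.I),
}

def collect_signals(log):
    """Return {pid: set(signal names)} from 'pid|event|target' lines."""
    image_dir, signals = {}, defaultdict(set)
    for line in log.splitlines():
        pid, event, target = line.split("|", 2)
        if event == "ProcessCreate":
            image_dir[pid] = ntpath.dirname(target).lower()
            if target.lower().endswith(".pif"):
                signals[pid].add("legacy_pif_extension")
        elif event in ("RegistryRead", "RegistrySet"):
            for name, rx in REG_SIGNALS.items():
                if rx.search(target):
                    signals[pid].add(name)
        elif event == "FileCreate" and ntpath.dirname(target).lower() == image_dir.get(pid):
            signals[pid].add("staging_in_exec_dir")  # drops files beside its own image
    return signals

def suspicious_pids(log, min_signals=3):
    """Flag a PID only when fingerprinting combines with persistence or staging."""
    return sorted(
        pid for pid, sig in collect_signals(log).items()
        if len(sig) >= min_signals and "fingerprint" in sig
        and sig & {"run_key_persistence", "staging_in_exec_dir"}
    )
```

A single MachineGuid read (PID 4120 here) is normal for legitimate software; the combination with a Run key write or staging next to the image is what lifts PID 8920 above the noise.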

Network Behaviour Analysis
Telegram-based infrastructure
- TLS SNI references to t.me
- Known Vidar behavior: exfiltration via Telegram bots
Dead Drop Resolver (DDR)
- Uses Steam community pages to retrieve dynamic C2 addresses.
- This allows attackers to rotate infrastructure without changing binaries.
Generic stealer domain chains
- Tagged as tgsteam — hybrid Telegram + Steam abuse
DDR makes static IOC blocking ineffective and Telegram traffic often blends into legitimate encrypted TLS traffic. This indicates active operator maintenance, not commodity malware left unattended.
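Because the Steam dead-drop and Telegram traffic are individually benign-looking, the useful network signal is their co-occurrence from one host. The following is an added Python example (not from the original post) that correlates constructed Zeek-style ssl.log entries; the timestamps, source IPs and window size are assumptions.

```python
from collections import defaultdict

# Constructed Zeek-style ssl.log excerpt ("ts src_ip server_name"); not from the report.
SSL_LOG = """\
1700000000 10.0.0.5 steamcommunity.com
1700000012 10.0.0.5 t.me
1700000020 10.0.0.5 example-cdn.net
1700000100 10.0.0.7 steamcommunity.com
1700009000 10.0.0.7 t.me
1700000200 10.0.0.9 t.me
"""

TELEGRAM = ("t.me", "telegram.org")     # exfil channel named in the analysis above
STEAM = ("steamcommunity.com",)         # dead-drop resolver host

def parse(log):
    for line in log.splitlines():
        ts, src, sni = line.split()
        yield int(ts), src, sni.lower()

def matches(sni, suffixes):
    return any(sni == s or sni.endswith("." + s) for s in suffixes)

def tgsteam_hosts(log, window=300):
    """Hosts that hit a Steam community page and then Telegram within `window` seconds.

    Returns {src_ip: timestamp of the first Telegram contact that completed the pattern}.
    """
    steam_hits = defaultdict(list)
    flagged = {}
    for ts, src, sni in sorted(parse(log)):
        if matches(sni, STEAM):
            steam_hits[src].append(ts)
        elif matches(sni, TELEGRAM):
            # A Steam lookup shortly before Telegram traffic = DDR followed by exfil
            if any(0 <= ts - t <= window for t in steam_hits[src]):
                flagged.setdefault(src, ts)
    return flagged
```

Treat a hit as a hunting lead rather than a verdict: a user browsing Steam and then opening Telegram can trigger it, so tune the window and join the result against process-level telemetry (which process owned the TLS session) before escalating.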

Vidar IOCs
Hashes:
- MD5: 8AC6AD0E64E00D87030B107A50EEE678
- SHA1: 0E87207624F1DB7360485F6A84EA16D82F9D3DD9
- SHA256: 50FB89C465B197416ED034E6F2C302C5B4B4A4475AF7939AA25B2CA4391324AD
Detection signals:
- Detected by AV engines
- Suspicious PE structure
- Stealer-like behavioral heuristics
- Known malware configuration present