Vidar Malware Surges as Top Credential-Stealing Threat in Early 2026 A credential-stealing malware called Vidar has become one of the most active threats targeting corporate employees in early 2026. Cybercriminals are distributing the malware through fake software downloads promoted via YouTube videos, tricking victims into installing it and leading to the theft of login credentials, browser data, and cryptocurrency wallet information. The campaign’s scale and precision have drawn global attention from security researchers. Vidar’s rise follows the 2025 takedowns of Lumma and Rhadamanthys, two widely used infostealers, which left cybercriminals searching for alternatives. Vidar’s operators capitalized on the gap, releasing Vidar 2.0 in October 2025 with enhanced evasion techniques. Since then, it has dominated the Russian Market, a dark web hub for stolen data, based on monthly upload volumes. Security firm Intrinsec traced a full attack chain after a corporate employee at one of its clients was compromised. The attack began with a YouTube video advertising NeoHub, a fake software tool. The victim was redirected through a file-sharing site before downloading a malicious archive from Mediafire. The installation appeared legitimate, but the executable (NeoHub.exe) secretly loaded a second file (msedge_elf.dll), which contained the Vidar payload. The DLL was disguised as a Microsoft Edge component and signed with a fake code-signing certificate impersonating GitHub and other entities. Vidar employs advanced obfuscation, including a GO-based packer and control flow flattening, to evade detection. It retrieves its command-and-control (C2) server location from public Steam profiles and Telegram channels, allowing attackers to rotate infrastructure without updating the malware. The malware targets Chrome, Firefox, Edge, Opera, Vivaldi, Waterfox, and Palemoon, extracting passwords, cookies, credit card data, and cryptocurrency wallet files. Stolen credentials are sold on the Russian Market, exposing corporate networks to further attacks. CISA has linked Vidar to Scattered Spider, a notorious cybercriminal group, underscoring its role in high-risk campaigns.