When a software tool designed to steal secrets becomes the subject of a public feud, who pays the price: the buyers, the developers — or the millions of people whose credentials and finances are traded like commodities? That is the moral and operational dilemma exposed by the recent Lumma Stealer episode and the simultaneous emergence of a retooled Vidar 2.0. Security researchers warn this is not mere infighting among criminals; it is a signal that the underground market is professionalizing and escalating in ways that matter to every organization that relies on digital identity.
At the heart of the story are two related developments. First, Lumma Stealer — a commercial, turnkey credential- and cookie-stealing product — was publicly doxxed, an event that revealed not just code and customers but the market mechanics of illicit toolmaking. Second, Trend Micro and other analysts have documented a refreshed Vidar 2.0 variant, and they advise security teams to anticipate increased Vidar 2.0 prevalence through Q4 2025. Together, these events illuminate an ecosystem where reputation, competition and rapid upgrades shape attacker behavior just as they do legitimate software markets .
Background: what Lumma, stealers and Vidar mean in practice
Stealers are malware families that harvest credentials, cookies, saved form data and other authentication tokens from browsers, password stores and applications. They are sold as-aservice products to buyers who then monetize the data through account takeovers, fraud and resale. Lumma Stealer’s exposure — the leaking of vendor and customer information — shows how even criminal markets are subject to branding disputes, reviews and sabotage. The episode revealed the layered harms of this economy: developers create the tools, buyers monetize them, and rival vendors or resellers weaponize leaks to damage competitors or reposition market share .
Vidar, historically a prolific stealer, has returned in new guise as Vidar 2.0. Security firms have observed functional upgrades and increasing distribution in campaigns. Trend Micro’s assessment — that security teams should expect greater Vidar 2.0 prevalence through late 2025 — underscores that defenders are unlikely to see a drop in stealer-based activity any time soon. Vidar’s renewed presence likely reflects both technical improvements and a steady demand for harvested credentials across criminal markets .
What’s happening now: the operational picture
- Market dynamics: The doxxing and public disputes among stealer vendors show the underground behaving more like a competitive industry — with branding, customer service, updates and reputational attacks shaping behavior. That increases churn and innovation among malicious offerings, and it raises the stakes for defenders who must track multiple forks and service providers .
- Technical evolution: Modern stealers are not simple credential harvesters. They incorporate device fingerprinting, proxy support, and increasingly stealthy exfiltration techniques (including embedding data in innocuous files). Vidar 2.0 represents this class of upgrades, making detection and attribution harder for defenders .
- Victim impact: Regardless of which criminal faction is exposed or fights publicly, the primary victims are individuals and organizations whose credentials are collected and sold. Leaks and market disputes may produce intelligence leads, but they also risk collateral damage if used uncritically by journalists or investigators .
Why it matters: three perspectives
Technologists: The technical arms race favors modular, service-oriented malware. When criminal offerings adopt practices from legitimate software development — rapid patching, feature roadmaps, customer-facing support — defenders must shift from signature-centric detection to telemetry-rich, behavior-based models. The need for strong authentication (hardware-backed MFA like FIDO2), enhanced endpoint telemetry, and content-aware inspection (including steganalysis where image-based exfiltration is suspected) is immediate and practical .
Policymakers and law enforcement: The Lumma doxxing highlights limitations of relying on vigilante disclosures or fragmented takedown strategies. Effective disruption must be cross-border and target the supply chain that enables these markets — hosting, payment processors, CDNs and proxy services — not just the malware authors. Policymakers must balance intelligence value from leaks against the risk of encouraging extrajudicial exposures that create confusion and hinder coordinated response .
Users and enterprises: Basic measures still matter but are no longer sufficient alone. Consumers and small businesses should practice credential hygiene, enable phishing-resistant MFA, and apply least-privilege controls. Enterprises must harden logging and retention to reconstruct events and prioritize detection rules that treat anomalous image creation or other covert exfiltration signals as high-risk activity. Leaks should be treated as investigative leads and corroborated across telemetry and trusted intelligence sources before action is taken .
Adversaries’ calculus: Why criminals invest in upgrades
For criminal vendors, the incentives are clear. A reliable, stealthy stealer commands higher prices and broader distribution. Reputation — whether maintained or tarnished via doxxing — directly affects market share. Rivalry can push vendors to innovate faster, which increases the operational tempo defenders must match. Public exposures can also be weaponized to discredit competitors or to extract information about customer lists and distribution networks, feeding further instability in the market .
Mitigation and practical takeaways
- Assume persistence: Treat Vidar 2.0 and similar tools as part of a persistent threat stream that will be upgraded and repackaged. Trend Micro’s guidance to expect increased prevalence through Q4 2025 should inform threat modelling and resource allocation.
- Harden authentication: Deploy phishing-resistant MFA (hardware tokens, FIDO2) to reduce the value of harvested credentials.
- Enhance telemetry and correlation: Improve endpoint logging, monitor for anomalous browser and image behavior, and correlate signals across identity, network and endpoint sources.
- Coordinate disruption: Work with law enforcement and cross-sector partners to target enabling infrastructure and financial flows that keep these markets functioning.
Conclusion
What began as a feud in the shadows — a doxxing of a stealer vendor and the resurfacing of Vidar as a more dangerous commodity — reads like a cautionary tale about how criminal markets adapt and scale. The immediate victims are customers of the underground and the individuals whose credentials circulate in these networks; the broader risk is a threat landscape that normalizes professional-grade offensive tooling. If criminal markets continue to mirror legitimate industry practices, defenders will have to borrow their own playbook: faster updates, deeper telemetry, and closer cooperation across borders. In a world where malware vendors care about brand and reputation, can defenders move with the same agility and resolve?
Source: https://www.infosecurity-magazine.com/news/lumma-stealer-vacuum-filled-vidar-2/




