Infostealer Malware in 2026: How Lumma, Vidar, and RedLine Drain Your Saved Browser Passwords (Defense Guide)
Disclaimer: This article is for educational and defensive cybersecurity purposes only. It describes how credential-stealing malware operates so readers can recognize, prevent, and recover from infections. Nothing here endorses unauthorized access to systems, accounts, or data. If you believe your credentials were stolen, follow the recovery steps in the final section and report the incident to your bank, employer, and local cybercrime unit.
In early 2026, IBM X-Force reported that Lumma Stealer, RedLine, and Vidar together account for roughly 90% of all observed infostealer infections. In January, researchers indexed a single combo-list dump containing 149 million unique credential pairs, including 48 million Gmail and 6.5 million Instagram logins, almost entirely sourced from infostealer logs. By April, the REMUS malware-as-a-service had added direct support for 1Password and LastPass vault extraction. The threat is no longer fringe; it is now the dominant route to account takeover, ransomware staging, and corporate breaches.
When I set up internal access controls for CyberShieldTips and the six other sites I run, I spent a full weekend rotating every saved browser credential across our team after a junior developer's machine showed signs of a Vidar infection traced to a cracked Photoshop installer. Nothing exfiltrated reached our production systems because we caught it in time, but the experience reshaped how I treat browser-saved passwords across our 50+ client projects at wardigi.com. This guide is the playbook I wish I had read before that weekend.
What an Infostealer Actually Does on Your Machine
An infostealer is a small, single-purpose piece of malware. It does not encrypt your files like ransomware. It does not open a remote desktop session like a RAT. Instead, it lands on your machine, runs once for 30 to 90 seconds, harvests a structured archive of credentials and tokens, sends that archive to a command-and-control server, then often deletes itself. You may never notice anything.
According to a March 2026 report from Recorded Future, the average infostealer harvests the following from a single Windows or macOS endpoint:
- Saved browser passwords: Chrome, Edge, Brave, Firefox, Opera, and Vivaldi all use predictable local credential stores. Modern stealers parse them in seconds.
- Session cookies: the most valuable asset. A stolen Gmail session cookie lets an attacker bypass your password, your hardware key, and your authenticator app. Cloudflare reported that 1,861 cookies are exfiltrated per average infection.
- Autofill data: names, addresses, credit card numbers, security questions.
- Cryptocurrency wallet files: MetaMask, Phantom, Exodus, and 40+ wallet extensions are explicitly targeted.
- Password manager databases: REMUS, Lumma v4, and the May 2026 Vidar variant all extract 1Password, Bitwarden, LastPass, and KeePass vaults if the master password was recently typed.
- Discord, Telegram, and Steam tokens: for follow-on social engineering.
- Cloud CLI credentials: AWS access keys in ~/.aws/credentials, GCP application-default credentials, Azure refresh tokens.
- SSH keys: private keys in ~/.ssh/, often without passphrases.
- System fingerprint: hostname, IP, OS version, installed software, screenshot of your desktop.
The resulting bundle is called a stealer log. A typical log is a 2 to 8 MB ZIP file named after your IP address, your hostname, and the date of infection.
The Big Three: Lumma, Vidar, and RedLine
Lumma Stealer (Market Share: ~55%)
Lumma surfaced in late 2022 and now leads the infostealer market by a wide margin. It is sold on Russian-language forums for $250 to $1,000 per month under a subscription model. Lumma's signature feature is its session-cookie hijacking: it specifically targets long-lived authentication cookies for Microsoft 365, Google Workspace, Discord, and crypto exchanges. Attackers use the stolen cookies to bypass MFA entirely by replaying the session in their own browser.
In May 2025, Microsoft and the U.S. Department of Justice seized 2,300 Lumma C2 domains. The disruption knocked the malware offline for about three weeks. By July 2025, Lumma was back at full operational capacity using a new domain-generation algorithm. That recovery is why I no longer treat malware takedowns as durable wins: the operators always rebuild.
RedLine Stealer (Market Share: ~25%)
RedLine has been active since March 2020 and remains the second-most-deployed infostealer. It is cheaper than Lumma (around $150 per month) and is the default choice for low-skill operators distributing it via cracked-software bundles, YouTube "free Photoshop" tutorial descriptions, and fake browser-update pop-ups. RedLine specializes in banking credential and cryptocurrency wallet theft. In November 2024, Operation Magnus by Dutch and U.S. law enforcement seized parts of RedLine's infrastructure, but a 2026 fork called RedLine NextGen now dominates the cracked-software distribution channel.
Vidar Stealer (Market Share: ~10%)
Vidar is the oldest of the three (active since 2018) and the most customizable. It is the favorite of advanced persistent threat groups that need to fine-tune which file types and which directories get exfiltrated. Vidar uses legitimate platforms (Telegram, Steam profiles, and Mastodon bios) to host its C2 configuration, which makes network-based detection difficult. A May 2026 variant analyzed by SC Media adds AppleScript-based execution on macOS, marking the first time Vidar has had a credible Mac payload.
How These Things Actually Get Onto Your Machine
Across the infections I have personally cleaned up for clients in the last 18 months, the delivery vector breakdown was roughly:
- Cracked or "free" software (about 60%): Adobe Creative Cloud cracks, AutoCAD activators, KMS Windows activators, pirated games. The promised software often does work, which is what makes it convincing.
- Fake browser updates (about 15%): a compromised website displays a full-page "Your Chrome is out of date" overlay. The downloaded "update" is a signed installer carrying Lumma or RedLine.
- Malicious npm and PyPI packages (about 10%): the May 2026 Hacker News report on four malicious npm packages siphoning SSH keys is a perfect example. Developers are now a prime target.
- SEO-poisoned search results (about 8%): searches for niche utilities ("notepad++ portable download", "winrar key 2026") increasingly return attacker-controlled sites at the top of Google.
- Phishing attachments and Discord/Telegram DMs (about 5%): fake job offers, fake brand-partnership pitches sent to YouTubers and streamers.
- Drive-by exploits (under 2%): rare, since most browsers are patched quickly.
The pattern that hit our team came from category one: a cracked installer that was clean for 4 days while the developer used it, then activated its payload during a scheduled task. By the time we noticed unusual outbound traffic, the stealer log was already on a Telegram channel.
What Happens to a Stealer Log After Exfiltration
A March 2026 study by Hudson Rock tracked the lifecycle of stealer logs in the wild. The median time from infection to first sale on a dark-web marketplace was under 48 hours. After that, the log typically follows this path:
- Hour 0 to 48: Sold on private Telegram channels to "first-buyers" for $5 to $50 per log, depending on country of origin and detected enterprise credentials.
- Day 2 to 7: Resold on Russian Market, 2easy Shop, or Genesis Market clones for $1 to $10 per log.
- Day 7 to 30: Aggregated into combo lists, deduplicated, and fed into credential-stuffing bots that hit major sites at scale.
- Day 30+: Posted publicly on BreachForums and Telegram dump channels as "freebies" for clout.
Flare Research estimated in February 2026 that 1 in 5 infostealer infections yields at least one valid enterprise credential. That ratio is the reason ransomware operators now buy stealer logs in bulk as their primary initial-access vector. The 2024 Snowflake-customer breaches that hit Ticketmaster, AT&T, and Santander were all traced to credentials sold from stealer logs.
The Defense Playbook: 10 Steps I Actually Run
This is the exact checklist I work through for new client onboarding at Warung Digital Teknologi, adapted for individuals.
1. Stop saving passwords in your browser. Today.
Chrome, Edge, and Firefox encrypt saved passwords with a key derived from your Windows or macOS login. That is not protection against an infostealer running as your user. Move every credential out of the browser store into a dedicated password manager that requires a separate master password on every unlock. I use Bitwarden for our team because the self-hostable Vaultwarden gives us audit control.
2. Turn on hardware-key MFA, not SMS.
A YubiKey 5C or a Titan key (about $50) is the single most effective control against infostealer-fueled account takeover. Hardware keys are phishing-resistant by design: the cryptographic challenge is bound to the origin domain. A stolen cookie is still a threat, but the attacker cannot reauthenticate or change settings without the physical key. CISA's Secure Our World guidance ranks hardware MFA as the top recommendation.
3. Set browser sessions to expire daily.
Long-lived session cookies are the prize. Configure Gmail, Microsoft 365, GitHub, and your bank to require reauthentication every 24 hours, or at minimum after every browser restart. The friction is real. The blast-radius reduction is worth it.
4. Treat any cracked software as confirmed malware.
There is no "safe" cracked Adobe, no "clean" KMS activator. Across 11+ years of IT consulting, I have not seen a single cracked installer that was malware-free over a 12-month window. If a client cannot afford licensed software, I steer them to free alternatives: GIMP for Photoshop, OnlyOffice for Microsoft Office, DaVinci Resolve for Premiere. Free is cheaper than a credential rotation.
5. Never click a browser-update pop-up.
Real browser updates come from the browser itself, not from a webpage. If you see a page telling you Chrome is out of date, close the tab. Then check chrome://settings/help directly.
6. Use a separate browser profile (or Firefox container) for sensitive accounts.
I keep banking and admin accounts in a dedicated Firefox profile with no extensions, no saved passwords, and a strict cookie-isolation policy. If my main profile is ever compromised, the banking session is in a different process with a different cookie store.
7. Audit your installed browser extensions monthly.
The October 2025 GlassWorm campaign weaponized 12 popular VS Code extensions and 8 Chrome extensions to deliver Lumma. Uninstall any extension you have not used in 30 days. Read the changelog before any extension auto-update.
8. Run reputable endpoint protection that detects stealer behavior, not just signatures.
Modern infostealers are obfuscated and polymorphic, so signature-based AV misses them. I run Microsoft Defender for Endpoint with attack-surface-reduction rules enabled on our team Windows machines, and Malwarebytes on the macOS side. For individuals on a budget, the free tier of Bitdefender plus the built-in Windows Defender SmartScreen is a reasonable floor.
9. Lock down developer credential files.
For developers specifically: encrypt your ~/.aws/credentials using aws-vault, encrypt your SSH private keys with a passphrase, and never commit secrets to a repo even briefly. I rotate every GitHub personal access token on a 90-day schedule across our 50+ active repos. Use short-lived OIDC tokens for CI where possible.
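The three checks in step 9 can be scripted. The following audit helper is an added example written for this guide, not a tool from the article or from any of the vendors it names. It assumes the standard locations (~/.ssh/id_* and ~/.aws/credentials) and uses two facts that are stable across tooling: an OpenSSH-format private key stores its cipher name ("none" for a plaintext key) in the header of its base64 blob, and long-term IAM user access keys begin with AKIA while temporary STS keys begin with ASIA. The `make_sample_openssh_key` helper builds a header-only key (no real key material) so the demo runs without touching a real home directory.

```python
import base64
import configparser
import re
import struct
from pathlib import Path

# Hypothetical audit helper added as an example; not part of the original article.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, off: int):
    """Decode one SSH wire 'string' at offset; return (payload, new offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for a private-key file's text.

    OpenSSH format: the cipher name sits right after the magic; 'none' means the
    key material on disk is plaintext.  Legacy PEM marks a passphrase with a
    'Proc-Type: 4,ENCRYPTED' header; PKCS#8 uses a distinct ENCRYPTED armor line.
    """
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "not-a-key"
        if not blob.startswith(OPENSSH_MAGIC):
            return "not-a-key"
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return "unencrypted" if cipher == b"none" else "encrypted"
    if re.search(r"BEGIN (RSA|DSA|EC) PRIVATE KEY", text):
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    if "BEGIN ENCRYPTED PRIVATE KEY" in text:
        return "encrypted"
    if "BEGIN PRIVATE KEY" in text:
        return "unencrypted"
    return "not-a-key"


def make_sample_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed OpenSSH-format header only (no real key material) for demos/tests."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def find_long_lived_aws_profiles(ini_text: str) -> list:
    """Profiles holding a long-term IAM user key (AKIA...) rather than a temporary
    STS key (ASIA...).  These are the ones to move into aws-vault or replace with
    short-lived role credentials."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return [s for s in cp.sections()
            if cp.get(s, "aws_access_key_id", fallback="").startswith("AKIA")]


def too_permissive(mode: int) -> bool:
    """True if group or others have any access bits on a secret file (want 0600)."""
    return bool(mode & 0o077)


def audit_home(home: Path) -> dict:
    """Run all checks against a real home directory and return a findings dict."""
    findings = {"unencrypted_keys": [], "long_lived_aws": [], "loose_perms": []}
    for key_file in (home / ".ssh").glob("id_*"):
        if key_file.suffix == ".pub":
            continue
        if classify_private_key(key_file.read_text(errors="replace")) == "unencrypted":
            findings["unencrypted_keys"].append(str(key_file))
        if too_permissive(key_file.stat().st_mode & 0o777):
            findings["loose_perms"].append(str(key_file))
    creds = home / ".aws" / "credentials"
    if creds.exists():
        findings["long_lived_aws"] = find_long_lived_aws_profiles(creds.read_text())
        if too_permissive(creds.stat().st_mode & 0o777):
            findings["loose_perms"].append(str(creds))
    return findings


if __name__ == "__main__":
    # Constructed samples; the AKIA/ASIA values are placeholders, not real keys.
    print(classify_private_key(make_sample_openssh_key("none", "none")))          # unencrypted
    print(classify_private_key(make_sample_openssh_key("aes256-ctr", "bcrypt")))  # encrypted
    sample_ini = ("[default]\naws_access_key_id = AKIAEXAMPLEKEY0000\n"
                  "[ci]\naws_access_key_id = ASIAEXAMPLEKEY0000\n")
    print(find_long_lived_aws_profiles(sample_ini))                               # ['default']
    # To audit a real machine instead: print(audit_home(Path.home()))
```

Run `audit_home(Path.home())` on a workstation and act on every entry: re-key unencrypted SSH keys with `ssh-keygen -p`, move AKIA profiles into aws-vault or an assumed role, and `chmod 600` anything listed under loose permissions. The OpenSSH check decodes only the blob header, so it never needs the passphrase.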
10. Subscribe to a breach-monitoring service that ingests stealer logs.
Free services like Have I Been Pwned are useful but they only ingest published breach lists, not private stealer logs. For enterprise coverage, Hudson Rock, SpyCloud, and Flare offer continuous stealer-log monitoring with alerting on your domain. For personal use, Mozilla Monitor and Google's Dark Web Report (free with a Google account) now include some stealer-log coverage as of late 2025.
How to Detect You Are Already Infected
Stealer infections are quiet by design, but there are signals:
- A short burst of unexplained outbound traffic right after you open a specific application.
- Browser logged out of multiple sites at the same time; the attacker often invalidates your session after replaying it.
- New OAuth applications connected to your Google or Microsoft account that you do not recognize.
- Email forwarding rules in Gmail or Outlook that you did not create. This is a classic post-infostealer step to monitor for password-reset emails.
- Login alerts from countries you have not visited (though attackers increasingly proxy through residential IPs in your own country).
- Cryptocurrency wallet drained suddenly with no transaction you authorized.
To check more rigorously: run a Malwarebytes scan, then check your email and IP against Have I Been Pwned's stealer-log search. If you appear, treat every credential you have ever saved in a browser as compromised.
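The first signal in that list, a short outbound burst right after an application starts, is the one most amenable to automated detection because a stealer does its work in the 30 to 90 second window described earlier. The correlation rule below is an added example for this guide, not detection logic from the article or from any EDR vendor. It runs over constructed telemetry in a simplified one-line-per-event format (the `ts kind pid image dest bytes` fields are assumptions made for the example, not a real Sysmon or EDR schema) and flags any process that sends at least 1 MB to non-allowlisted hosts within 90 seconds of launching.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry; hosts and IPs are documentation/placeholder values.
SAMPLE_LOG = """\
2026-05-02T09:14:03Z process_start pid=4412 image=photoshop_setup.exe
2026-05-02T09:14:05Z process_start pid=5120 image=chrome.exe
2026-05-02T09:14:09Z net_out pid=5120 dest=www.google.com:443 bytes=18000
2026-05-02T09:14:31Z net_out pid=4412 dest=203.0.113.7:443 bytes=2600000
2026-05-02T09:14:44Z net_out pid=4412 dest=api.telegram.org:443 bytes=1900000
2026-05-02T09:20:15Z net_out pid=5120 dest=mail.google.com:443 bytes=420000
2026-05-02T09:30:00Z net_out pid=4412 dest=203.0.113.7:443 bytes=900000
"""


@dataclass
class Event:
    ts: datetime
    kind: str                 # "process_start" or "net_out"
    pid: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line ('<iso-ts> <kind> k=v k=v ...')."""
    ts_raw, kind, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kind, int(kv.pop("pid")), kv)


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_exfil_bursts(events: Iterable[Event], window_s: int = 90,
                      min_bytes: int = 1_000_000,
                      allowlist: Iterable[str] = ()) -> List[Tuple[str, int, List[str]]]:
    """Flag processes that push >= min_bytes to non-allowlisted hosts within
    window_s seconds of their start event.  Returns (image, total_bytes, hosts)."""
    events = list(events)
    allowed = set(allowlist)
    alerts = []
    for start in (e for e in events if e.kind == "process_start"):
        deadline = start.ts + timedelta(seconds=window_s)
        total, hosts = 0, set()
        for e in events:
            if e.kind != "net_out" or e.pid != start.pid:
                continue
            if not (start.ts <= e.ts <= deadline):
                continue                      # outside the post-launch window
            host = e.fields["dest"].rsplit(":", 1)[0]
            if host in allowed:
                continue                      # known-good destination
            total += int(e.fields["bytes"])
            hosts.add(host)
        if total >= min_bytes:
            alerts.append((start.fields["image"], total, sorted(hosts)))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for image, total, hosts in find_exfil_bursts(
            events, allowlist={"www.google.com", "mail.google.com"}):
        print(f"ALERT {image}: {total} bytes to {hosts} within 90s of launch")
    # ALERT photoshop_setup.exe: 4500000 bytes to ['203.0.113.7', 'api.telegram.org'] within 90s of launch
```

In the sample, chrome.exe is ignored because its traffic goes to allowlisted hosts and the larger transfer falls outside the window, while the installer's two uploads in the first minute sum to 4.5 MB, the size range of a stealer log. Real telemetry keys on a process GUID rather than a PID (PIDs are reused), and the thresholds should be tuned against a baseline of legitimate installers and updaters before alerting on them.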
If You Confirm an Infection: The First 24 Hours
Order matters here. Do these steps in sequence, not in parallel.
- From a different, clean device (not the infected one), change your email password first. Email is the recovery channel for everything else.
- Sign out of all sessions everywhere in Google, Microsoft, Apple, Facebook, GitHub, your bank, and your password manager. Each provider has a "Sign out of all devices" option.
- Revoke all OAuth tokens and application-specific passwords.
- Change your password manager master password. Then rotate every credential the manager stored, prioritizing financial accounts.
- Rotate every API key, SSH key, and access token you can think of.
- Notify your bank to flag the account for fraud monitoring.
- Wipe and reinstall the infected machine from a known-clean OS image. Do not try to "clean" it. Stealers often install persistence backdoors that AV will not catch.
- File a report. In the U.S., file with IC3. In Indonesia, report to Bareskrim Polri's Patroli Siber. In the EU, report to your national CERT.
The CISA incident response checklist is the most rigorous public-sector playbook I have seen and is freely available.
FAQ
Q: Will a VPN protect me from infostealers?
No. A VPN encrypts your network traffic, but the malware is already running on your machine with your user permissions. It will exfiltrate through the VPN tunnel just fine. VPNs are useful for other reasons; this is not one of them.
Q: I use a password manager. Am I safe?
Safer, not safe. Password managers protect against credential reuse and weak passwords. They do not protect against an infostealer that captures your master password as you type it, or that extracts the vault file from disk while it is decrypted in memory. The 2026 REMUS variant explicitly targets 1Password and LastPass. Keep the vault locked when not in use, set short auto-lock timers, and use hardware-key second factor for the manager itself.
Q: Are Macs safe?
Less targeted, but no longer immune. SHub Reaper (May 2026) and the Vidar macOS variant both deliver fully working credential theft on macOS Sonoma and Sequoia. Apple's Gatekeeper and XProtect catch the most common variants but lag behind Windows for novel families.
Q: My antivirus says I am clean. Does that confirm I have no infostealer?
No. Detection rates for novel Lumma, RedLine, and Vidar variants are below 50% in the first week after release per VirusTotal testing. Behavior is the better signal. If you have ever installed cracked software, assume infection until you have wiped the machine.
Q: What about Linux?
Less common but rising. The May 2026 malicious npm packages specifically targeted Linux developer machines for SSH keys and cloud credentials. If you run Linux for development, the rules above still apply.
The Bottom Line
Infostealers won the cybercrime market because they are cheap, deniable, and effective. Defending against them is not glamorous; it is the same hygiene work that protected against the last decade of threats, just executed more strictly. Stop saving passwords in your browser. Use hardware MFA. Never run cracked software. Treat every stored credential as one disk read away from the dark web.
The good news: I have onboarded three clients in 2026 who switched from browser-stored passwords to Bitwarden plus YubiKey, and none have had a credential incident since. The hygiene works. It is just unglamorous.
Sources and further reading: CISA Secure Our World, NIST Cybersecurity Framework, FBI IC3 Reporting, Have I Been Pwned, BleepingComputer (May 2026), Infosecurity Magazine (2026).
Final disclaimer: This article is general defensive cybersecurity guidance, not a substitute for incident-response support from a qualified security professional. If your business or employer has been compromised, engage a forensic incident-response firm before taking remediation steps that may destroy evidence.