Infostealers Explained: Lumma, RedLine, Vidar in 2026

Bitdefender researchers spent the back half of January 2026 unpacking a fresh wave of Lumma infections that piggybacked on a loader called CastleLoader. The two pieces of malware shared infrastructure, the campaign ran from December through January, and infection counts climbed back to levels that rivalled what law enforcement had disrupted in May 2025 (Bitdefender Labs). Sources tracking the underground market report that Lumma accounts for roughly half of every stealer log sold on Russian-speaking dark-web forums, with Lumma, StealC, and RedLine together making up the bulk of consumer infections. This article walks through what an infostealer actually does, which families matter in 2026, how they reach your machine, why two-factor authentication often fails to stop them, and what to do if you find one on your system.
What an infostealer actually does
An infostealer is malware built for one job: pull every piece of authentication data off your computer and ship it to a buyer. It is not ransomware. Ransomware encrypts your files and demands payment. An infostealer wants you to never notice it. The longer it sits quietly, the more passwords, session cookies, autofill records, credit card numbers, and cryptocurrency wallet files it can hand over to whoever paid for the log.
Operators sell access either as a subscription — public reporting on the Lumma malware-as-a-service tier places monthly access in roughly the low hundreds of dollars — or by selling individual "logs" (the file containing one victim's harvested data) for a few dollars each. Threat-intelligence write-ups in 2025 and 2026 describe stolen credential data appearing on dark-web marketplaces within days of infection. By the time you notice a mystery purchase on your card or a password-reset email you did not request, your data has often already been resold once or twice.
The 2026 infostealer family lineup
Lumma (LummaC2). The market leader. First seen on Russian forums in 2022, written in C, sold as a service. Microsoft's Digital Crimes Unit identified Russian developer "Shamel" during the May 2025 takedown action. The family was disrupted but not eliminated — fresh samples were flagged by Bitdefender within weeks, and the CastleLoader campaign Bitdefender documented in early 2026 confirmed Lumma is back at scale.
StealC. A 2023 entrant that openly borrowed code from Vidar, Raccoon, RedLine, and Mars. Cheaper than Lumma, easier for low-tier criminals to use, currently a leading alternative by infection volume.
RedLine. A long-running family that took a heavy hit during Operation Magnus in October 2024. Operations are diminished but RedLine logs still circulate on credential markets — its older harvest is still useful to attackers, especially for accounts the victim never rotated.
Vidar. Originating in 2018 from Arkei source code. Vidar 2.0 launched in 2025 with a faster modular plugin architecture; activity rose noticeably as Lumma operators looked for alternatives during the May 2025 disruption.
Raccoon. The original operator was arrested in 2022. Successor Raccoon v2 came back online and remains a steady mid-tier choice on underground markets.
Atomic Stealer (AMOS). The macOS specialist. Distributed as a malicious .dmg, often labelled as a cracked app or trader tool. Microsoft issued a Mac-specific warning in February 2026 naming AMOS for active campaigns since late 2025. It targets iCloud Keychain entries, browser data from Chrome and Firefox, MetaMask extension data, and developer credentials like SSH keys and API tokens.
How infostealers reach your computer in 2026
The 2026 distribution playbook is built around social engineering, not exploits. The current top vectors:
Fake CAPTCHA (ClickFix). A web page asks you to "verify you're human" by pressing Win+R, pasting a string from the clipboard, and hitting Enter. The pasted text is a PowerShell command that downloads the loader. This is the technique driving the CastleLoader → Lumma chain Bitdefender wrote up in early 2026.
Pirated games and cracked software. Search "[expensive app] crack" and the top SEO-poisoned result hosts a trojanised installer. This vector has powered Lumma, RedLine, and StealC distribution for years and shows no sign of cooling.
Fake browser or video-codec updates. A page you visit claims your Chrome is out of date and pushes an installer. The installer is real malware, signed with a stolen or short-lived certificate.
YouTube tutorial comments. A "how to get free [software]" video links to a password-protected archive in the description or pinned comment. The password is often included to defeat antivirus scanning of the archive contents.
Pirated game launchers and trainers. Particularly aggressive in 2026 for Atomic Stealer on macOS, where pirated Mac apps are scarcer and victims are less suspicious.
CastleLoader sits in the middle of these chains. It is small, runs in memory, and uses obfuscation plus flexible command-and-control to pull down whichever stealer the operator wants — most often Lumma in the recent campaigns.
Why infostealers can bypass MFA — the session-cookie attack
Most consumer guides say "infostealers bypass two-factor authentication" and leave it there. Here is the mechanism in plain terms.
When you log in to Gmail, Microsoft 365, or your bank, the server gives your browser a small file called a session cookie. That cookie tells the server "this person already proved they are who they claim — keep them signed in for the next few days." MFA happened once, at login. After that, the cookie carries the proof.
An infostealer copies that cookie. The attacker loads it into their own browser session. The server sees a valid, recently issued cookie and serves the account. No password prompt. No SMS code. No authenticator app challenge. MFA does not fail — it is never asked.
The most valuable targets are session cookies for Microsoft 365, Google Workspace, Okta, AWS, GitHub, Slack, and major exchanges like Coinbase and Binance. For a corporate target, one stolen Okta cookie can hand over an entire identity provider session. For a consumer, one stolen Coinbase cookie can drain a wallet faster than you can read this paragraph.
Cookies eventually expire. Some platforms invalidate them on a password reset; others do not. Until you explicitly revoke active sessions, a stolen cookie is a working key.
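The mechanism above, as an added example that is not part of the original article: a minimal server-side session table, written here to show why a copied cookie keeps working after a password change and stops working only when sessions are revoked (the "sign out everywhere" step in the recovery playbook). The class, method names and the SHA-256 password stand-in are assumptions for illustration, not any provider's real implementation.

```python
import hashlib
import hmac
import secrets

# Added example, not from the article: a toy session store. All names here are assumptions.
SESSION_TTL = 7 * 24 * 3600  # seven days, a typical "keep me signed in" window


def _hash_password(password: str) -> str:
    # Stand-in for a slow password hash (argon2/bcrypt); plain SHA-256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._users = {}     # username -> {"pw": password hash, "generation": int}
        self._sessions = {}  # sha256(cookie value) -> {"user", "generation", "expires"}

    def register(self, user: str, password: str) -> None:
        self._users[user] = {"pw": _hash_password(password), "generation": 0}

    def login(self, user: str, password: str, mfa_ok: bool, now: float):
        """Password and MFA are checked exactly once, here. The returned cookie value is the proof from then on."""
        rec = self._users.get(user)
        if rec is None or not mfa_ok:
            return None
        if not hmac.compare_digest(rec["pw"], _hash_password(password)):
            return None
        cookie = secrets.token_urlsafe(32)
        # Only a hash of the cookie is stored, so a leaked session table does not yield usable cookies.
        self._sessions[hashlib.sha256(cookie.encode()).hexdigest()] = {
            "user": user, "generation": rec["generation"], "expires": now + SESSION_TTL}
        return cookie

    def validate(self, cookie: str, now: float):
        """What every later request does: no password, no MFA, only the cookie is inspected."""
        sess = self._sessions.get(hashlib.sha256(cookie.encode()).hexdigest())
        if sess is None or now >= sess["expires"]:
            return None
        if sess["generation"] != self._users[sess["user"]]["generation"]:
            return None  # issued before the last sign_out_everywhere, so rejected
        return sess["user"]

    def change_password(self, user: str, new_password: str) -> None:
        # Models a provider that does NOT invalidate existing sessions on password change.
        self._users[user]["pw"] = _hash_password(new_password)

    def sign_out_everywhere(self, user: str) -> None:
        # The "sign out everywhere" button: bump the generation so every existing session fails validation.
        self._users[user]["generation"] += 1


def demo() -> dict:
    """Walks through the attack timeline with fixed timestamps so the outcome is deterministic."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    t0 = 1_700_000_000.0
    cookie = store.login("alice", "correct horse battery staple", mfa_ok=True, now=t0)
    # The stealer copies the cookie value; the attacker presents it from a different browser.
    replay_before_reset = store.validate(cookie, now=t0 + 3600)
    store.change_password("alice", "new-password-123")
    replay_after_reset = store.validate(cookie, now=t0 + 7200)
    store.sign_out_everywhere("alice")
    replay_after_revoke = store.validate(cookie, now=t0 + 10800)
    fresh = store.login("alice", "new-password-123", mfa_ok=True, now=t0 + 10801)
    return {
        "replay_before_reset": replay_before_reset,   # "alice": server cannot tell the two browsers apart
        "replay_after_reset": replay_after_reset,     # still "alice": password change alone left the session alive
        "replay_after_revoke": replay_after_revoke,   # None: revocation is what killed the stolen cookie
        "fresh_after_revoke": store.validate(fresh, now=t0 + 10802),  # "alice": the victim's new login works
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The generation counter is the design point: it lets one click invalidate every outstanding session without enumerating them, and it is why a password change on its own is not enough unless the provider also bumps that counter.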
How to tell if you have been hit by an infostealer
Symptoms are subtle. Watch for:
- Sudden password-reset emails for accounts you did not touch.
- "New sign-in from [unfamiliar location]" alerts from Google, Microsoft, or your bank.
- Outbound charges on cards, mystery subscription signups, or PayPal activity you did not initiate.
- A crypto wallet showing zero balance after a single fast outbound transaction.
- Chrome or Edge running slow and showing unfamiliar extensions.
- Friends receiving Discord, Telegram, or Steam DMs from you that you did not send.
- An unexpected mshta.exe, powershell.exe, or wscript.exe process in Task Manager soon after running a download.
Any one of these is reason to scan. Two or more is reason to assume infection and start the recovery playbook below.
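The last symptom in the list can be turned into a simple check over endpoint telemetry. The following is an added example, not code from the article: it parses constructed process-creation and file-creation records (the log format is invented for the example) and flags a script host launched by the desktop shell within a few minutes of a browser writing a file into the Downloads folder. The image names, the five-minute window and the field layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the article. The log format below is constructed for illustration.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample telemetry: "<ISO time> <event> image=<exe> parent=<exe> target=<path or ->"
SAMPLE_LOG = """\
2026-01-20T10:01:05 FileCreate image=chrome.exe parent=explorer.exe target=C:\\Users\\dana\\Downloads\\setup.exe
2026-01-20T10:01:40 ProcessCreate image=powershell.exe parent=explorer.exe target=-
2026-01-20T10:30:00 ProcessCreate image=powershell.exe parent=code.exe target=-
2026-01-20T11:15:00 FileCreate image=msedge.exe parent=explorer.exe target=C:\\Users\\dana\\Downloads\\report.pdf
2026-01-20T11:20:02 ProcessCreate image=mshta.exe parent=explorer.exe target=-
2026-01-20T12:00:00 ProcessCreate image=wscript.exe parent=explorer.exe target=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) image=(?P<image>\S+) parent=(?P<parent>\S+) target=(?P<target>.*)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the scan."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["image"] = d["image"].lower()
        d["parent"] = d["parent"].lower()
        events.append(d)
    return events


def find_suspicious_chains(log_text: str, window: timedelta = WINDOW) -> list:
    """Flag script hosts started by explorer.exe within `window` after a browser download."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    recent_downloads = []  # (timestamp, path) of files browsers wrote to Downloads
    findings = []
    for e in events:
        if (e["event"] == "FileCreate" and e["image"] in BROWSERS
                and "\\downloads\\" in e["target"].lower()):
            recent_downloads.append((e["ts"], e["target"]))
        elif (e["event"] == "ProcessCreate" and e["image"] in SCRIPT_HOSTS
                and e["parent"] == "explorer.exe"):
            for dl_ts, path in recent_downloads:
                delta = e["ts"] - dl_ts
                if timedelta(0) <= delta <= window:
                    findings.append({
                        "time": e["ts"].isoformat(),
                        "process": e["image"],
                        "download": path,
                        "seconds_after_download": int(delta.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f"{f['time']} {f['process']} started {f['seconds_after_download']}s after {f['download']}")
```

On the sample data only the powershell.exe launch 35 seconds after setup.exe is reported; the powershell.exe started by code.exe and the mshta.exe launch 302 seconds after a PDF download fall outside the rule. The ClickFix path described earlier involves no download at all, so a shell-spawned script host with no preceding file write needs its own rule rather than this one.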
What to do if you have been infected — the recovery playbook
Order matters. Do these steps in this sequence.
- Disconnect from the network. Unplug Ethernet, turn off Wi-Fi. This stops the stealer from finishing exfiltration if it has not already.
- Run a full offline scan with a reputable engine. Major paid suites publish strong recent results in independent lab cycles (AV-TEST February 2026 home-Windows; AV-Comparatives February–March 2026 Real-World Protection). For a ranked, side-by-side breakdown, see our Best Antivirus Against Infostealers in 2026 hub. If your installed product missed the threat, use a second engine for a fresh opinion — see our note on running two antivirus tools. For step-by-step Windows cleanup, follow our guide to removing malware from Windows 11.
- From a clean device, rotate passwords in priority order. Email first — it is the recovery channel for everything else. Then banking and payment, then cloud storage, then password manager master password (if used), then social and gaming. Use unique, long, randomly generated passwords.
- Revoke all active sessions, not just change passwords. In Google: Security → Your devices → sign out everywhere. In Microsoft: Security → Sign-in activity → sign out. In every account that offers it, click the "log out all other sessions" option. A new password without session revocation leaves the stolen cookie alive.
- Switch high-value accounts to a hardware security key. YubiKey or Google Titan. A FIDO2/WebAuthn key cannot be phished or replayed by cookie theft because the cryptographic challenge is bound to the actual domain and the physical key.
- For crypto: assume the wallet is compromised. Create a fresh wallet with a new seed phrase on a clean device, transfer assets out fast, and treat the old wallet as poisoned permanently. Never re-enter the original seed phrase anywhere.
- Check Have I Been Pwned. It indexes credential-breach corpora that include stealer-log dumps. If your email appears in a recent paste, take it as confirmation and finish the playbook.
- Reformat if you can. A full Windows reset or macOS reinstall removes persistence mechanisms a scanner may miss. For an actively exploited machine this is the cleanest finish.
Which antivirus actually catches infostealers?
No antivirus catches 100% of stealer samples. AV-TEST and AV-Comparatives 2026 cycles show the major paid suites — Bitdefender, Kaspersky, ESET, Norton, McAfee — scoring in the high-90s on consumer protection metrics, with current infostealer families included in the broader malware corpora those labs run (AV-TEST, AV-Comparatives). Detection is necessary but not sufficient — the layered habits below matter more than the brand on your license.
Bitdefender ships Safepay (an isolated browser for banking and exchanges that aims to block keyloggers and screen scrapers) and Anti-Tracker (kills cross-site trackers that ClickFix-style lures often ride on). The Advanced Threat Defense module is designed to flag the kind of PowerShell behaviour typical of loader stages like CastleLoader.
Kaspersky pairs its Password Manager with an anti-phishing module that aims to intercept fake-CAPTCHA and fake-update URLs at the network stage, before any payload reaches disk. The Safe Money component does for exchange logins what Safepay does on Bitdefender.
ESET Smart Security includes Banking & Payment Protection plus a Browser Protection layer focused on browser-process behaviours that match credential theft (cookie-store access, password-store reads). ESET's small footprint also makes it the lightweight pick for older hardware.
Norton and Malwarebytes both detect current stealer families in independent lab cycles, and Malwarebytes in particular is widely used as a second-opinion scanner after an active infection.
If you want the broader category context, see our best malware removal and best internet security hubs. The honest framing: no single product replaces a hardware security key, password rotation discipline, and not running pirated installers.
Frequently Asked Questions
Is an infostealer the same as a virus?
Technically yes — both are malicious software — but practically no. A traditional virus tries to spread and damage. An infostealer wants to stay silent and harvest data for resale. You usually feel a virus. You rarely feel a stealer.
Will Windows Defender catch Lumma?
Modern Microsoft Defender catches a large share of current samples thanks to cloud-delivered protection, and it scored 6/6 on protection in the AV-TEST February 2026 cycle. Stealer operators iterate quickly, though, so Defender alone is reasonable baseline coverage; a paid suite with browser-isolated banking and behavioural PowerShell detection raises the floor further.
Can a Mac get an infostealer?
Yes. Atomic Stealer (AMOS) is an active macOS family distributed mostly through cracked DMGs. Microsoft issued a specific warning in February 2026 about ongoing AMOS activity targeting Mac users with crypto wallets and developer credentials.
Does a VPN protect me from infostealers?
No. A VPN hides where your traffic comes from. It does not stop you from running an infected installer or pasting a malicious PowerShell command from a fake CAPTCHA. Useful for privacy; not anti-malware.
If I have MFA on every account, am I safe from cookie theft?
Only partially. App-based MFA codes do not stop session-cookie reuse. A hardware security key (YubiKey, Titan) raises the bar significantly because the cryptographic handshake is tied to the real domain. Pair the key with periodic "sign out everywhere" hygiene.
How do I know if my data is on a stealer-log market?
Check Have I Been Pwned for your email. HIBP indexes stealer-log dumps and credential pastes as part of its corpus. A hit there alongside any of the symptoms in this article should push you straight into the recovery playbook.