2026-03-20 | Cybersecurity Threat Landscape | Oracle-42 Intelligence Research
The Evolution of InfoStealer Malware: A Comparative Analysis of Lumma, Vidar, and RedLine
By Oracle-42 Intelligence – Cybersecurity Research Division
Executive Summary: InfoStealer malware has rapidly evolved into a sophisticated toolkit for cybercriminals, enabling large-scale credential harvesting, financial data theft, and system compromise. Among the most prevalent families—Lumma, Vidar, and RedLine—each exhibits unique operational tactics, evasion techniques, and distribution vectors. This analysis examines their evolutionary trajectories, technical capabilities, and threat actor preferences, supported by recent intelligence on DNS TXT record abuse as a novel delivery mechanism. Understanding these distinctions is critical for enterprise defenders seeking to disrupt emerging InfoStealer campaigns.
Key Findings
DNS TXT Records as C2 Infrastructure: Malware operators increasingly abuse DNS TXT records to store encrypted payloads or configuration data, bypassing traditional network defenses.
InfoStealer-as-a-Service: All three malware families are commercially available on underground forums, with Lumma and RedLine leading in feature-rich, modular designs.
Evasion Sophistication: Vidar employs polymorphic code and anti-sandboxing, while Lumma leverages process injection and API unhooking; RedLine focuses on anti-debugging and encrypted communications.
Targeting Trends: Lumma and RedLine heavily target cryptocurrency wallets and browser extensions; Vidar prioritizes gaming credentials and personal data.
Delivery Vectors: While phishing remains dominant, many recent Vidar campaigns use pirated software and fake updates hosted on compromised domains.
Background: The Rise of InfoStealers
InfoStealer malware represents a class of malicious software designed to exfiltrate sensitive data from infected systems. Unlike ransomware, which demands payment for data recovery, InfoStealers operate stealthily, monetizing stolen credentials, session tokens, and financial details on dark web markets. The commoditization of malware—facilitated by the rise of malware-as-a-service (MaaS)—has democratized access to high-grade InfoStealers, lowering the barrier to entry for cybercriminals.
Recent intelligence reveals that DNS TXT records—typically used for domain verification or SPF configuration—are now being repurposed as covert command-and-control (C2) channels. Malware operators embed encrypted payloads or configuration strings within TXT records, allowing infected hosts to retrieve instructions without establishing direct HTTP connections. This technique evades network monitoring tools that focus on HTTP/S traffic and DNS A/CNAME queries, making it a stealthy delivery vector for subsequent payloads, including InfoStealers.
Lumma: The Modular Operator
Lumma (also known as "LummaC2") is a relatively new but rapidly evolving InfoStealer first observed in mid-2023. It is marketed as a premium MaaS offering on Russian-speaking cybercrime forums, with pricing tiers based on feature access and update frequency.
Key Capabilities:
Multi-browser support: Steals credentials from Chrome, Firefox, Edge, Brave, and Opera, including profiles and session cookies.
Cryptocurrency wallet targeting: Extracts wallet.dat files, private keys, and seed phrases from over 20 wallet applications.
Discord and Steam hijacking: Targets gaming platforms and communication apps to harvest session tokens and user data.
Keylogging and clipboard monitoring: Captures keystrokes and clipboard content to intercept 2FA codes and cryptocurrency addresses.
Evasion Techniques:
Process hollowing and DLL injection via NtCreateThreadEx.
Direct kernel object manipulation (DKOM) to hide processes.
Encrypted communication with C2 using ChaCha20-Poly1305.
Use of DNS-over-HTTPS (DoH) to evade DNS-based detection.
Distribution: Primarily delivered via phishing emails with ZIP or ISO attachments, malicious ads (malvertising), and cracked software repositories.
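Lumma's use of DNS-over-HTTPS means the resolver query never appears in conventional DNS logs; it is visible instead at the web-proxy or TLS-inspection layer. The Python below is an added example written for this page, not code from the report or from the Lumma operators. It decodes an RFC 8484 DoH GET request (base64url-encoded DNS wire-format message in the dns= parameter) to recover the queried name and type, and flags proxy-log entries that point at DoH: connections to well-known public DoH resolver hostnames (dns.google, cloudflare-dns.com and dns.quad9.net are real services), a /dns-query path, or the application/dns-message content type. The proxy-log field names (host, method, url, content_type) and every sample entry are constructed for the demonstration; build_dns_query exists only to fabricate that sample traffic.

```python
import base64
import struct
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Real public DoH resolver hostnames that an enterprise resolver policy would
# not normally expect endpoints to contact directly.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
QTYPE_NAMES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}


def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (12-byte header plus one question) in wire format.
    Used here only to construct sample traffic for the demonstration."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_host: str, name: str, qtype: int) -> str:
    """Encode a query as an RFC 8484 GET does: base64url with the '=' padding removed."""
    wire = base64.urlsafe_b64encode(build_dns_query(name, qtype)).decode().rstrip("=")
    return f"https://{resolver_host}/dns-query?dns={wire}"


def parse_question(msg: bytes) -> Dict[str, object]:
    """Decode the header and the first question of a DNS wire-format message."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    offset, labels = 12, []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query's QNAME
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype))}


def decode_doh_get(url: str) -> Optional[Dict[str, object]]:
    """Recover the DNS question from a DoH GET URL; None if there is no dns= parameter."""
    dns_param = parse_qs(urlsplit(url).query).get("dns")
    if not dns_param:
        return None
    b64 = dns_param[0]
    b64 += "=" * (-len(b64) % 4)  # restore the padding RFC 8484 strips
    return parse_question(base64.urlsafe_b64decode(b64))


def scan_proxy_log(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag likely DoH use in proxy records (constructed fields: host, method, url, content_type)."""
    alerts = []
    for entry in entries:
        reasons = []
        if entry["host"] in KNOWN_DOH_HOSTS:
            reasons.append("known_doh_resolver")
        if urlsplit(entry["url"]).path.endswith("/dns-query"):
            reasons.append("dns-query_path")
        if entry.get("content_type") == "application/dns-message":
            reasons.append("dns-message_content_type")
        if not reasons:
            continue
        alert = {"host": entry["host"], "reasons": reasons}
        if entry["method"] == "GET":
            question = decode_doh_get(entry["url"])
            if question:
                alert["question"] = f"{question['qname']} {question['qtype_name']}"
        alerts.append(alert)
    return alerts


# Constructed sample proxy log: an ordinary page load, a DoH GET to a public
# resolver asking for a TXT record, and a DoH POST to an unlisted resolver.
SAMPLE_LOG = [
    {"host": "www.example.com", "method": "GET",
     "url": "https://www.example.com/index.html", "content_type": "text/html"},
    {"host": "dns.google", "method": "GET",
     "url": doh_get_url("dns.google", "cfg.example.net", 16), "content_type": None},
    {"host": "doh.example.org", "method": "POST",
     "url": "https://doh.example.org/dns-query", "content_type": "application/dns-message"},
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The POST form of DoH carries the message in the request body, so for it the proxy record alone yields only the destination and content type; recovering the question there requires body capture, which is why the example decodes the GET form only.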
Vidar: The Veteran with Polymorphic Edge
Vidar is a mature InfoStealer first identified in 2018, with roots in the older Arkei stealer family. It has undergone multiple rebrands and code overhauls, reflecting its adaptation to modern security controls.
Key Capabilities:
Comprehensive data harvesting: Extracts browser data, VPN configurations, Wi-Fi passwords, and screenshots.
Gaming-focused theft: Targets Steam, Epic Games, Origin, and gaming forums, capitalizing on the secondary market for in-game items.
File grabber: Collects specific file types (e.g., .docx, .pdf, .jpg) from user directories and the desktop.
Stealer logs aggregation: Bundles stolen data into encrypted archives before exfiltration to avoid partial detection.
Evasion Techniques:
Polymorphic engine: Mutates code on each compilation to evade signature-based detection.
Anti-VM and sandbox detection: Uses timing attacks, registry checks, and hardware fingerprinting.
Process masquerading: Renames its executable to resemble legitimate system tools (e.g., svchost.exe).
DNS TXT record abuse: Recent campaigns have used TXT records to store C2 IP addresses or configuration hashes.
Distribution: Commonly spread via torrent sites, fake game cracks, and cracked software installers. Recent campaigns also exploit vulnerabilities in outdated media players and document parsers.
RedLine: The Cloud-Native Threat
RedLine is a highly active InfoStealer, frequently updated and widely used in cybercrime. It is distinguished by its use of cloud-based C2 infrastructure and advanced obfuscation.
Key Capabilities:
Browser and extension theft: Targets not only credential storage but also browser extensions (e.g., MetaMask, Phantom Wallet).
System reconnaissance: Collects hardware IDs, OS version, installed software, and network configuration.
Credit card skimming: Injects JavaScript into web forms to capture payment data in real time.
Telegram and Steam session hijacking: Extracts auth tokens for instant messaging and gaming platforms.
Evasion Techniques:
Obfuscation via JScript and PowerShell: Uses living-off-the-land binaries (LOLBins) to evade endpoint detection.
Anti-debugging and anti-tampering: Detects debuggers, virtual machines, and analysis tools.
Encrypted payload delivery via DNS TXT: Operators host encrypted payloads or configuration blobs in DNS TXT records, retrieved via DNS queries.
Modular architecture: Operators can push additional tools like loaders or miners post-infection.
Distribution: Primarily through phishing campaigns mimicking software updates (e.g., Adobe Flash Player, Java), fake CAPTCHA pages, and SEO-poisoned search results.
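The DNS TXT abuse described in the Background section and in the Vidar and RedLine evasion lists (C2 IP addresses, configuration hashes and encrypted blobs stored in TXT records) can be triaged from passive DNS or resolver logs. The Python below is an added example written for this page, not code from the report or from any of the malware families it covers. It first allowlists well-known TXT formats that are legitimately long or high-entropy (SPF, DKIM, DMARC, Google and Microsoft domain verification; these prefixes are real), which keeps DKIM public keys from tripping the entropy rule, and then scores the remaining records for embedded IPv4 literals, MD5/SHA-1/SHA-256-length hex tokens, values made entirely of base64 characters, and high Shannon entropy. The record names, TXT values and thresholds are constructed for the demonstration and should be tuned against a baseline of the domains actually observed.

```python
import base64
import math
import re
from collections import Counter
from typing import Dict, List

# Real, well-known TXT formats that are legitimately long or high-entropy
# (DKIM keys in particular) and must not be scored as suspicious.
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# 64, 40 or 32 hex characters: SHA-256, SHA-1 or MD5 sized tokens.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed thresholds: English-like text sits near 4 bits/char, base64 of
# random bytes near 6; verification tokens are rarely longer than 80 chars.
ENTROPY_THRESHOLD = 4.5
LENGTH_THRESHOLD = 80


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze_txt(value: str) -> List[str]:
    """Return the indicators found in one TXT value; an empty list means nothing stood out."""
    if value.startswith(KNOWN_PREFIXES):
        return []  # known-good format; never scored
    findings = []
    if IPV4_RE.search(value):
        findings.append("embedded_ipv4")       # e.g. a C2 address parked in DNS
    if HASH_RE.search(value):
        findings.append("hash_like_token")     # e.g. a configuration hash
    if BASE64_RE.fullmatch(value):
        findings.append("opaque_base64")       # whole value is base64 alphabet
    if len(value) >= LENGTH_THRESHOLD and shannon_entropy(value) > ENTROPY_THRESHOLD:
        findings.append("high_entropy_blob")   # long and random-looking: encrypted payload?
    return findings


def triage(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each record name to its indicators, keeping only records that have any."""
    return {name: found for name, value in records.items() if (found := analyze_txt(value))}


# Constructed sample TXT records: two legitimate formats, a harmless unknown
# token, a Vidar-style "address plus hash" value, and an opaque encrypted blob.
SAMPLE_TXT_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.com -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p="
        + base64.b64encode(b"constructed-dkim-key-placeholder" * 4).decode(),
    "_verify.example.com": "hello-world-verification-token",
    "cfg.example.net": "srv=203.0.113.45:443;h=3f786850e387550fdab836ed7e6dc881de23001b",
    "blob.example.org": base64.b64encode(bytes(range(256))).decode(),
}

if __name__ == "__main__":
    for name, found in triage(SAMPLE_TXT_RECORDS).items():
        print(f"{name}: {', '.join(found)}")
```

The allowlist check runs before any scoring on purpose: a DKIM p= value is both long and high-entropy, so an entropy-only detector would alert on every mail-enabled domain in the estate. Conversely, the 203.0.113.0/24 address in the sample is a documentation range (RFC 5737) chosen so the example never points at a real host.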