Redline, Lumma, Vidar, Raccoon: The Major Infostealer Families of 2026

By Ransomnews Research Team, April 27, 2026

The infostealer market is dominated by perhaps a dozen named families at any given time. Each operates as malware-as-a-service: a core development team builds and maintains the binary, sells subscription access to "customers" (the actual operators infecting victims), and takes a share of the proceeds. Customers keep the logs they extract; the developers keep their subscription revenue. The model is durable because it cleanly separates engineering from operational risk.

What follows is a field guide to the families that mattered most through late 2025 and into 2026: what each specialises in, and how takedowns have reshaped the landscape.

Lumma Stealer

The current market leader. Lumma (also "LummaC2") emerged in 2022 from a Russian-language developer using the handle "Shamel" and, by mid-2024, had become the single most prevalent infostealer family by Telegram-channel log volume. Subscription pricing in late 2024 was $250 / month for the "Experienced" tier and $1,000 / month for "Corporate," the latter providing more frequent builds and better evasion.

Distinctive features:

  • Aggressive anti-analysis. Lumma actively detects sandboxes, debuggers, and Wireshark captures, terminating itself when found. Researchers must use bare-metal analysis or specialised counter-detection tools.
  • Wide credential coverage. Steals from 80+ browser variants, 70+ crypto-wallet extensions, all major password managers, FTP/SSH clients, Telegram and Discord tokens.
  • Resilient infrastructure. Multiple C2 backup paths, Cloudflare-based domain rotation, fallback to encrypted Telegram channels for log exfiltration.

Microsoft and law-enforcement partners disrupted parts of Lumma’s infrastructure in May 2024, seizing roughly 2,300 domains. The operation continued with regenerated infrastructure within weeks and has since restored its position as the dominant family.

Detailed Microsoft writeup: microsoft.com/en-us/security/blog/2024/05/29/lumma.

RedLine Stealer

The previous market leader before Lumma. RedLine was first observed in March 2020, sold by an operator using the handle "REDGlade" on Russian-speaking forums. At its 2022-2023 peak it was probably responsible for the majority of all corporate-credential theft in the world; credentials extracted by RedLine show up in nearly every major breach analysis from that era.

Defining moment: Operation Magnus, October 2024. The Dutch National Police, FBI, and partners seized RedLine’s central infrastructure and the associated MetaStealer family, publishing source code, customer lists, and personal information about the developers. Three operators were indicted; one was arrested in Spain. Press release at politie.nl/nieuws/2024/oktober/29/operation-magnus.

Operation Magnus did not eliminate RedLine (multiple cracked or forked variants continue to circulate), but it broke the brand's market dominance and shifted volume to Lumma and others.

Vidar

Long-running family active since 2018, originally a fork of the older Arkei stealer. Vidar’s defining characteristic is its longevity: it has shipped continuous updates through generational shifts in OS and browser security, and remains a top-five family by volume in 2026.

Notable for: heavy use of legitimate cloud platforms (Telegram channels, GitHub, Steam profile descriptions) as dead drops for C2 addresses and configuration. Researchers track Vidar extensively through this abuse of public platforms.

Raccoon Stealer

Russian-speaking origin, active since 2019 with a brief 2022 hiatus when the developer was arrested in the Netherlands. Returned as "Raccoon v2" in mid-2022 with improved Rust-based code and continues to operate.

Subscription model: $200-275 / month, marketed heavily on the XSS and Exploit forums. Specialises in MFA-bypass cookies: its credential coverage focuses on session-cookie extraction rather than just saved passwords.

Stealc

A newer entrant, first observed in early 2023. Russian-language origin; modular architecture allowing custom builds per customer. Has gained meaningful market share through 2024 by undercutting RedLine and Lumma on price.

Distinctive: Stealc samples are unusually well-documented internally, suggesting the developers are running a more "professional" operation than typical. Expect this family to grow through 2026.

Atomic (macOS), Cthulhu (macOS), MetaStealer

The macOS infostealer market was negligible until 2023 and is now substantial. Atomic ("AMOS") is the largest family, sold on Telegram for $1,000-3,000 / month. Cthulhu emerged in mid-2024. Both target the same browser/wallet/Keychain credential pool that Windows stealers do, but are optimised for Apple's permission model. Apple's response, including XProtect signature updates and tightened default permissions in macOS 15, has slowed but not halted the growth.

MetaStealer (confusingly, separate from the MetaStealer brand associated with RedLine) targets macOS specifically and remains active despite Operation Magnus's impact on the Windows-side MetaStealer.

Specialised and regional variants

A long tail of smaller families serves specific regional or operational niches:

  • DCRat / DarkCrystal RAT. Russian-language; both stealer and remote-access tool functionality.
  • Aurora Stealer. Go-based; smaller operation.
  • Mystic Stealer. Active since 2023.
  • Pure Logs / PureRAT family. Newer, gaining attention.

Each has its own customer base and evasion approach. The aggregate effect: at any given moment there are 8-12 actively distributed families with meaningful market share, plus dozens of smaller ones.

What this means for defence

Three things follow from the family structure:

Family-level IOCs help less than they used to. Aggressive evasion, frequent rebuilds, and customer-specific binaries mean signature-based detection of any single family is incomplete. EDR solutions that focus on behavioural patterns (credential-store access, browser-process injection, mass file enumeration) work better than ones depending on sample-based signatures.
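To make the behavioural point concrete, here is an added example (not code from the article or from any EDR vendor) that scores endpoint telemetry on the three behaviours named above rather than on any family signature. The telemetry format and all events are constructed for the example; the credential-store file names (Chrome's "Login Data" and "Cookies", Firefox's "logins.json" and "key4.db") are the real on-disk names, and the browser list, enumeration threshold and "alert on two or more behaviours" rule are assumptions a team would tune to its own fleet.

```python
from collections import defaultdict

# Constructed endpoint telemetry (not real logs), one event per line:
#   <time> <pid> <process> <event_type> <target>
# Event types: file_open, process_access (handle opened to another process), dir_enum.
SAMPLE_EVENTS = [
    "10:00:01 4412 chrome.exe file_open C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "10:00:05 5120 updater.exe file_open C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "10:00:05 5120 updater.exe file_open C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "10:00:06 5120 updater.exe file_open C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json",
    "10:00:07 5120 updater.exe process_access chrome.exe",
] + [f"10:00:{10 + i // 10:02d} 5120 updater.exe dir_enum C:\\Users\\u\\Documents\\folder{i}" for i in range(60)] \
  + [f"10:00:{20 + i // 10:02d} 7001 backup.exe dir_enum D:\\Share\\folder{i}" for i in range(60)]

# Browser credential stores (real file names) and the browsers allowed to touch them.
CREDENTIAL_STORES = ("login data", "cookies", "web data", "key4.db", "logins.json")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
ENUM_THRESHOLD = 50   # assumed: directory enumerations per process in the sample window


def parse_event(line):
    ts, pid, proc, kind, target = line.split(maxsplit=4)   # target may contain spaces
    return ts, int(pid), proc.lower(), kind, target


def score_processes(lines):
    """Return {pid: {"process": name, "behaviours": {...}}} for every process that
    showed at least one of the three stealer-typical behaviours."""
    cred = defaultdict(set)      # pid -> credential-store files opened
    inject = defaultdict(set)    # pid -> browser processes it opened a handle to
    enum = defaultdict(int)      # pid -> directory enumerations
    names = {}
    for line in lines:
        _, pid, proc, kind, target = parse_event(line)
        names[pid] = proc
        tl = target.lower()
        if kind == "file_open" and proc not in BROWSERS and tl.endswith(CREDENTIAL_STORES):
            cred[pid].add(target.rsplit("\\", 1)[-1])
        elif kind == "process_access" and proc not in BROWSERS and tl in BROWSERS:
            inject[pid].add(tl)
        elif kind == "dir_enum":
            enum[pid] += 1
    result = {}
    for pid, proc in names.items():
        behaviours = {}
        if pid in cred:
            behaviours["credential_store_access"] = sorted(cred[pid])
        if pid in inject:
            behaviours["browser_process_access"] = sorted(inject[pid])
        if enum[pid] >= ENUM_THRESHOLD:
            behaviours["mass_file_enumeration"] = enum[pid]
        if behaviours:
            result[pid] = {"process": proc, "behaviours": behaviours}
    return result


def alerts(lines, min_behaviours=2):
    """Alert only when one process combines two or more behaviours: any single one
    (a backup agent enumerating files, a browser reading its own store) is routine."""
    return {pid: info for pid, info in score_processes(lines).items()
            if len(info["behaviours"]) >= min_behaviours}


if __name__ == "__main__":
    for pid, info in alerts(SAMPLE_EVENTS).items():
        print(pid, info["process"], info["behaviours"])
```

On the constructed sample, chrome.exe reading its own "Login Data" produces nothing, backup.exe's 60 enumerations register as one behaviour but do not alert, and updater.exe trips all three and is the only alert. The rule is family-agnostic: a rebuilt or customer-specific binary changes its hash, not the fact that it must read the credential store, reach into the browser process and walk the file system. A production rule would count enumerations over a sliding time window rather than the whole sample.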

Telegram channel monitoring is essential. The infostealer economy is largely transparent if you know where to look. Every major family has Telegram channels that announce updates, drop sample logs, and conduct sales. Threat-intel teams that monitor these channels see the threat months before it shows up in commercial feeds.

Takedowns work, but only briefly. Operation Magnus crippled RedLine for months; Lumma's infrastructure seizure delayed it for weeks. Each disruption shifts market share to the next family in line. Effective long-term defence comes from architectural assumptions (short session lifetimes, hardware-bound device identity, continuous re-authentication) that survive any individual family's takedown.
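The three architectural assumptions above can be shown in one small model. This is an added example written for this article, not code from any real identity provider: a server issues short-lived session tokens bound to a registered device and requires a fresh per-request proof from that device's key. The device key here is a random HMAC secret so the example runs with the standard library alone; it stands in for a non-exportable hardware key (TPM or Secure Enclave), which is what makes the binding survive a log export. Token format, 15-minute TTL, nonce scheme and all names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

SESSION_TTL_SECONDS = 15 * 60   # assumed short session lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Device:
    """Client side. The key stands in for a non-exportable hardware key; a stealer
    that copies the browser's cookie store does not get this key."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)

    def registration(self):
        return self.device_id, self._key   # a real design registers the public half only

    def sign(self, token, nonce):
        # Fresh proof of possession for every request (continuous re-authentication).
        return hmac.new(self._key, f"{token}|{nonce}".encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, now):
        self.now = now                     # injectable clock so the demo can age a token
        self._key = secrets.token_bytes(32)
        self._devices = {}                 # device_id -> registered device key
        self._nonces = set()               # outstanding single-use challenges

    def register_device(self, device_id, key):
        self._devices[device_id] = key

    def issue_session(self, user, device_id):
        payload = {"sub": user, "dev": device_id,
                   "iat": self.now(), "exp": self.now() + SESSION_TTL_SECONDS}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify_request(self, token, nonce, device_sig):
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed token"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad token signature"
        payload = json.loads(_unb64(body))
        if self.now() >= payload["exp"]:
            return False, "session expired"            # short lifetime
        if nonce not in self._nonces:
            return False, "nonce unknown or already used"   # captured requests cannot be replayed
        self._nonces.discard(nonce)
        dev_key = self._devices.get(payload["dev"])
        if dev_key is None:
            return False, "unknown device"
        expected_dev = hmac.new(dev_key, f"{token}|{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(device_sig, expected_dev):
            return False, "device proof failed"       # hardware-bound identity
        return True, "ok"


def demo():
    """Walk through the four cases and return the server's verdict for each."""
    clock = [1_700_000_000]
    server = Server(now=lambda: clock[0])
    laptop = Device("laptop-01")
    server.register_device(*laptop.registration())
    token = server.issue_session("alice", "laptop-01")
    results = {}
    nonce = server.challenge()                         # 1. legitimate request from the bound device
    sig = laptop.sign(token, nonce)
    results["legitimate"] = server.verify_request(token, nonce, sig)
    results["replay"] = server.verify_request(token, nonce, sig)   # 2. same request replayed
    other = Device("other-box")                        # 3. token presented from a machine without the key
    nonce2 = server.challenge()
    results["other_device"] = server.verify_request(token, nonce2, other.sign(token, nonce2))
    clock[0] += SESSION_TTL_SECONDS + 1                # 4. correct device, but the token has aged out
    nonce3 = server.challenge()
    results["expired"] = server.verify_request(token, nonce3, laptop.sign(token, nonce3))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

The point of the model is which case fails and why: the token alone, which is all a log contains, is rejected without the device proof, a captured request is rejected on its reused nonce, and even the right device is sent back to authenticate once the short TTL lapses. None of those checks depend on knowing which family took the log.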

The infostealer industry is mature enough that we should treat its families like any other piece of threat infrastructure. Track them, name them, attribute campaigns where possible, and assume the developers are watching the same blog posts you are reading. That is the working reality of credential-theft defence in 2026.
