The infostealer market has consolidated around a small number of dominant families. The Operation Magnus takedowns in late 2024 disrupted RedLine and Meta significantly, but the demand for stealer logs didn’t go anywhere; it shifted to whichever families were ready to absorb the volume. Here’s the 2026 comparative picture across the three families that matter most.
Lumma, the post-takedown leader
Lumma (also known as LummaC2) emerged in 2022 and steadily grew its operator base, but the 2024-2025 RedLine disruption is what put it at the top of the leaderboard. Lumma’s distribution model is the standard malware-as-a-service: $250-$1,000 per month for builder access, with tiered features including DLL-loading, additional plugin support, and victim-data filtering tools.
What it steals: passwords from major browsers, browser cookies (essential for session-takeover attacks), cryptocurrency wallets, password manager databases, Discord and Telegram tokens, FTP credentials, autofill data. The combination is exhaustive enough to enable downstream account takeovers across most of a victim’s digital life.
Distribution remains opportunistic: fake software cracks, compromised installers, malicious search-engine ads, and malvertising on YouTube. Telegram-distributed phishing pages with “verify you’re human” CAPTCHA tricks that paste PowerShell into the user’s clipboard remain a major channel.
RedLine, diminished but not gone
The October 2024 Operation Magnus takedown disrupted RedLine’s command-and-control infrastructure and indicted alleged operators. RedLine’s market share dropped sharply in late 2024 and early 2025. By mid-2026, residual RedLine activity has stabilised at roughly half its pre-takedown volume, with operators having migrated to alternate infrastructure and rebranded variants.
The takedown demonstrated something important about the stealer market: it can be disrupted, and the disruption is meaningful, but the demand simply migrates. Operators who used RedLine moved to Lumma or Stealc within weeks. The total volume of fresh stealer logs hitting the market in mid-2026 is roughly comparable to pre-takedown levels.
Vidar, the survivor
Vidar has been around since 2018, weathering multiple disruption attempts and adapting through the years. It’s not the largest family by volume in 2026 but it has the most consistent multi-year track record. The codebase has spawned several derivatives (Mars Stealer, Eternity, Stealc) that share lineage and continue to be actively maintained.
Vidar’s distinguishing trait is operational maturity. The operators have been doing this for years; the malware has weathered multiple Windows Defender updates; the infrastructure is rotated regularly. For affiliates who prioritise stability over cutting-edge features, Vidar remains a default.
Market share, best-effort estimates
Public estimates vary, but a reasonable consensus from multiple research feeds puts Lumma at roughly 40-50% of fresh stealer-log volume in 2026, Stealc and successors at 15-20%, Vidar and family at 10-15%, and RedLine and remnants at 5-10%, with the long tail of smaller families covering the remainder. The numbers are approximate; the relative ordering is consistent across most observers.
Defender implications
Family-specific signatures matter less than detection of the behaviours these families share: clipboard hijacking attempts, browser cookie file access by non-browser processes, large outbound POSTs to recently-registered domains, and the distinctive “verify you’re human” PowerShell-paste pattern in user help-desk tickets.
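As an added illustration of two of those shared behaviours (not code from the article or from any vendor), the following Python triages constructed endpoint telemetry for non-browser processes touching browser cookie stores and for large POSTs to recently registered domains. The browser allowlist, the size threshold and the "recently registered" cutoff are assumptions to tune per environment; the cookie-store paths follow the standard Chromium (`User Data\...\Network\Cookies`) and Firefox (`cookies.sqlite`) profile layouts.

```python
import re
from dataclasses import dataclass

# Assumed allowlist of processes legitimately reading their own cookie stores.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Chromium-family and Firefox cookie database locations (case-insensitive).
COOKIE_DB_RE = re.compile(
    r"(\\user data\\.*\\(network\\)?cookies$)|(\\profiles\\.*\\cookies\.sqlite$)", re.I)
POST_BYTES_THRESHOLD = 256 * 1024   # assumed size cutoff for "large" outbound POST
NEW_DOMAIN_DAYS = 30                # assumed cutoff for "recently registered"

@dataclass
class FileEvent:
    process: str
    path: str

@dataclass
class NetEvent:
    process: str
    method: str
    bytes_out: int
    domain: str
    domain_age_days: int   # from WHOIS/RDAP enrichment upstream (assumed available)

def flag_cookie_access(ev: FileEvent) -> bool:
    """True when a process outside the browser allowlist opens a cookie database."""
    return ev.process.lower() not in BROWSERS and bool(COOKIE_DB_RE.search(ev.path))

def flag_large_post(ev: NetEvent) -> bool:
    """True for a large POST to a domain registered within NEW_DOMAIN_DAYS."""
    return (ev.method.upper() == "POST"
            and ev.bytes_out >= POST_BYTES_THRESHOLD
            and ev.domain_age_days <= NEW_DOMAIN_DAYS)

def triage(events):
    """Return (rule, process, object) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if isinstance(ev, FileEvent) and flag_cookie_access(ev):
            findings.append(("cookie_access_non_browser", ev.process, ev.path))
        elif isinstance(ev, NetEvent) and flag_large_post(ev):
            findings.append(("large_post_new_domain", ev.process, ev.domain))
    return findings

# Constructed sample telemetry; domains and paths are placeholders, not real IoCs.
SAMPLE = [
    FileEvent("chrome.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent("setup_crack.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent("powershell.exe", r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"),
    NetEvent("setup_crack.exe", "POST", 3_500_000, "example-new-domain.invalid", 4),
    NetEvent("msedge.exe", "POST", 120_000, "example.com", 9000),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The two rules are deliberately independent so that either can be fed from a different telemetry source (file-access auditing versus proxy or NetFlow records enriched with domain age).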
The single highest-impact defensive control across all stealer families remains user-side education: don’t paste anything into PowerShell that you didn’t write yourself, don’t run “verification” scripts from any website, and treat free pirated software as the malware-distribution channel that it actually is. Technical controls help. The behaviour change closes the gap.
