
Top infostealer families in 2026: Lumma, RedLine, Vidar, StealC, and the new entrants

By Ransomnews Research Team | June 8, 2026 | Updated: June 8, 2026

Lumma now leads the infostealer ecosystem in 2026, after Operation Magnus took out RedLine and META in late 2024. RedLine’s legacy footprint still surfaces in older logs, Vidar remains stubbornly durable, StealC has gained share, Atomic dominates the macOS side, and ACR Stealer and Meduza are the rising Russian-language contenders. The top six families together produce the overwhelming majority of all stealer logs traded in 2026. Here is who is in your stealer log and why each one matters.

Ransomnews Research Team. Window: post-Operation Magnus through May 2026.

What is an infostealer?

An infostealer is a class of commodity malware whose only job is to harvest credentials, cookies, autofill data, and system metadata from an infected device, then exfiltrate that data to an operator-controlled server. Infostealers are typically sold as malware-as-a-service: a monthly subscription buys the customer a builder, an admin panel, and operator-side support. The customer (the operator) handles distribution and resale of the resulting logs.

For a deeper background on what infostealers produce, our stealer-logs explainer covers contents, distribution, and the buyer side of the ecosystem. This piece focuses on the operators behind the most prolific families in 2026.

Which infostealer families lead in 2026?

Six families account for most of the stealer-log volume traded in 2026. In rough order of presence in fresh logs:

  • Lumma Stealer (LummaC2), the post-RedLine leader.
  • StealC, the cheap-and-fast newer entrant that surged in 2024 and 2025.
  • RedLine Stealer, the long-tail legacy that still shows up in older or republished logs.
  • Vidar Stealer, the durable middle-tier family that has been continuously active since 2018.
  • Atomic Stealer (AMOS), the dominant macOS family.
  • ACR Stealer and Meduza Stealer, the rising Russian-language contenders.

Lumma Stealer: the post-RedLine flagship

Lumma (also called LummaC2) is the most-distributed Windows infostealer in 2026. It first appeared on Russian-language forums in 2022, gained share steadily through 2023 and 2024, and inherited a large share of the void created when Operation Magnus took down RedLine and META in October 2024.

Lumma’s distinguishing technical traits include heavy obfuscation, frequent panel updates, and aggressive use of ClickFix social-engineering campaigns: fake captcha and fake “browser update” pages that instruct the user to paste a command into the Windows Run dialog. The command pulls and executes Lumma. The technique scales because it does not require any malicious download in the traditional sense, just a copy-paste action by the victim.
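Defender-side triage for the Run-dialog paste described above, as an added example that is not from the article: it scores process-creation events where `explorer.exe` starts a script host with a suspicious command line. The event schema, the host list, the indicator list, and the sample events are all assumptions constructed for illustration.

```python
import re

# Assumed list of interpreters a pasted Run-dialog command tends to invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Assumed command-line indicators; tune against your own telemetry.
INDICATORS = [
    ("remote_url", re.compile(r"https?://", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("lure_text", re.compile(r"not a robot|captcha|verif", re.I)),
]

def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Reasons a process-creation event resembles a Run-dialog paste, else []."""
    # Win+R launches are children of explorer.exe; so are double-clicks, which
    # is why the command line must also carry indicators before anything fires.
    if leaf(event["parent_image"]) != "explorer.exe":
        return []
    if leaf(event["image"]) not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in INDICATORS if rx.search(event["command_line"])]

def triage(events, threshold=2):
    """Return (host, reasons) for events with at least `threshold` indicators."""
    alerts = []
    for e in events:
        reasons = score_event(e)
        if len(reasons) >= threshold:
            alerts.append((e["host"], reasons))
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events: (host, parent_image, image, command_line)
ROWS = [
    ("WS-014", EXPLORER, PS, 'powershell -w hidden -c "<placeholder> https://example.invalid/x" # I am not a robot'),
    ("WS-015", EXPLORER, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ("WS-016", EXPLORER, PS, r"powershell.exe -File C:\Scripts\backup.ps1"),
    ("WS-017", r"C:\Program Files\Office\WINWORD.EXE", PS, "powershell -w hidden https://example.invalid/y"),
    ("WS-018", EXPLORER, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]
SAMPLE_EVENTS = [dict(zip(("host", "parent_image", "image", "command_line"), r)) for r in ROWS]
```

Only WS-014 is flagged; WS-017 has the same command-line traits but a different parent, so it belongs to a separate Office-child rule rather than this one.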

Lumma’s logs are well-structured, screenshot-inclusive, and command premium prices in private channels. It is the family most often cited in 2025 and 2026 ransomware post-incident reports as the initial-access vector.

RedLine Stealer: the long-tail legacy

RedLine was the dominant infostealer from 2020 through 2024. At its peak it accounted for the majority of all stealer-log traffic on commodity marketplaces. Operation Magnus, a joint Dutch, US, and Belgian law-enforcement operation in October 2024, seized the RedLine infrastructure, indicted the lead developer, and effectively ended new RedLine distribution.

Despite the takedown, RedLine logs continue to appear in 2026 marketplaces for two reasons. First, the existing corpus of pre-takedown logs is enormous and gets repackaged and resold continuously. Second, older RedLine builds and cracked panels still circulate, producing low-volume but ongoing new logs. The credentials inside old RedLine logs are still valid wherever users have not rotated them.

Vidar Stealer: durable middle-tier

Vidar has been continuously active since 2018, which makes it one of the longest-running infostealer families currently on the market. It is technically capable, frequently updated, and distributed primarily through malvertising, cracked software, and YouTube description-link campaigns. Vidar’s authors maintain a paying customer base and have not been disrupted by law enforcement to date.

Vidar’s logs are reliable and complete, with broad browser and wallet coverage. It does not innovate aggressively the way Lumma does, but it does not need to: the steady-state demand for a working stealer keeps Vidar in the top tier.

StealC: cheap and fast

StealC first appeared in early 2023 and rapidly scaled through 2024 and 2025. Its market position is the budget tier: low monthly subscription cost, decent feature coverage, and a low barrier to entry for new operators. This made StealC popular with smaller and less-experienced affiliates and with operators who run high-volume low-margin campaigns.

StealC is heavily distributed through cracked software bundles, fake software-update pages, and YouTube description-link campaigns. It is the family most often seen in the cheapest cloud-log Telegram channels.

Atomic Stealer (AMOS): the macOS leader

Atomic Stealer, marketed as AMOS, is the dominant infostealer targeting macOS. It first surfaced in 2023 and has since become the reference family for macOS credential and cryptocurrency theft. Distribution is primarily through cracked macOS apps and malvertising for popular Mac software (Sketch, Photoshop, video tools).

AMOS’s distinguishing trait is its focus on cryptocurrency wallets. Mac users skew toward higher-value crypto holdings, and AMOS is built to grab wallet files from at least two dozen wallet apps and browser extensions. Keychain extraction is also robust.

ACR Stealer and Meduza: the rising contenders

ACR Stealer and Meduza Stealer are the two rising Russian-language families to watch. Both target Windows, both produce well-structured logs, and both have been gaining traction in private marketplaces through late 2025 and into 2026.

Meduza in particular has invested heavily in evading endpoint detection. Its builds use creative packing and runtime techniques that have caused detection-rate problems for several major endpoint products through 2025. ACR Stealer is the simpler workhorse, popular with operators who want a no-frills, dependable family. Neither has reached Lumma-scale distribution, but both are positioned to fill any gaps the next law-enforcement action creates.

How do infostealers actually steal credentials?

The mechanics are simpler than the marketing implies. All major Chromium-based browsers (Chrome, Edge, Brave, Opera, and others) store saved passwords in an SQLite database at a predictable path. The passwords are encrypted, but the decryption key is also stored on the same machine, scoped to the user’s Windows or macOS profile. An infostealer running as the logged-in user can read both the database and the key, decrypt locally, and dump the cleartext credentials.

The same pattern applies to cookies, autofill, and most browser-stored data. Firefox uses a different format and a master-password option, but most major families support it. Cryptocurrency wallets are typically stored in well-known directory paths, sometimes encrypted with a user-set password and sometimes not.

None of this requires zero-day exploitation, privilege escalation, or kernel-level techniques. Infostealers work because the user, by virtue of being logged in, already has access to everything the malware needs. That is what makes the family of attacks so difficult to defend against at the user level.

How do you know if you are in a stealer log?

The fastest free checks are Stealercheck for any domain you own or work at, and Have I Been Pwned for any email address. Both will tell you whether the domain or email appears in the corpus of leaked stealer logs. Neither will tell you which specific credentials leaked.

For enterprise teams that need to monitor across many domains and many employees continuously, a paid platform like Alerts.bar, SpyCloud, Hudson Rock, or Constella is the next step up. Our best dark-web monitoring review compares the main options.

Frequently asked questions

What is the most active infostealer in 2026?

Lumma Stealer leads by share of fresh logs, followed by StealC. Both grew significantly after Operation Magnus disrupted RedLine and META in late 2024.

Is RedLine Stealer still a threat after the 2024 takedown?

The new-distribution side is largely shut down, but the existing pre-takedown log corpus remains enormous and credentials inside it are still valid wherever users have not rotated. Some older builds and cracked panels still produce low-volume new logs.

What is the leading infostealer on macOS?

Atomic Stealer (AMOS) is the dominant macOS family in 2026. It is distributed primarily through cracked Mac apps and Mac-targeted malvertising, and it specialises in cryptocurrency wallet theft.

How do infostealers usually reach victims?

The top channels in 2026 are malvertising for popular software, SEO poisoning, cracked applications and game cheats, ClickFix or fake captcha pages, and pirated YouTube content. Phishing attachments are a smaller share than people assume.

Why do infostealers matter for ransomware?

Infostealer logs are now the leading initial-access vector for ransomware in 2026. The pipeline is: a device gets infected with an infostealer, the log is sold to an initial access broker, the broker resells corporate access to a ransomware affiliate, the affiliate deploys ransomware. Most major incidents trace back to a stealer log.

Can endpoint detection stop infostealers?

Yes, for known families with current signatures. The challenge is that infostealer authors update builds frequently and use packers and obfuscation specifically to evade endpoint products. Behavioural detection on credential access and cookie reads is more reliable than signature-based detection alone.
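One way to express the behavioural detection mentioned here, tied to the "database plus key" read pattern from the credential-theft section above (an added example, not code from the article): flag any non-browser process that reads both a Chromium secret store and the `Local State` key file within a short window. The file names are Chromium's own; the event schema, allowlist, time window, and sample telemetry are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Real Chromium file names; the event schema and allowlist are assumptions.
SECRET_STORES = {"login data", "cookies", "web data"}
KEY_FILE = "local state"
USER_DATA = re.compile(r"\\user data\\", re.I)
# Name-only allowlist for brevity; production rules should match signer and path.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_store_and_key_readers(events, window_s=60):
    """Non-browser processes that read a secret store AND the key file
    under a Chromium 'User Data' directory within window_s seconds."""
    seen = defaultdict(lambda: {"store": [], "key": []})
    for e in events:
        if leaf(e["image"]) in BROWSERS or not USER_DATA.search(e["target"]):
            continue
        name = leaf(e["target"])
        proc = (e["host"], e["pid"], e["image"])
        if name in SECRET_STORES:
            seen[proc]["store"].append(e["ts"])
        elif name == KEY_FILE:
            seen[proc]["key"].append(e["ts"])
    alerts = []
    for proc, hits in seen.items():
        # Either read alone is common (AV, indexers); the pair is the signal.
        if any(abs(s - k) <= window_s for s in hits["store"] for k in hits["key"]):
            alerts.append(proc)
    return sorted(alerts)

UD = r"C:\Users\amy\AppData\Local\Google\Chrome\User Data"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPED = r"C:\Users\amy\AppData\Local\Temp\setup_x.exe"
# Constructed sample file-read telemetry: (ts, host, pid, image, target)
ROWS = [
    (100, "WS-014", 4112, CHROME, UD + r"\Default\Login Data"),
    (101, "WS-014", 4112, CHROME, UD + r"\Local State"),
    (200, "WS-014", 7788, DROPPED, UD + r"\Local State"),
    (203, "WS-014", 7788, DROPPED, UD + r"\Default\Login Data"),
    (204, "WS-014", 7788, DROPPED, UD + r"\Default\Network\Cookies"),
    (300, "WS-020", 900, r"C:\Program Files\AV\scan.exe", UD + r"\Default\Network\Cookies"),
    (10, "WS-031", 55, r"C:\Tools\tool.exe", UD + r"\Local State"),
    (500, "WS-031", 55, r"C:\Tools\tool.exe", UD + r"\Default\Login Data"),
]
SAMPLE_EVENTS = [dict(zip(("ts", "host", "pid", "image", "target"), r)) for r in ROWS]
```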

Is ClickFix only used by Lumma?

No. ClickFix and fake-captcha distribution started gaining mass adoption in 2024 and is now used by StealC, ACR, and others. Lumma drove the technique to scale but the playbook has spread across families.

Related Ransomnews coverage

  • Stealer logs explained, what the logs contain, how they leak, and how to check yours.
  • Session cookie theft and MFA bypass, what infostealers do with the cookies they harvest.
  • Initial access brokers and the ransomware supply chain, the buyers on the demand side of the stealer-log market.
  • Stealercheck, our free domain-exposure lookup.
  • Alerts.bar review, an enterprise-grade stealer-log monitoring platform.
  • Best dark-web monitoring, paid options for continuous credential exposure tracking.
  • About the Ransomnews Research Team.


This review reflects the infostealer ecosystem as of June 2026, including the post-Operation-Magnus landscape. Family-share comparisons are qualitative, not exact percentages. Specific marketplace names and Telegram channels are intentionally omitted to avoid amplification.

Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.
