Frequently Asked Questions

Credential Stealers & Threat Landscape

What are credential stealers and why are they a threat?

Credential stealers are malicious software designed to collect login information such as usernames and passwords from infected systems. They pose a significant threat because they can compromise sensitive accounts, steal financial data, and facilitate further attacks like lateral movement or privilege escalation within organizations.

What is Vidar and how does it operate?

Vidar is an information stealer trojan first identified in December 2018. Written in C++, it can steal text files, browser cookies, history, autofill data, banking and credit card details, and even cryptocurrency wallet information. Vidar can also take screenshots and steal private messages. It sends stolen data to a control server and then deletes itself from the system to avoid detection.

How does Raccoon stealer work and what makes it popular?

Raccoon is an info stealer malware available as Malware-as-a-Service since 2019. It is popular due to its user-friendly dashboard and ease of use for attackers. Raccoon can steal passwords, browser data, cryptocurrency wallets, and information from Microsoft Outlook. It collects data, packs it into a ZIP archive, and sends it to the attacker's server.

What are the main capabilities of RedLine stealer?

RedLine is a .NET-based malware written in C# that targets passwords, credit card information, autofill data, cookies, and hardware configuration. It can also deliver other malware like ransomware and RATs. RedLine is distributed via social engineering, spam, and malicious ads, and is available for purchase on underground forums.

How does Taurus stealer infect systems and what data does it target?

Taurus Stealer, active since April 2020, is delivered via malspam campaigns and exploit kits. It targets passwords, cookies, autofill forms, browser history, cryptocurrency wallets, FTP and email client credentials, and system configuration data. Taurus avoids execution in Commonwealth of Independent States (CIS) countries.

What is AZORult and how does it compromise victims?

AZORult is an information stealer discovered in 2016, sold on Russian underground forums. It collects sensitive information such as installed programs, system details, browser credentials, cryptocurrency wallets, and chat histories. AZORult can also create hidden administrator accounts and enable remote access. It is often delivered via exploit kits and phishing emails.

Which cryptocurrencies are targeted by credential stealers like Vidar and AZORult?

Vidar targets Litecoin, Bitcoin, Ethereum, Zcash, and DashCore wallets, while AZORult is known to target Bitcoin, Monero, and uCoin wallets. These malware variants search for wallet information and can steal digital coins from offline wallets.

How do credential stealers typically deliver stolen data to attackers?

Credential stealers like Vidar, Raccoon, and RedLine typically collect data from infected systems, archive it (often as a ZIP file), and send it to a command-and-control (C2) server controlled by the attacker. Some, like Vidar, also delete themselves after exfiltration to avoid detection.

What infection vectors are commonly used by credential stealers?

Credential stealers are commonly delivered via phishing emails, exploit kits (such as Fallout EK), malicious attachments, social engineering, and sometimes through other malware like Ramnit and Emotet that download them as secondary payloads.

How can organizations validate their defenses against credential stealers?

Organizations can use Cymulate's Exposure Validation and Threat Validation solutions to simulate real-world credential stealer attacks, validate their security controls, and identify exploitable vulnerabilities. This proactive approach helps ensure defenses are effective against the latest credential-stealing malware. Learn more about Exposure Validation.

What is the impact of authentication vulnerabilities in organizations?

Authentication vulnerabilities, such as weak or hardcoded passwords, can allow attackers to move laterally, escalate privileges, and compromise critical systems. For a detailed explanation, watch the Understanding the Impact of Authentication Vulnerabilities video.

What was the potential impact of hardcoded and weak passwords found at a manufacturing company?

Weak and hardcoded passwords could be easily guessed or cracked, allowing attackers to move laterally, collect critical information, and escalate privileges to reach the organization's domain controller. This significantly increases the risk of advanced persistent threats (APTs).

How does Cymulate help organizations address credential stealer threats?

Cymulate enables organizations to simulate credential stealer attacks, validate their defenses, and receive actionable insights for remediation. The platform's continuous threat validation ensures that security controls are effective against evolving threats like Vidar, Raccoon, RedLine, Taurus, and AZORult.

How does Cymulate's Threat Validation solution differ from manual pen tests and traditional BAS?

Cymulate's Threat Validation provides automated, continuous security testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. Unlike manual pen tests or traditional BAS, Cymulate offers out-of-the-box integrations, automated mitigation, and actionable remediation, making it faster and more comprehensive. Learn more.

What are the most common infection methods for credential stealers?

Credential stealers are most commonly spread through phishing emails, exploit kits, malicious attachments, and social engineering campaigns. Some are also distributed as secondary payloads by other malware families.

How does Cymulate's platform help with validating exposure to credential stealers?

Cymulate's Exposure Validation continuously tests security controls against the latest credential stealer techniques, ensuring organizations can identify and remediate exploitable exposures before attackers do. This supports a threat-informed defense strategy. Learn more.

What are the key features of Cymulate's Exposure Validation solution?

Cymulate Exposure Validation offers automated offensive testing, a library of over 100,000 attack actions, out-of-the-box integrations, automated mitigation, and daily threat intelligence updates. It supports continuous validation of both prevention and detection controls. Learn more.

How does Cymulate's Threat (IoC) updates feature improve threat resilience?

The Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving resilience by enabling rapid defense against new threats. Data can be exported as plain text or STIX format for integration. (Source: Cymulate Platform Message Guide)

What are some real-world examples of organizations improving security with Cymulate?

Hertz Israel reduced cyber risk by 81% in four months using Cymulate. A sustainable energy company scaled penetration testing cost-effectively, and a credit union optimized SecOps with live-data exercises. See more case studies at Cymulate Customers.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a custom quote, schedule a demo with Cymulate's team.

How easy is it to implement Cymulate and start using it?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and support is available via email, chat, and a knowledge base. (Source: Customer testimonials, Cymulate manual)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight easy implementation, accessible support, and immediate value. (Source: Customer reviews, Cymulate website)

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating robust security and compliance practices. (Source: Security at Cymulate)

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. (Source: Cymulate roles pages)

What are the core problems Cymulate solves?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear risk prioritization, resource constraints, and fragmented security tools by providing continuous threat validation, exposure prioritization, and automation. (Source: Cymulate Platform Message Guide)

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 validation, AI-powered optimization, ease of use, and measurable outcomes like a 52% reduction in critical exposures and 81% reduction in cyber risk. (Source: Cymulate vs. Competitors)

What is Cymulate's approach to security and compliance?

Cymulate employs a robust security program with data encryption (TLS 1.2+ in transit, AES-256 at rest), secure AWS hosting, secure SDLC, vulnerability scanning, third-party penetration testing, and compliance with GDPR and leading standards. (Source: Security at Cymulate)

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. (Source: About Us)

What are the key benefits of using Cymulate?

Key benefits include improved security posture (up to 52% reduction in critical exposures), operational efficiency (60% increase in team efficiency), faster threat validation (40X faster than manual methods), cost savings, and enhanced threat resilience (81% reduction in cyber risk within four months). (Source: Cymulate Platform)

How does Cymulate support different security roles?

Cymulate provides tailored solutions for CISOs (metrics and risk communication), SecOps (automation and efficiency), Red Teams (automated offensive testing), and Vulnerability Management (prioritization and validation). (Source: Cymulate roles pages)

How can I access Cymulate's Threat Exposure Validation Impact Report 2025?

You can download the full report for insights on CTEM, automation, AI, and threat prevention at this link.

What is Gartner's prediction regarding threat exposure findings by 2028?

Gartner predicts that by 2028, more than half of threat exposure findings will result from nontechnical vulnerabilities, requiring a shift in security priorities as these risks surpass traditional IT concerns. (Source: Gartner Strategic Roadmap)

What are the main challenges Continuous Threat Exposure Management (CTEM) addresses?

CTEM helps security leaders manage increasing threats, tool proliferation, and lack of clear answers. It provides a proactive framework to prioritize and mitigate exposures, moving beyond reactive defenses. (Source: CTEM Guide)


Common credential stealers

March 20, 2023

FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common types of stealers are those that collect login information, such as usernames and passwords.

Vidar:

Vidar is an information stealer trojan that was first identified in December 2018. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems. Vidar can be purchased on its "official" website by cyber criminals. Key features include:

- According to analysis of the Vidar trojan, the malware is written in the C++ programming language.
- Capable of stealing text files in multiple formats, browser cookies and history, and browser records, including data from TOR.
- Capable of stealing browser autofill values, including banking and credit card details.
- Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.
- The malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.
- Vidar uses domain names to locate its C&C servers, where the stolen data is dropped; these domains change every four days.
- The malware archives the stolen data and sends it to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Raccoon:

Raccoon is an info stealer type malware available as Malware as a Service. It can be obtained for a subscription. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019. Although some consider it a relatively basic malware, the excellent service from its creators, who distribute it as malware as a service with a user-friendly, simplistic dashboard, helped make Raccoon quite popular. In fact, the malware has already managed to infect upwards of 100,000 devices and became one of the most mentioned viruses in hacker communities. Key features include:

- The stealer is written in C/C++ and can run on 32-bit and 64-bit systems without .NET dependencies.
- Has a very simple format, and the stealer itself lacks any kind of antivirus protection.
- Depending on the configuration enabled by an attacker, it can check system settings, capture screenshots, collect basic information like OS version, IP and username, and steal passwords and logins from a variety of browsers.
- The stealer can retrieve information from Microsoft Outlook as well as steal cryptocurrency wallets.
- After the data collection process ends, the data is packed into a .ZIP archive that is then sent to the attackers' server.

RedLine:

The malware appeared in March 2020. Since then RedLine has only gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021 the malware was found on a legitimate-looking website that provides privacy tools. RedLine Stealer is available for sale on underground forums, apparently as a standalone purchase or on a subscription basis. RedLine stealer is distributed via social engineering in different email campaigns, including business email compromise, spam, fake updates, and ads in Google, resulting in malicious attachments or links. Key features include:

- This malware is .NET malware written in C#, and the code quality is high enough to reveal an experienced programmer behind it.
- Capable of stealing information about users from browsers, systems, instant messaging, and file transfer protocol clients.
- Primarily targets passwords, credit card information, username, location, autofill data, cookies, installed software, and even hardware configuration like keyboard layout, UAC settings, etc.
- The virus is also capable of stealing cryptocurrency.
- The malware can be used to deliver ransomware, RATs, trojans, and miners.

Taurus:

Since April 2020, the C/C++ information-stealing virus known as Taurus Stealer, commonly referred to as Taurus or Taurus Project, has been active in the wild. The initial attack vector often begins with a malspam campaign that disseminates a malicious attachment, while the Fallout Exploit Kit has also been observed doing the delivery.

- Capable of stealing passwords, cookies, and autofill forms along with the history of Chromium- and Gecko-based browsers.
- Taurus can also steal some popular cryptocurrency wallets, commonly used FTP client credentials, and email client credentials.
- Collects information, such as installed software and system configuration, and sends that information back to the attacker.
- Taurus is designed to not execute in countries within the Commonwealth of Independent States (CIS).

AZORult:

The AZORult malware was first discovered in 2016 as an information stealer. It can also act as a downloader of other malware. It was sold on Russian underground forums to collect various types of sensitive information from an infected computer. A variant of this malware was able to create a new, hidden administrator account on the machine and set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as the Fallout Exploit Kit (EK) and phishing emails with social engineering techniques are the major infection vectors of the AZORult malware. Other malware families such as Ramnit and Emotet also download AZORult. Key features include:

- Steals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version.
- Steals the following data: stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software; user names, passwords, and hostnames from different browsers; Bitcoin wallets, Monero and uCoin; Steam and Telegram credentials; Skype chat history and messages.
- AZORult spyware searches for useful information on the affected computer and sends it to the C2 server, potentially to steal the victim's bank account data.
- After execution, the malware is removed from the system due to its lack of a persistence mechanism.
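The behaviour chain the write-up describes for Vidar, Raccoon and AZORult (read browser and wallet stores, pack the data into a ZIP, send it to a C2 server, delete itself) can be turned into a simple per-process correlation over endpoint telemetry. The following Python is an added illustration, not code from the original page, FortiGuard or Cymulate; the event schema, file names and paths are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Files the write-up names as stealer targets: browser credential, cookie and
# autofill stores plus cryptocurrency wallet files. Names are assumptions.
SENSITIVE_RE = re.compile(
    r"(?:Login Data|Web Data|Cookies|cookies\.sqlite|logins\.json"
    r"|places\.sqlite|wallet\.dat)$", re.IGNORECASE)


def classify(ev):
    """Map one endpoint event to a stage of the stealer chain, or None."""
    kind, target, image = ev["type"], ev.get("target", ""), ev["image"]
    if kind == "file_read" and SENSITIVE_RE.search(target):
        return "collect"          # reads browser/wallet stores
    if kind == "file_create" and target.lower().endswith(".zip"):
        return "archive"          # packs the loot into a ZIP
    if kind == "net_connect":
        return "exfil"            # ships it to the C2 server
    if kind == "file_delete" and target.lower() == image.lower():
        return "self_delete"      # removes its own executable
    return None


def stealer_chains(events, min_stages=3):
    """Return {pid: [stages in time order]} for processes hitting >= min_stages.

    A browser reads its own Login Data and talks to the network (2 stages), so
    the default threshold of 3 keeps that benign pattern out of the result."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in seen[ev["pid"]]:
            seen[ev["pid"]].append(stage)
    return {pid: s for pid, s in seen.items() if len(s) >= min_stages}


STEALER = r"C:\Users\u\AppData\Local\Temp\update.exe"   # constructed path
BROWSER = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed sample telemetry, not real logs: pid 4242 walks the whole chain,
# pid 2000 is the browser doing its normal work.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4242, "image": STEALER, "type": "file_read", "target": LOGIN_DATA},
    {"ts": 2, "pid": 4242, "image": STEALER, "type": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat"},
    {"ts": 3, "pid": 4242, "image": STEALER, "type": "file_create",
     "target": r"C:\Users\u\AppData\Local\Temp\out.zip"},
    {"ts": 4, "pid": 4242, "image": STEALER, "type": "net_connect", "target": "203.0.113.10:443"},
    {"ts": 5, "pid": 4242, "image": STEALER, "type": "file_delete", "target": STEALER},
    {"ts": 1, "pid": 2000, "image": BROWSER, "type": "file_read", "target": LOGIN_DATA},
    {"ts": 2, "pid": 2000, "image": BROWSER, "type": "net_connect", "target": "198.51.100.7:443"},
]
```

Running `stealer_chains(SAMPLE_EVENTS)` flags only pid 4242 with all four stages; lowering `min_stages` to 2 shows why the threshold matters, because the browser then appears as well.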