What are examples of infostealer malware in 2025?
Several credential stealer families are actively used in 2025, each with slightly different focus areas, delivery methods, and payloads. Many are sold as malware-as-a-service (MaaS), meaning they can be easily purchased and deployed by attackers without technical skill.
The most commonly seen families include:
Lumma — the most dominant infostealer in 2025, known for rapid development, modular payloads, and advanced evasion features
RedLine — formerly the number 1 infostealer, now overtaken by Lumma. It is still widely distributed. Several of its infrastructure servers were taken down during Operation Magnus, a coordinated law enforcement effort in 2024
Raccoon v2 — recently re-emerged after a takedown, popular for its low cost and simplicity
Meta — shares infrastructure with other loaders and is often part of multi-stage attacks
RisePro — believed to be a fork of Lumma, with a focus on exfiltrating financial and session data
Vidar — includes clipboard and file grabber features, sometimes deployed alongside ransomware