Top Infostealers 2026
The most active information-stealing malware families ranked by sample volume.
Agent Tesla
infostealer ↓ Declining 23%
A long-running .NET-based keylogger and infostealer distributed primarily through phishing emails, with extensive data exfiltration channel options.
Vidar
infostealer ↑ Rising 47%
A C++-based infostealer forked from Arkei, notable for abusing legitimate platforms like Telegram and Steam for dead-drop C2 resolution.
Formbook
infostealer ↓ Declining 30%
A prolific information stealer and form grabber sold as malware-as-a-service, known for its advanced anti-analysis techniques and cross-platform evolution into XLoader.
Lumma Stealer
infostealer
A Malware-as-a-Service infostealer sold on dark web forums, specializing in cryptocurrency wallet theft and browser credential extraction.
Raccoon Stealer
infostealer
A C/C++ infostealer operated as MaaS, known for its user-friendly panel and the arrest of its lead developer by the FBI in 2022.
RedLine Stealer
infostealer
A widely distributed .NET-based infostealer sold on underground forums, known for harvesting browser credentials, cryptocurrency wallets, and system metadata.
What Are Infostealers?
Information stealers (infostealers) are malware designed to extract sensitive data from infected systems — browser credentials, cryptocurrency wallets, session cookies, and autofill data. They're typically distributed through phishing emails, cracked software, and malicious ads. Stolen data is sold on dark web markets or used for account takeover, financial fraud, and corporate network access.
In 2026, infostealers remain the most commercially successful category of malware, with Malware-as-a-Service (MaaS) platforms like Lumma and RedLine offering subscription models starting at $150/month. The data below tracks real-time sample submissions to MalwareBazaar and ThreatFox, providing daily visibility into which stealers are most active.