The Infostealer Economy in April 2026: Where the Threat Has Moved


The infostealer category has remained one of the most consequential and underrated parts of the cybercriminal supply chain. The April 2026 update is that the ecosystem has continued to professionalise in ways that affect how defenders should think about the threat.

The dominant families through late 2025 and into 2026 have continued to be Lumma, Redline, and Vidar, with several newer entrants gaining share as the older infrastructures faced takedown actions and as criminal customers diversified their supply.

The pricing and distribution model has continued in the malware-as-a-service direction. Operators sell access to infrastructure and updates rather than selling the malware itself. Affiliates handle distribution through search engine poisoning, malicious software cracks, and increasingly through compromised legitimate software supply chains. The economics of this model are robust enough that disruption operations can take down individual infrastructures without breaking the broader ecosystem.

The post-collection economy is where the real value is. Stealer logs (the bulk data extracted from infected machines) feed downstream initial access brokers, ransomware affiliates, and account takeover operations. The price for a single fresh log from a corporate machine has risen as defender capability has reduced average dwell time. Initial access broker pricing for confirmed access to an enterprise target has remained roughly stable in real terms.

What’s changed in defender response is the integration of stealer log monitoring into more mature security operations. Several services now offer continuous monitoring of leaked credentials against an organisation’s identity inventory, with the ability to detect employee credentials in fresh stealer drops within hours. The faster credential rotation enabled by this monitoring has measurably reduced the value of stealer logs against well-defended targets.
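As an added illustration of the monitoring loop described above (not code from the article or from any vendor's service): it parses a constructed stealer-log drop, matches it against a constructed identity inventory, and decides per account whether the leaked credential is likely still live. The log line format, the domains, the NetBIOS mapping, and the rotation dates are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the "URL / USER / PASS" triplets typically found in
# stealer logs. Password values are placeholders and are never stored below.
SAMPLE_DROP = """\
URL: https://sso.corp.example/login | USER: alice@corp.example | PASS: x
URL: https://mail.corp.example/owa | USER: CORP\\bob | PASS: y
URL: https://shop.example.net/account | USER: alice@corp.example | PASS: z
URL: https://vpn.corp.example/ | USER: carol@contractor.example | PASS: w
"""
CAPTURED_AT = datetime(2026, 4, 5, tzinfo=timezone.utc)  # constructed drop time
# Constructed identity inventory: canonical account -> last password rotation.
INVENTORY = {
    "alice@corp.example": datetime(2026, 4, 1, tzinfo=timezone.utc),
    "bob@corp.example": datetime(2026, 4, 10, tzinfo=timezone.utc),
}
CORP_DOMAINS = {"corp.example"}        # hosts we treat as our own services
NETBIOS = {"CORP": "corp.example"}     # assumed DOMAIN\\user -> mail domain
LINE_RE = re.compile(r"URL:\s*(\S+)\s*\|\s*USER:\s*(\S+)\s*\|\s*PASS:")

def normalise_user(user):
    """Map 'DOMAIN\\user' and mixed-case e-mail forms to one canonical key."""
    if "\\" in user:
        dom, name = user.split("\\", 1)
        return f"{name.lower()}@{NETBIOS.get(dom.upper(), dom.lower())}"
    return user.lower()

def parse_drop(text):
    """Yield (url, canonical_user) pairs; the password field is discarded."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), normalise_user(m.group(2))

def triage(text, captured_at):
    """Return {account: action} for inventory accounts present in the drop.
    rotate-now: password unchanged since capture and the site is ours, so the
      leaked credential is probably still valid.
    reuse-check: corporate identity used on a third-party site; rotate there
      and confirm the same password is not also in use internally.
    already-rotated: rotation postdates capture; verify, but lower urgency."""
    rank = {"rotate-now": 2, "reuse-check": 1, "already-rotated": 0}
    actions = {}
    for url, user in parse_drop(text):
        last_rotation = INVENTORY.get(user)
        if last_rotation is None:
            continue                      # not one of our identities
        host = url.split("/")[2]
        ours = any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)
        action = ("already-rotated" if last_rotation > captured_at
                  else "rotate-now" if ours else "reuse-check")
        if rank[action] > rank.get(actions.get(user), -1):
            actions[user] = action        # keep the most urgent action seen
    return actions
```

Hooking the inventory up to the directory and the `captured_at` value to the drop's own metadata is what turns this into the hours-scale detection the monitoring services advertise.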

The endpoint detection picture remains uneven. Mature EDR deployments catch most of the well-known infostealer families before significant data exfiltration. Less mature endpoint security stacks continue to be where the vast majority of successful infections happen. The defensive divide between organisations with mature security operations and those without has widened.

For organisations thinking about infostealer risk in 2026, the basic controls haven’t changed. EDR with active response capability. MFA on everything that supports it, with FIDO2 where available for critical accounts. Credential monitoring against leaked datasets. Education that doesn’t rely on users to detect modern stealer delivery, because they won’t.

The longer-term outlook depends heavily on whether disruption operations can scale faster than the criminal ecosystem can adapt. The track record so far is one of disruptions causing temporary dips followed by rapid replacement of capacity. The arms race continues.