Russian Market from the Inside: Key Findings from Rapid7's Threat Research

News | 31.10.2025

The online cybercrime platform Russian Market has evolved from a marketplace for Remote Desktop Protocol (RDP) access into one of the most active underground hubs for infostealer malware logs, where stolen user credentials are sold daily. Each compromised login represents a potential gateway into corporate systems, enabling threat actors to launch credential-based attacks that put companies, government agencies, and individuals at risk of account compromise and subsequent cyberattacks. Notably, several high-profile breaches have been linked to credentials acquired on platforms like Russian Market, demonstrating how a single exposed password can lead to significant data loss, financial damage, and reputational harm.

The growing trade in stolen credentials is fueled by large-scale campaigns using information-stealing malware that infects employees' devices both in the office and at home, quietly harvesting logins that may already be circulating illicitly by the time the victim notices. This significantly increases the likelihood of corporate credential exposure, making the monitoring of stolen employee credentials critically important. However, Russian Market is a closed community with access controls meant to keep outsiders out, which makes it hard for security professionals to track stolen data. By analyzing key vendors and malware variants, our research provides a rare insider view of Russian Market activities and shows why organizations must act now to enhance credential monitoring and expand detection capabilities.

Russian Market at a Glance

  • Russian Market has evolved over time: its operations shifted from selling RDP access to trading stolen credit card data, and more recently to selling infostealer logs. This is a strategic pivot toward more scalable and potentially lucrative offerings.
  • Stolen credentials originate from organizations worldwide; the largest shares in the data set came from the US (26%) and Argentina (23%).
  • In the first half of 2025, over 180,000 infostealer logs were offered for sale, with the market largely dominated by three key vendors: Nu####ez, bl####ow, and Mo####yf.
  • Most sellers have adopted a multi-stealer approach over the years, leveraging various malware variants in their operations. Lumma has emerged as one of the most widely used tools.
  • The most common infostealer types used by Russian Market sellers over the years have been Raccoon, Vidar, Lumma, RedLine, and Stealc, with Rhadamanthys and Acreed gaining popularity in the first half of 2025.

Top Infostealer Families on Russian Market

  • Raccoon - 32%.
  • Vidar - 22%.
  • Lumma - 13%.
  • RedLine - 12%.
  • Stealc - 5%.

Raccoon

Raccoon (also known as Mohazo and Racealer) was first observed by cybersecurity researchers in April 2019. Sold as Malware-as-a-Service (MaaS) and distributed globally, it has infected hundreds of thousands of Windows devices in countries such as the United States, the United Kingdom, France, Germany, Italy, India, and Australia. Some experts consider Raccoon the successor to the now-defunct Azorult infostealer.

The malware, written in C++, is typically distributed through malvertising or phishing email campaigns. It has also been observed spreading via lure web pages redirecting users to sites containing exploit kits (e.g., Fallout and RIG) or prompting them to download seemingly legitimate software.

Once installed, the infostealer connects to a C2 server and downloads a specific DLL file required for the exfiltration process. Raccoon then begins collecting sensitive information, including system data, user credentials, and web browser information (cookies, autofill data, history, and credit card information). Additionally, it can take screenshots, harvest cryptocurrency wallet data, and serve as a dropper for other malicious files. Raccoon deletes itself upon completing the exfiltration process.

Vidar

Vidar is a malware family, primarily operating as an infostealer, active since at least October 2018. Its name comes from Norse mythology. Vidar is based on the Arkei stealer and was one of the first infostealers capable of obtaining information from two-factor authentication (2FA) software and the Tor browser.

Vidar typically spreads via phishing emails that convince victims to download and execute the malware. It has also been observed spreading through direct messages on social networks and fake advertisements on various gaming forums. The malware is used to steal various types of sensitive information, such as documents, cookies, system data, user credentials, and cryptocurrency wallet information. It can also take screenshots of the victim's machine. Stolen data is then exfiltrated to the corresponding C2 server.

This infostealer has been used in numerous malvertising campaigns, some of which involved deploying ransomware such as GandCrab, Zeppelin, and DeathRansom.

Lumma

The Lumma Stealer malware was first observed in August 2022 and sold by the threat actor Shamel (also known as Lumma) on a Russian underground forum. Distributed as Malware-as-a-Service (MaaS), the infostealer is used by various threat actors in multiple campaigns worldwide. Analysis suggests Lumma Stealer is based on Mars Stealer and Arkei.

Written in C, Lumma Stealer primarily spreads through malicious websites promoting illegal software, such as cracks and keygens. It has also been delivered via phishing emails with malicious links. Once deployed (sometimes using PureCrypter), the malware collects general system information (e.g., CPU name, physical memory, system language) and harvests TXT files, cryptocurrency information, two-factor authentication (2FA) tokens, and web browser data (history, credentials, and cookies). Stolen data is packed into a ZIP archive and exfiltrated to a C2 server via HTTP POST.

To evade detection, Lumma Stealer performs anti-sandbox and anti-debugging checks and employs string and code obfuscation.

RedLine

The RedLine Stealer malware was first detected in February–March 2020 during the COVID-19 pandemic. It was part of a malspam campaign that encouraged victims to “help fight the coronavirus” by installing a “legitimate” application on their system. The malware has been offered for sale on several Russian underground forums, with pricing varying depending on version (standalone/subscription) and additional customization services offered by the threat actor.

RedLine, written in C#, has been continuously updated to improve its capabilities and efficiency. Its primary goal is to harvest information from infected machines, such as saved login credentials, credit card numbers, FTP client data, web browser data, instant messaging client data, and cryptocurrency wallet data. The malware can evade security products, steal downloaded files, execute commands, and send all collected data to a remote C2 server.

Stealc

Stealc was first reported by cybersecurity researchers in February 2023 after being promoted on a Russian-speaking underground forum by a user named "Plymouth." The malware, written in C, is based on the Vidar, Raccoon, Mars, and RedLine infostealers.

Like other infostealers, Stealc is believed to be distributed via malicious installers for allegedly cracked software. Once deployed, the malware decodes its strings (most are RC4-encrypted and then Base64-encoded) and checks that it is not running in a virtual machine or sandbox. Once these checks pass, Stealc resolves the WinAPI functions it needs dynamically and establishes a connection to a C2 server.
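
The string-decoding step described above (RC4 followed by Base64) is straightforward to reproduce on the analyst side. The following is an added example, not code from the Rapid7 research or from any malware sample: it implements RC4 and a decoder for Base64-wrapped RC4 ciphertext, then runs it over a constructed set of blobs under a hypothetical key. A real sample's key has to be recovered from the binary first; with a wrong key the Base64 usually decrypts to bytes that are not valid UTF-8, which the batch decoder reports by skipping the blob.

```python
import base64

# Added example: analyst-side decoder for Stealc-style obfuscated strings
# (RC4, then Base64). SAMPLE_KEY and SAMPLE_STRINGS are constructed for this
# illustration and are not taken from any real sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate_string(key: bytes, plaintext: str) -> str:
    """RC4-encrypt then Base64-encode; used here only to build sample input."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate_string(key: bytes, blob: str) -> str:
    """Base64-decode, RC4-decrypt, decode as UTF-8. Raises ValueError (or its
    subclasses binascii.Error / UnicodeDecodeError) on bad Base64 or on
    ciphertext that does not decrypt to text, a strong hint of a wrong key."""
    raw = base64.b64decode(blob, validate=True)
    return rc4(key, raw).decode("utf-8")


def deobfuscate_all(key: bytes, blobs) -> dict:
    """Decode every candidate blob, skipping the ones that fail to decode."""
    results = {}
    for blob in blobs:
        try:
            results[blob] = deobfuscate_string(key, blob)
        except ValueError:
            continue
    return results


# Constructed sample: hypothetical key and strings of the kind a stealer
# hides (API names, browser database paths, HTTP headers).
SAMPLE_KEY = b"example-key-0123"
SAMPLE_STRINGS = [
    "kernel32.dll",
    "LoadLibraryA",
    "\\Login Data",
    "Content-Type: multipart/form-data",
]
SAMPLE_BLOBS = [obfuscate_string(SAMPLE_KEY, s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, clear in deobfuscate_all(SAMPLE_KEY, SAMPLE_BLOBS).items():
        print(f"{blob}  ->  {clear!r}")
```

In practice the blobs are harvested from the unpacked binary (every Base64-looking string constant is a candidate) and the key from the routine that calls the decryptor; running the batch decoder with the recovered key and looking at how many blobs decode cleanly is a quick sanity check that the key is right.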

The infostealer then collects general system information and harvests data from web browsers (cookies, autofill, history), extensions, cryptocurrency wallets, and various installed apps such as Discord, Telegram, Outlook, and Steam. Additionally, Stealc retrieves a custom file grabber to steal specific file types predetermined by its operators.

Data is then exfiltrated to the C2 server via HTTP POST, and all traces of the malware are removed from the system.

For organizations, the widespread trade of stolen credentials on platforms like Russian Market calls for robust protections, including multi-factor authentication, continuous monitoring for compromised accounts, and proactive threat intelligence. Because these stealers also take browser cookies, a stolen session can be replayed without the password or a second factor; when a compromised account is reset, its active sessions and tokens should be revoked as well.

For Rapid7 MDR customers, multiple detections are in place to identify and alert on typical infostealer threat actor behaviors:

  • RedLine: ET MALWARE RedLine Stealer — CheckConnect Response. ET MALWARE Redline — GetArguments Request.
  • Lumma: Suspicious Process - Lumma Stealer Related Process Executed. Suspicious Web Request - Lumma Stealer URL Observed. IDS (ET MALWARE) related detections.
  • Vidar/Stealc: Suspicious Process - Vidar/Stealc Related Binary Executed. Suspicious Web Request - Vidar/Stealc Stealer URL Observed. IDS (ET MALWARE) related detections.
  • Raccoon: IDS (ET MALWARE) related detections for C2 domains.

Rapid7 Intelligence Hub

Customers leveraging Rapid7 Intelligence Hub can access indicators of compromise (IOCs) related to Vidar and Lumma, as well as the latest developments and associated campaigns.

In addition, multiple detections are in place for Threat Command and MDRP customers to identify and alert on these threat actor behaviors. Specifically, Threat Command monitors dark web activity, including company credentials harvested with infostealers and offered for sale on Russian Market.

Relevant bots (on Russian Market, a "bot" is the log harvested from one infected machine) are flagged based on the customer's assets, such as domains, brand names, company names, external IP addresses, or login pages. When a bot containing these assets is identified, a "Bot Data for Sale" alert is issued. In addition to notifying customers of credential exposure, these alerts allow them to quickly and securely acquire the detected bot through the "Ask an Analyst" service.
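
How the asset-based matching described above can work in practice, as an added example that is not Rapid7's or Threat Command's code: it parses a stealer-log password file in a simplified, assumed URL:/USER:/PASS: record layout (real logs differ by family), flags records whose URL host, login page, or account e-mail domain belongs to the monitored organization, and fingerprints rather than stores the recovered passwords. The organization, domains, accounts and passwords in the sample are all constructed.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not Rapid7 / Threat Command code. The URL:/USER:/PASS: record
# layout is an assumed, simplified stealer-log format; real families use their
# own field names. All domains, accounts and passwords below are constructed.


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str


def _to_credential(fields: dict):
    """One parsed record -> Credential, or None if it has no URL."""
    if not fields.get("url"):
        return None
    return Credential(fields["url"], fields.get("user", ""), fields.get("pass", ""))


def parse_passwords_file(text: str) -> list:
    """Parse blank-line-separated 'KEY: value' records; tolerates missing fields."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if (cred := _to_credential(current)) is not None:
                records.append(cred)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: URLs contain ':'
        if sep:
            current[key.strip().lower()] = value.strip()
    if (cred := _to_credential(current)) is not None:
        records.append(cred)
    return records


def host_matches(host: str, monitored_domain: str) -> bool:
    """Host is the monitored domain or a subdomain of it. The leading dot
    stops 'notexample-corp.com' matching 'example-corp.com'."""
    host, domain = host.lower().rstrip("."), monitored_domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_exposures(records, monitored_domains, login_pages=(), email_domains=()):
    """Records touching the organization: a monitored web domain, a known login
    page URL prefix, or a corporate e-mail address used as the account name
    (which also catches corporate identities reused on third-party sites)."""
    hits = []
    for rec in records:
        host = urlsplit(rec.url).hostname or ""
        domain_hit = any(host_matches(host, d) for d in monitored_domains)
        page_hit = any(rec.url.lower().startswith(p.lower()) for p in login_pages)
        user_domain = rec.user.rpartition("@")[2].lower() if "@" in rec.user else ""
        email_hit = any(user_domain == d.lower() for d in email_domains)
        if domain_hit or page_hit or email_hit:
            hits.append(rec)
    return hits


def password_fingerprint(password: str) -> str:
    """Short SHA-256 prefix for correlating exposures without storing the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def redact(rec: Credential) -> dict:
    """What goes into the alert: URL, account and fingerprint, never the password."""
    return {"url": rec.url, "user": rec.user, "password_fp": password_fingerprint(rec.password)}


def reused_fingerprints(records) -> set:
    """Fingerprints seen on more than one record: one reused password means
    one exposure compromises several accounts."""
    seen, reused = set(), set()
    for rec in records:
        fp = password_fingerprint(rec.password)
        if fp in seen:
            reused.add(fp)
        seen.add(fp)
    return reused


# Constructed sample log for the hypothetical organization example-corp.com.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: j.doe@example-corp.com
PASS: Winter2025!

URL: https://mail.google.com/
USER: jdoe.personal@gmail.com
PASS: hunter2

URL: https://vpn.example-corp.com/remote/login
USER: jdoe
PASS: Winter2025!

URL: https://shop.example.net/account
USER: j.doe@example-corp.com
PASS: shopping123
"""
MONITORED_DOMAINS = ["example-corp.com"]
LOGIN_PAGES = ["https://vpn.example-corp.com/remote/login"]
EMAIL_DOMAINS = ["example-corp.com"]


def scan_sample() -> list:
    """Run the matcher over the constructed sample and return matching records."""
    return find_exposures(parse_passwords_file(SAMPLE_LOG),
                          MONITORED_DOMAINS, LOGIN_PAGES, EMAIL_DOMAINS)


if __name__ == "__main__":
    hits = scan_sample()
    for hit in hits:
        print(redact(hit))
    print("reused password fingerprints:", reused_fingerprints(hits))
```

The personal Gmail record is deliberately not a hit, while the third-party shop account is, because its username is a corporate e-mail address. The two records sharing a fingerprint show why a reset should cover every account the password was reused on. A plain SHA-256 prefix is adequate for correlation inside the SOC but is trivially reversible for weak passwords; if fingerprints leave that boundary, use a keyed hash (HMAC) with a secret instead.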

For personalized consultation on Rapid7 solutions, contact Softprom specialists.

Softprom is an official Rapid7 distributor.