Information from the build machine path | Image: Unit 42
In April 2026, security researchers uncovered a massive Vidar stealer campaign distributing data theft and cryptocurrency mining tools. Attackers used oversized files and fake certificates to trick victims.
At a Glance
- Malware Family: Vidar stealer, XMRig
- Threat Actor: Suspected Vidar malware-as-a-service affiliate
- Targets or Victims: Consumers and SMBs in the U.S. and EU
- Delivery Vector: Malvertising (fake software cracks)
- Key Capabilities: Data theft, cryptomining, file inflation, AMSI bypass
- Source: Palo Alto Networks Unit 42
TL;DR
This recent Vidar stealer campaign targets users with fake software cracks to deploy multiple malicious payloads. The attackers use the Factory-v3 loader to drop Vidar stealer and the XMRig miner. Consequently, these tools steal sensitive data and hijack processing power.
Delivery
The Vidar stealer campaign relies heavily on malvertising. Attackers actively target users searching for cracked versions of popular software. They direct these victims to malicious download pages.
The payload arrives as a password-protected archive with a .bin extension. This specific choice helps the files bypass email security gateways. It also prevents automated sandbox systems from analyzing the contents. Once a user extracts the file, the danger begins.
Infection Chain
The initial file is a Factory-v3 loader. This loader uses several tricks to evade detection. First, attackers inflate the file size massively. They append hundreds of megabytes of null bytes to the file. Some samples reached 491 megabytes. This size inflation causes many automated scanners to skip the file entirely.
Next, the Factory-v3 loader presents a fake Authenticode certificate. Early versions mimicked a German streaming service called JustWatch. Later versions cloned the certificate metadata of Bleacher Report. According to a report from Palo Alto Networks, “Because the certificate is not chained to a Microsoft-trusted root, Windows SmartScreen and Authenticode validation will flag the binary as untrusted.” However, the recognizable brand name often tricks users into proceeding anyway.
The malware also patches system memory. It alters the Antimalware Scan Interface (AMSI) buffer. This patch forces the scanner to return an invalid argument error. Consequently, it disables AMSI for subsequent scripts. After bypassing these defenses, the loader drops Vidar stealer and XMRig onto the system. It establishes persistence using registry keys and scheduled tasks. Attackers name the malicious file to resemble a legitimate Windows Defender component.
Command-and-Control and Data-Exfiltration Behaviour
Once active, Vidar stealer targets browser credential stores. It also hunts for cookies and cryptocurrency wallet data. The malware packages all this stolen information into a ZIP file. It then sends this file to a remote command-and-control server.
Meanwhile, the XMRig miner executes in the background. It connects to a remote mining pool to generate Monero cryptocurrency. The malware links each victim’s hardware ID to the mining output. Therefore, the attacker can track individual profitability. Finally, the system sends an alert to a Telegram channel. This message informs the operator about the new infection.
Defense or Detection Guidance
Organizations must enforce strict Authenticode chain validation to stop this Vidar stealer campaign. Security teams should configure their tooling to strip null bytes before applying file size limits. This action exposes the true size of the malware.
Furthermore, defenders should monitor for unexpected binary executions from temporary folders. They must also watch for unauthorized DLL sideloading attempts. Specifically, analysts must watch for fake Windows Defender DLLs loading from non-standard paths. Security administrators should block known malicious infrastructure immediately.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.