HomeEventsFake Software Cracks Fuel Global Vidar Stealer Campaign as Attackers Pair Credential...

Fake Software Cracks Fuel Global Vidar Stealer Campaign as Attackers Pair Credential Theft with Cryptomining

Date:

Related stories

spot_imgspot_imgspot_imgspot_img

A New Evolution of Vidar Malware Raises the Stakes. Cybercriminals are once again proving that one successful infection can generate multiple revenue streams.

Researchers from Palo Alto Networks Unit 42 have uncovered a sophisticated global cybercriminal campaign that combines the infamous Vidar Stealer with the XMRig Monero cryptocurrency miner, allowing attackers to simultaneously steal sensitive information and monetize infected systems through illicit cryptocurrency mining.

The financially motivated campaign, first observed in April 2026, primarily targeted victims across the United States and the European Union, although its delivery method – malvertising promoting cracked commercial software – gives it the potential to impact users worldwide.

The research highlights how modern cybercriminals continue refining their operations by combining information theft, cryptojacking, fake digital certificates and anti-analysis techniques into a single infection chain.

The Attack Starts with a Fake Software Crack

Unlike sophisticated nation-state attacks that often rely on zero-day vulnerabilities, this campaign exploits something far simpler: human curiosity and the desire to obtain pirated software.

Victims searching online for cracked versions of commercial applications are redirected through malicious advertisements to convincing download pages.

Instead of downloading free software, victims receive password-protected archives disguised as legitimate installers.

Once executed, a malicious Go-based loader immediately deploys two separate payloads:

  • Vidar Stealer
  • XMRig cryptocurrency miner

This dual-payload approach allows attackers to maximize profit from every compromised computer.

Two Revenue Streams from One Victim

The campaign illustrates how financially motivated cybercrime has evolved beyond simple credential theft.

Vidar Stealer

Vidar focuses on collecting valuable information including:

  • Browser passwords
  • Saved credentials
  • Session cookies
  • Cryptocurrency wallets
  • Browser history
  • Device information

The stolen information is compressed and transmitted to attacker-controlled command-and-control servers before potentially being sold on underground marketplaces.

XMRig Miner

While Vidar quietly steals data, XMRig begins mining Monero (XMR) using the victim’s CPU resources.

The result is a continuous source of passive income for attackers while simultaneously degrading the victim’s system performance and increasing electricity consumption.

Factory-v3 Makes Every Malware Sample Unique

One of the campaign’s most notable technical characteristics is its reliance on the Factory-v3 Malware-as-a-Service (MaaS) builder.

Instead of distributing identical malware samples, Factory-v3 automatically creates unique binaries for each build.

Researchers identified:

  • 43 initial malware samples
  • 27 different build UUIDs
  • Unique hashes for nearly every build

This significantly weakens traditional hash-based detection methods used by many security products.

The same malware builder has reportedly been linked to campaigns involving other information stealers, including Lumma Stealer, suggesting multiple criminal affiliates share the same malware generation platform.

Fake Digital Certificates Designed to Fool Victims

Another clever tactic involved fraudulent code-signing certificates.

The attackers embedded certificates impersonating legitimate companies including:

  • JustWatch
  • Bleacher Report

Importantly, neither company was compromised.

Instead, attackers generated counterfeit certificates displaying familiar company names despite lacking trust from Microsoft’s certificate infrastructure.

Although Windows correctly flags these executables as untrusted, many users may only notice the recognizable brand name and incorrectly assume the software is legitimate.

This technique demonstrates that attackers increasingly exploit user trust rather than attempting to bypass every technical security control.

Oversized Malware Evades Security Sandboxes

Perhaps the campaign’s most innovative evasion technique involved artificially inflating malware file sizes.

Several loader files exceeded 490 MB, despite containing only around 2.3 MB of actual malicious code.

The remaining hundreds of megabytes consisted entirely of null-byte padding.

Many automated malware sandboxes impose upload limits between 50 MB and 100 MB, meaning oversized files are frequently ignored without ever being analyzed.

This simple trick allows malware to bypass many automated detection environments.

AMSI Bypass Weakens Endpoint Protection

The malware also disables an important Windows security component before stealing any information.

Researchers discovered an in-memory bypass of Microsoft’s Antimalware Scan Interface (AMSI).

Rather than disabling antivirus software directly, the malware patches the AmsiScanBuffer function in memory, preventing certain scripts and malicious code from being inspected.

Combined with string obfuscation and encrypted configuration data, this significantly complicates both detection and forensic analysis.

Three Persistence Mechanisms Keep Malware Alive

To survive system reboots, the attackers establish persistence through multiple Windows mechanisms simultaneously:

  • Registry Run keys
  • Scheduled Tasks
  • Startup folder batch scripts

Each persistence method ultimately launches a file named NisSrv.exe, intentionally chosen because it resembles a legitimate Windows Defender component.

Using filenames that imitate trusted Microsoft services remains one of the oldest – and still most effective – social engineering techniques.

Telegram Notifications Keep Attackers Updated

Once an infection succeeds, the malware immediately notifies the operator through Telegram.

Each compromised system generates alerts labelled:

X3D MINER • NEW LOG

The notification includes:

  • Victim country
  • Public IP address
  • Hardware identifier
  • Mining information

This allows operators to monitor infections in real time while tracking mining revenue generated by each compromised machine.

Why This Campaign Matters

This campaign reflects several broader cybersecurity trends shaping today’s threat landscape.

First, cybercriminals increasingly combine multiple monetization methods into a single attack.

Instead of choosing between credential theft or cryptomining, they now perform both simultaneously.

Second, Malware-as-a-Service ecosystems continue lowering the barrier to entry.

Affiliates no longer require advanced development skills when builders like Factory-v3 generate customized malware automatically.

Finally, attackers continue investing heavily in detection evasion rather than exploiting new software vulnerabilities.

Techniques such as oversized binaries, rogue certificates, AMSI bypasses and per-build hash randomization demonstrate that evasion remains a central priority for financially motivated threat actors.

What It Means for Organizations

For enterprises, this campaign reinforces several critical realities:

  • Pirated software remains a major infection vector.
  • Trusting digital signatures without validating certificate chains is dangerous.
  • Traditional signature-based detection alone is no longer sufficient.
  • Endpoint Detection and Response (EDR) solutions must identify behavioral anomalies rather than relying solely on file hashes.
  • Threat hunting teams should monitor persistence mechanisms, suspicious DLL sideloading and unexpected cryptomining activity.

Organizations should also review controls around application allowlisting, DNS filtering, web filtering and endpoint telemetry to improve visibility into similar attacks.

Why MEA Organizations Should Pay Attention

Although researchers primarily observed victims in North America and Europe, organizations across the Middle East and Africa should not dismiss the campaign.

MEA continues experiencing rapid digital transformation, increasing cloud adoption and expanding remote workforces—all of which broaden the attack surface for financially motivated cybercriminals.

Businesses should remain vigilant against:

  • Employees downloading unauthorized software
  • Credential theft targeting cloud services
  • Cryptojacking impacting enterprise endpoints
  • Malware delivered through malicious advertisements

Awareness training remains particularly important in regions where software piracy continues to present elevated security risks.

10 Recommended Actions for Security Teams

  1. Block access to software piracy and crack websites using secure web gateways.
  2. Enforce application allowlisting to prevent unauthorized executables from running.
  3. Validate full certificate trust chains instead of relying on publisher names alone.
  4. Configure security tools to inspect oversized files rather than ignoring them.
  5. Monitor Windows Registry Run keys, Scheduled Tasks and Startup folders for persistence.
  6. Detect abnormal CPU utilization that may indicate hidden cryptocurrency mining.
  7. Deploy modern Endpoint Detection and Response (EDR) capable of behavioral analysis.
  8. Train employees about the risks associated with downloading cracked software.
  9. Hunt for indicators associated with Vidar Stealer, including suspicious browser credential access and outbound connections.
  10. Keep operating systems, browsers and endpoint security solutions fully updated while continuously reviewing threat intelligence feeds.

The Bigger Picture

The latest Vidar campaign demonstrates that cybercriminals are becoming increasingly efficient rather than dramatically more sophisticated.

Instead of relying on expensive zero-day exploits, attackers are refining proven techniques – social engineering, malware-as-a-service, credential theft and cryptojacking – while layering advanced evasion methods to frustrate defenders.

For security teams, the lesson is clear: prevention must extend beyond malware signatures to include user awareness, behavioral analytics and proactive threat hunting.

As attackers continue industrializing cybercrime through shared malware platforms like Factory-v3, organizations should expect similar campaigns to evolve even further in the months ahead.

Related Resources

For organizations looking to strengthen their cyber resilience:

  • Learn more about enterprise cybersecurity services, managed detection and response (MDR), threat hunting, and security consulting at Saintynet Cybersecurity.
  • Explore cybersecurity awareness and professional certification training through Saintynet Training.
  • Read more global cybersecurity news, threat intelligence and industry analysis on CyberCory.

Source: Palo Alto Networks Unit 42 Threat Research – Vidar Stealer & XMRig Campaign Analysis (April 2026).

Subscribe

- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories

spot_imgspot_imgspot_imgspot_img