Cybercriminals are running a dual-monetization scheme that simultaneously steals sensitive data and mines cryptocurrency on victim computers, according to research published July 7 by Unit 42, the threat intelligence division of Palo Alto Networks. The campaign, first detected in April 2026, targets consumers and small to medium businesses globally through malicious advertisements promoting fake cracked software downloads.
Victims are lured to download files impersonating legitimate services, including JustWatch GmbH, a German streaming guide platform, and pages mimicking BleacherReport certificates. The researchers emphasized that JustWatch itself has not been compromised. The malicious files arrive as password-protected archives with .bin extensions, a deliberate tactic to bypass email security gateways and prevent automated sandbox analysis systems from detonating the payload without the password.
Once executed, the loader employs multiple anti-analysis techniques including process enumeration and an AMSI (Antimalware Scan Interface) bypass that patches the AmsiScanBuffer function to evade certain security software. The payload then deploys two distinct malware components: Vidar infostealer and XMRig cryptocurrency miner. Vidar extracts browser credentials, cookies, and cryptocurrency wallet data from infected systems, while XMRig hijacks the victim's CPU to mine Monero, a privacy-focused cryptocurrency, by solving mathematical problems that verify blockchain transactions.
Unit 42 identified 99 samples of the loader, all showing evidence of construction using Factory-v3, a known malware-as-a-service framework used by multiple infostealer affiliates. The attackers monetize stolen credentials and session cookies through criminal log markets while generating passive income from the mining operations. Analysis revealed the threat actors use Telegram for command-and-control communications, with operator notifications tagged 'X3D MINER' sent for each new infection, a pattern previously linked to known threat groups distributing XMRig.
Organizations should block access to software piracy sites, implement endpoint detection solutions capable of identifying cryptocurrency mining activity, and monitor for unusual CPU usage patterns. Security teams should also ensure AMSI protections are enabled and regularly updated, while educating users about the risks of downloading cracked software from untrusted sources.
Source: https://www.infosecurity-magazine.com/news/new-campaign-vidar-stealer-monero/


