Skip to main content
Emerging ThreatsMalware & Ransomware

Cyberattackers Deploy Vidar Infostealer in Global Monero Mining Campaign

Ordinary office workspace with computers and monitors on desks, hinting at a global cyberattack.

“The operator behind this campaign runs a dual-monetization scheme. Criminals sell credentials and session cookies stolen by Vidar stealer on criminal log markets, while XMRig provides passive income from hijacked victim CPU cycles,” Unit 42 researchers said.

Unit 42 discovery and timeline

Palo Alto Networks’ Unit 42 first detected the campaign in April 2026 and published detailed findings on July 7. The researchers attribute the activity to an operation that targets consumers and small and medium businesses worldwide, combining credential theft with on‑device cryptocurrency mining.

Delivery vector: malvertising and spoofed download pages

According to Unit 42, attackers lure victims through malvertising that directs users to pages offering downloads that impersonate cracked versions of copyright‑protected software. The campaign included pages that purport to distribute software tied to JustWatch GmbH and a page resembling a BleacherReport[.]com certificate. Unit 42 explicitly noted that JustWatch itself has not been compromised.

Files presented for download are packaged inside password‑protected archives and include a .bin extension in the filename. Unit 42 describes the .bin extension and password protection as a deliberate choice to evade email gateway scanning and to prevent automated sandbox detonation when no password is supplied.

Loader behavior: AMSI bypass, process enumeration, and dual payloads

The download loader uses anti‑analysis techniques such as process enumeration and an AMSI bypass in which the AmsiScanBuffer function is patched to prevent detection by some types of security software. Once executed, the loader drops and runs two distinct payloads: the Vidar infostealer and the XMRig cryptocurrency miner.

Vidar is used to siphon sensitive information from the victim environment, including browser credentials, cookies and crypto wallets. XMRig mines Monero, using the victim computer’s processor to perform the mathematical work required “to verify network transactions and secure the blockchain,” an activity rewarded with freshly minted Monero coins, Unit 42 reported.

Tooling and infrastructure: Factory‑v3 framework and Telegram C2 with ‘X3D MINER’ tag

Unit 42 identified 99 samples of the loader and found consistent indicators that the attackers used the Factory‑v3 framework, a malware‑as‑a‑service (MaaS) builder. The researchers assessed Factory‑v3 to be an upstream service used by at least two distinct known infostealer affiliates, indicating the builder supplies multiple criminal operators.

The campaign’s command‑and‑control relied on Telegram. Unit 42 observed the tag ‘X3D MINER’ in Telegram operator notifications sent for every new infection. That behavior has been associated with a known threat group that has previously been seen delivering XMRig and binding XMRig with other programs.

What this means for consumers, small and medium businesses, and security teams

  • Consumers and small and medium businesses: The campaign targets these groups directly via spoofed download pages and malvertising. Compromised systems may lose saved credentials and session cookies while also suffering degraded performance as XMRig consumes CPU cycles to mine Monero.
  • Security teams and technologists: The combination of password‑protected .bin archives, AMSI patching, and process enumeration complicates detection and automatic analysis. Teams will need to account for nonstandard archive extensions and consider sandboxing workflows that supply passwords or otherwise validate downloads originating from advertising redirects and cracked‑software pages.
  • Criminal operators and buyers of stolen data: The campaign embodies a dual revenue model — immediate sales of credentials and longer‑term passive income from cryptomining. Unit 42’s finding that Factory‑v3 is used by multiple affiliates suggests operators can rent or reuse reliable infrastructure to scale both theft and mining operations.

Unit 42’s analysis ties specific delivery and evasive techniques to a clear commercial objective: sell stolen credentials and mine Monero using hijacked compute. The investigators documented 99 loader samples, a Factory‑v3 linkage, and Telegram‑based notifications tagged ‘X3D MINER,’ framing a compact but effective criminal pipeline. One open question the facts leave: will the Factory‑v3 affiliates expand this dual‑monetization model into new lures or larger victim pools as the campaign continues?

Read the original Unit 42 report on Infosecurity Magazine