Skip to main content
Emerging ThreatsMalware & Ransomware

Vidar Stealer Campaign Exposes Code Signing Abuse and Evasion Tactics

Cracked software package on laptop screen with archive being extracted in background.

"We initially discovered 43 of these loader binaries that deliver Vidar stealer and XMRig."

Malvertising, password‑protected .bin archives, and the Factory‑v3 Go loader

Unit 42 traced a financially motivated April 2026 campaign that lured victims through malvertising to download what appeared to be cracked versions of copyrighted software. The infection chain began with password‑protected .bin archives — a deliberate choice, the researchers note, to bypass email gateway scanning and to prevent automated sandbox detonation without the password. Extracting and running those archives produced loader binaries compiled with a Go-based builder the report identifies as Factory‑v3 (internal name UpdateFactor), which generated per‑build unique binaries using a custom Go toolchain (Go version 1.25.9).

Code‑signing impersonation, file inflation, and other anti‑forensic measures

The 43 initial loaders carried Authenticode signatures fabricated to impersonate JustWatch GmbH. The certificate was entirely fabricated, chained to a self‑signed root CA not present in public trust stores; Unit 42 observed the certificate subject CN as justwatch[.]com and the issuer CN as WR3 (serial number 2f:7e:f0:15:7d:17:62:5c:09:86:91:ce:f1:ff:7d:63), valid 2026‑03‑09 to 2026‑06‑07.

Attackers layered additional evasion: the Factory‑v3 builder produced a unique binary per build (Unit 42 observed 27 unique build UUIDs across 43 samples), zeroed PE TimeDateStamp, removed version info, reduced DLL imports to kernel32.dll only, and obfuscated user‑defined type names. Loaders in two clusters appended hundreds of megabytes of null bytes after the PE sections, inflating files to as large as 491 MB; the real malicious content in the largest sample was 2.3 MB and compressed to roughly 2.4 MB, exploiting sandbox size limits.

The actor adapted quickly: a subsequent variant identified on April 24, 2026 retained the same builder and infrastructure but switched to an unauthorized certificate designed to resemble BleacherReport[.]com, an example Unit 42 labels "Code Signing Impersonation."

What the malware does on victim systems: Vidar, XMRig, AMSI bypass and persistence

The loader drops and runs multiple components. Static analysis of a Vidar core payload (SHA256 7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d) revealed an in‑memory AMSI bypass that patches AmsiScanBuffer to return E_INVALIDARG, potentially disabling Windows AMSI for subsequent script and code execution. Larger data blobs are protected by a 32‑byte rotating XOR used to store Telegram bot tokens, Monero wallet addresses and mining pool hostnames.

Dynamic execution showed this sequence: a geolocation beacon to ip‑api[.]com/json; MicrosoftUpdate.exe (Vidar) dropped to %TEMP%; MicrosoftEdgeUpdate.exe (XMRig launcher), libuv‑1.dll, WinRing0x64.sys and mgwthmc2.dat written to %AppData%\\Roaming\\Microsoft\\Windows\\Temp; and a persistence copy named NisSrv.exe. Vidar packages browser credentials, cookies and crypto wallet data into a ZIP and exfiltrates to 136.243.203[.]109:443. XMRig begins mining Monero via pool.supportxmr[.]com; the miner’s config is built in memory, decrypted at runtime, and the victim’s C: volume serial number is hashed into an 8‑character HWID appended to the auth_token so the operator can track per‑victim mining output.

Persistence is established through three parallel mechanisms pointing to NisSrv.exe: a Run key (HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run value name SystemAgentService), a scheduled task named SystemAgentService set to run on logon, and a Startup folder batch script (FEbJCNWOCKMJ.bat). Unit 42 notes the filename choice blends with legitimate Windows Defender components.

Indicators, infrastructure and defender actions

  • Observed C2 IPs: 116.203.243[.]208; 136.243.203[.]109; 136.243.203[.]111; 138.199.246[.]13.
  • Mining pool: pool.supportxmr[.]com.
  • Telegram indicators: operator notifications labeled "X3D MINER • NEW LOG" and a variant cluster contacting channel ci0iiif.
  • Files and paths dropped by the campaign: %TEMP%\\MicrosoftUpdate.exe (Vidar), %AppData%\\Roaming\\Microsoft\\Windows\\Temp\\MicrosoftEdgeUpdate.exe (XMRig launcher), libuv‑1.dll, WinRing0x64.sys, mgwthmc2.dat, and %AppData%\\Roaming\\Microsoft\\Windows\\Temp\\NisSrv.exe (persistence copy); Startup script %StartUp%\\FEbJCNWOCKMJ.bat.

Unit 42’s immediate recommendations: enforce strong Authenticode chain validation and certificate serial blocklisting; configure security tooling to scan files regardless of size and remove null‑byte padding before applying limits; monitor for MpClient.dll loading from non‑standard paths; hunt for the specific persistence artifacts and file‑drop patterns; and block outbound connections to the listed C2 addresses and pool.supportxmr[.]com immediately. Palo Alto Networks lists specific protections for its customers — Cortex XDR, XSIAM, Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Prisma Browser — and says it has updated ML models and protections based on these indicators.

What this means for technologists, procurement leaders, and end users

Technologists and security teams should prioritize chain validation, file‑size handling, and hunting for the Run key, scheduled task and Startup script strings Unit 42 enumerated. Procurement and IT leaders should insist vendors and endpoint teams validate code‑signing and apply certificate blocklisting where feasible. End users should avoid downloading cracked software and be wary when an Authenticode dialog shows a familiar brand name — Unit 42 cautions that visual brand cues may deceive victims even when the signature is not chained to a trusted root.

Unit 42 has shared these findings with Cyber Threat Alliance members and offers incident response assistance; organizations that suspect compromise are encouraged to contact the Unit 42 Incident Response team. For full technical detail and the complete list of indicators, see the original Unit 42 report: https://unit42.paloaltonetworks.com/vidar-stealer-xmrig-miner-campaign-analysis/