Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation

Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation
In April 2026, Unit 42 uncovered a malvertising-driven campaign that used fake cracked software downloads to deliver Vidar stealer and the XMRig miner to victims in the U.S., EU, and beyond. The campaign relied on Factory-v3 loaders, rogue code-signing certificates, AMSI bypasses, and persistence mechanisms to steal data, mine Monero, and notify operators through Telegram. #Vidar #XMRig #Factory-v3 #JustWatch #BleacherReport #Unit42

Keypoints

  • Unit 42 identified a financially motivated April 2026 campaign distributing Vidar stealer and XMRig through malvertising and fake cracked software downloads.
  • The campaign primarily targeted consumer and small-to-medium business victims, with notable activity in the U.S. and European Union.
  • Attackers used password-protected .bin archives and oversized, null-byte-padded loader binaries to evade scanning and sandbox analysis.
  • The loaders were built with the Factory-v3 framework, produced unique binaries per build, and used anti-forensic measures such as zeroed timestamps and obfuscated type names.
  • All loader samples carried rogue Authenticode signatures impersonating JustWatch, and a later variant switched to a fake certificate resembling BleacherReport.
  • The malware established persistence through registry Run keys, scheduled tasks, and startup folder scripts, all pointing to NisSrv.exe.
  • Vidar stole credentials, cookies, and crypto wallet data, while XMRig mined Monero and reported victim activity through Telegram and C2 infrastructure.

MITRE Techniques

  • [T1574.002 ] DLL Side-Loading – Fake MpClient.dll variants exported Defender-like functions so a legitimate binary would load the malicious DLL first (‘malicious copy first if it is placed in a higher-priority search path’).
  • [T1036 ] Masquerading – The malware used filenames and signatures that mimicked legitimate software and vendors, including MicrosoftUpdate.exe, MicrosoftEdgeUpdate.exe, NisSrv.exe, and fake JustWatch/BleacherReport certificates (‘mimic cracked versions’, ‘blend in with legitimate Windows Defender components’).
  • [T1562.001 ] Disable or Modify Tools – The payload patched AmsiScanBuffer to force E_INVALIDARG and reduce detection by security tools (‘overwrites its first six bytes with a patch’, ‘might disable Windows AMSI’).
  • [T1055 ] Process Injection – Not directly described as classic injection into another process, but the in-memory patching of AMSI within loaded amsi.dll altered security behavior inside the process context (‘loads amsi.dll, resolves the AmsiScanBuffer variable’).
  • [T1112 ] Modify Registry – Persistence was established with an HKCU Run key pointing to NisSrv.exe (‘HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – The malware created an on-logon scheduled task for persistence (‘schtasks /create … /sc onlogon’).
  • [T1547.001 ] Registry Run Keys / Startup Folder – Persistence also used a Startup folder batch script (‘C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUpFEbJCNWOCKMJ.bat’).
  • [T1082 ] System Information Discovery – The malware collected hardware IDs, volume serial-related identifiers, and geolocation information (‘gathers information about files, hardware IDs (HWID)’; ‘GET request to ip-api[.]com/json’).
  • [T1049 ] System Network Connections Discovery – The campaign enumerated processes and bypassed proxies as part of environment awareness (‘anti-analysis techniques such as process enumeration’).
  • [T1027 ] Obfuscated Files or Information – Strings, blobs, and data were XOR-obfuscated to evade static analysis (‘XOR-obfuscated with single-byte key 0x05′, ’32-byte rotating XOR’).
  • [T1105 ] Ingress Tool Transfer – The initial loader delivered and dropped additional payloads including Vidar and XMRig after execution (‘drops and runs both Vidar stealer and XMRig’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The malware used HTTP requests for geolocation and network communication to remote servers (‘GET request to ip-api[.]com/json’, ‘communicating with a command-and-control (C2) server’).
  • [T1041 ] Exfiltration Over C2 Channel – Vidar packaged stolen data into a ZIP and exfiltrated it to the C2 server (‘packaging everything into a ZIP for exfiltration to 136.243.203[.]109:443’).
  • [T1496 ] Resource Hijacking – XMRig mined Monero using victim CPU resources (‘XMRig mines Monero cryptocurrency’, ‘passive income from hijacked victim CPU cycles’).
  • [T1090 ] Proxy – The malware bypassed proxies during reconnaissance (‘bypasses proxies’).

Indicators of Compromise

  • [IP addresses ] Vidar C2 servers and related infrastructure – 136.243.203[.]109, 138.199.246[.]13, and 2 more IPs
  • [Domain names ] Mining pool and telemetry-related services – pool.supportxmr[.]com, ip-api[.]com, and Telegram channel ci0iiif
  • [File names ] Dropped payloads and persistence files – MicrosoftUpdate.exe, MicrosoftEdgeUpdate.exe, and other 5 files such as NisSrv.exe and mgwthmc2.dat
  • [Registry keys ] Persistence via Run key – HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun with value SystemAgentService
  • [Scheduled task ] On-logon persistence task – SystemAgentService created with /sc onlogon
  • [File paths ] Payload and persistence locations – %TEMP%MicrosoftUpdate.exe, %AppData%RoamingMicrosoftWindowsTempNisSrv.exe, and %StartUp%FEbJCNWOCKMJ.bat
  • [Certificate metadata ] Rogue code-signing impersonation artifacts – Subject CN=justwatch[.]com, SHA1 ab92f731ab20774dfdb95664ee41a2fbafe2a284, and serial 2f:7e:f0:15:7d:17:62:5c:09:86:91:ce:f1:ff:7d:63
  • [File hashes ] Malware sample hashes associated with loader clusters and Vidar core – 7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d, d42595b695fc008ef2c56aabd8efd68e, and other 2 more hashes


Read more: https://unit42.paloaltonetworks.com/vidar-stealer-xmrig-miner-campaign-analysis/