In April 2026, Unit 42 uncovered a malvertising-driven campaign that used fake cracked software downloads to deliver Vidar stealer and the XMRig miner to victims in the U.S., EU, and beyond. The campaign relied on Factory-v3 loaders, rogue code-signing certificates, AMSI bypasses, and persistence mechanisms to steal data, mine Monero, and notify operators through Telegram. #Vidar #XMRig #Factory-v3 #JustWatch #BleacherReport #Unit42
Keypoints
- Unit 42 identified a financially motivated April 2026 campaign distributing Vidar stealer and XMRig through malvertising and fake cracked software downloads.
- The campaign primarily targeted consumer and small-to-medium business victims, with notable activity in the U.S. and European Union.
- Attackers used password-protected .bin archives and oversized, null-byte-padded loader binaries to evade scanning and sandbox analysis.
- The loaders were built with the Factory-v3 framework, produced unique binaries per build, and used anti-forensic measures such as zeroed timestamps and obfuscated type names.
- All loader samples carried rogue Authenticode signatures impersonating JustWatch, and a later variant switched to a fake certificate resembling BleacherReport.
- The malware established persistence through registry Run keys, scheduled tasks, and startup folder scripts, all pointing to NisSrv.exe.
- Vidar stole credentials, cookies, and crypto wallet data, while XMRig mined Monero and reported victim activity through Telegram and C2 infrastructure.
MITRE Techniques
- [T1574.002 ] DLL Side-Loading â Fake MpClient.dll variants exported Defender-like functions so a legitimate binary would load the malicious DLL first (âmalicious copy first if it is placed in a higher-priority search pathâ).
- [T1036 ] Masquerading â The malware used filenames and signatures that mimicked legitimate software and vendors, including MicrosoftUpdate.exe, MicrosoftEdgeUpdate.exe, NisSrv.exe, and fake JustWatch/BleacherReport certificates (âmimic cracked versionsâ, âblend in with legitimate Windows Defender componentsâ).
- [T1562.001 ] Disable or Modify Tools â The payload patched AmsiScanBuffer to force E_INVALIDARG and reduce detection by security tools (âoverwrites its first six bytes with a patchâ, âmight disable Windows AMSIâ).
- [T1055 ] Process Injection â Not directly described as classic injection into another process, but the in-memory patching of AMSI within loaded amsi.dll altered security behavior inside the process context (âloads amsi.dll, resolves the AmsiScanBuffer variableâ).
- [T1112 ] Modify Registry â Persistence was established with an HKCU Run key pointing to NisSrv.exe (âHKCUSOFTWAREMicrosoftWindowsCurrentVersionRunâ).
- [T1053.005 ] Scheduled Task/Job: Scheduled Task â The malware created an on-logon scheduled task for persistence (âschtasks /create ⌠/sc onlogonâ).
- [T1547.001 ] Registry Run Keys / Startup Folder â Persistence also used a Startup folder batch script (âC:ProgramDataMicrosoftWindowsStart MenuProgramsStartUpFEbJCNWOCKMJ.batâ).
- [T1082 ] System Information Discovery â The malware collected hardware IDs, volume serial-related identifiers, and geolocation information (âgathers information about files, hardware IDs (HWID)â; âGET request to ip-api[.]com/jsonâ).
- [T1049 ] System Network Connections Discovery â The campaign enumerated processes and bypassed proxies as part of environment awareness (âanti-analysis techniques such as process enumerationâ).
- [T1027 ] Obfuscated Files or Information â Strings, blobs, and data were XOR-obfuscated to evade static analysis (âXOR-obfuscated with single-byte key 0x05â˛, â32-byte rotating XORâ).
- [T1105 ] Ingress Tool Transfer â The initial loader delivered and dropped additional payloads including Vidar and XMRig after execution (âdrops and runs both Vidar stealer and XMRigâ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â The malware used HTTP requests for geolocation and network communication to remote servers (âGET request to ip-api[.]com/jsonâ, âcommunicating with a command-and-control (C2) serverâ).
- [T1041 ] Exfiltration Over C2 Channel â Vidar packaged stolen data into a ZIP and exfiltrated it to the C2 server (âpackaging everything into a ZIP for exfiltration to 136.243.203[.]109:443â).
- [T1496 ] Resource Hijacking â XMRig mined Monero using victim CPU resources (âXMRig mines Monero cryptocurrencyâ, âpassive income from hijacked victim CPU cyclesâ).
- [T1090 ] Proxy â The malware bypassed proxies during reconnaissance (âbypasses proxiesâ).
Indicators of Compromise
- [IP addresses ] Vidar C2 servers and related infrastructure â 136.243.203[.]109, 138.199.246[.]13, and 2 more IPs
- [Domain names ] Mining pool and telemetry-related services â pool.supportxmr[.]com, ip-api[.]com, and Telegram channel ci0iiif
- [File names ] Dropped payloads and persistence files â MicrosoftUpdate.exe, MicrosoftEdgeUpdate.exe, and other 5 files such as NisSrv.exe and mgwthmc2.dat
- [Registry keys ] Persistence via Run key â HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun with value SystemAgentService
- [Scheduled task ] On-logon persistence task â SystemAgentService created with /sc onlogon
- [File paths ] Payload and persistence locations â %TEMP%MicrosoftUpdate.exe, %AppData%RoamingMicrosoftWindowsTempNisSrv.exe, and %StartUp%FEbJCNWOCKMJ.bat
- [Certificate metadata ] Rogue code-signing impersonation artifacts â Subject CN=justwatch[.]com, SHA1 ab92f731ab20774dfdb95664ee41a2fbafe2a284, and serial 2f:7e:f0:15:7d:17:62:5c:09:86:91:ce:f1:ff:7d:63
- [File hashes ] Malware sample hashes associated with loader clusters and Vidar core â 7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d, d42595b695fc008ef2c56aabd8efd68e, and other 2 more hashes
Read more: https://unit42.paloaltonetworks.com/vidar-stealer-xmrig-miner-campaign-analysis/