Unit 42 Uncovers Vidar Stealer Campaign Using Novel Evasion Techniques, Including Go-Based Loaders and DLL Sideloading

Vidar Stealer Campaign Uses Fake Code Signing, Go Loaders, and File Inflation to Evade Detection

HIGH
July 8, 2026
10m read
MalwareThreat IntelligenceThreat Actor

Related Entities

Products & Tech

Windows DefenderGoMonero

Other

Vidar XMRigJustWatch GmbHFactory-v3Lumma Stealer

Full Report

Executive Summary

A financially motivated cybercrime campaign, active since at least April 2026, is distributing the Vidar information stealer and the XMRig cryptominer. The campaign, analyzed by Unit 42, targets consumers and small- to medium-sized businesses (SMBs), with a primary focus on victims in the United States and the European Union. The threat actors employ a sophisticated, multi-stage attack chain featuring a combination of novel and established evasion techniques. These include the use of a Go-based loader framework called Factory-v3, abuse of Authenticode signing with fabricated certificates, DLL Sideloading, massive file inflation to bypass sandboxes, and an in-memory Antimalware Scan Interface (AMSI) bypass. This combination of tactics demonstrates the operator's commitment to evading both automated and manual security analysis.


Threat Overview

In April 2026, researchers observed a significant spike in activity associated with a campaign delivering Vidar stealer, a well-known malware family designed to steal sensitive information such as browser credentials, cookies, and cryptocurrency wallets. Alongside Vidar, the attackers deploy XMRig to covertly use victim system resources for mining Monero cryptocurrency. The campaign's operator is assessed to be an affiliate of a Malware-as-a-Service (MaaS) platform, leveraging the Factory-v3 loader builder.

The initial attack vector is malvertising, where victims searching for pirated or cracked versions of copyrighted software are redirected to malicious download pages. The malware is packaged in password-protected archives with .bin extensions, a tactic designed to evade email gateway scanners and require manual interaction for execution. Upon running the initial loader, both the Vidar stealer and XMRig miner are dropped and executed on the victim's machine.

Technical Analysis

The campaign's technical sophistication lies in its layered evasion and delivery mechanisms.

Loader Framework: Factory-v3

Analysis of 43 loader samples revealed the use of the Factory-v3 framework, a MaaS builder known for distributing various stealer malware families. All samples contained embedded Go build metadata, including a developer path (C:\Users\Administrator\Desktop\UpdateFactory\compiler\1.25.9\go\src\runtime\cgo) that exposes the builder's internal name, UpdateFactory. This framework generates a unique binary for each build, effectively defeating simple hash-based detection methods.

Evasion Technique 1: Code Signing Abuse

T1553.002 - Code Signing The loaders are signed with a fabricated Authenticode certificate impersonating JustWatch GmbH, a legitimate German company. The attackers created a self-signed root Certificate Authority (CA) to issue this certificate. While this signature is not trusted by Microsoft Windows and will trigger a security warning, the presence of a recognizable brand name in the signature dialog may be enough to trick unsuspecting users into trusting and executing the file.

Evasion Technique 2: DLL Sideloading

T1574.002 - DLL Side-Loading A subset of the loader samples are DLLs that export functions from the legitimate Windows Defender file MpClient.dll. By naming the malicious file MpClient.dll and placing it in a directory that is searched before the legitimate system directory, the attackers can hijack the execution flow. When a legitimate Windows Defender process attempts to load its library, it loads the malicious version instead, which then executes the malware's main logic.

Evasion Technique 3: File Inflation

T1497.001 - System Checks To evade automated analysis in sandboxes, which often have file size limits (typically 50-100 MB), the attackers append hundreds of megabytes of null bytes to the loader binaries. One sample was inflated to 491 MB, while the actual malicious payload was only 2.3 MB. This simple trick causes many security tools to skip analysis of the file altogether.

Evasion Technique 4: AMSI Bypass

T1562.001 - Impair Defenses: Disable or Modify Tools The core Vidar payload (7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d) contains an in-memory AMSI bypass. Before executing its primary stealing functions, the malware loads amsi.dll, finds the AmsiScanBuffer function, and overwrites its initial bytes with a patch that forces it to immediately return an error (E_INVALIDARG). This effectively disables AMSI for the current process, allowing subsequent malicious scripts and code to run without being scanned. The strings amsi.dll and AmsiScanBuffer are XOR-obfuscated to evade static detection.

Impact Assessment

The primary impact on victims is financial. The theft of browser credentials, session cookies, and cryptocurrency wallet data can lead to unauthorized access to bank accounts, social media, email, and crypto funds. The deployment of the XMRig miner results in increased electricity consumption, degraded system performance, and potential hardware damage from sustained high utilization. For small businesses, a compromise could lead to a more significant data breach, operational disruption, and reputational harm.

IOCs — Directly from Articles

Type
file_hash_sha256
Value
7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d
Description
Vidar core payload sample.
Type
certificate_subject
Value
CN=justwatch[.]com
Description
Subject of the fabricated Authenticode certificate used to sign the loaders.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns which could indicate related activity:

Type
file_path
Value
C:\Users\Administrator\Desktop\UpdateFactory\*
Description
PDB path artifacts associated with the Factory-v3 builder.
Type
file_name
Value
MpClient.dll
Description
Look for this file in non-standard locations (e.g., user download folders) or with suspicious properties (unsigned, unusual size/hash).
Type
process_name
Value
MsMpEng.exe
Description
Monitor for this process loading a MpClient.dll from an application directory instead of the system directory.
Type
network_traffic_pattern
Value
stratum+tcp://*
Description
Network connections to Monero mining pools, characteristic of XMRig.
Type
file_properties
Value
Authenticode signature with untrusted root CA
Description
Binaries signed with certificates that do not chain up to a trusted root, especially those impersonating known brands.

Detection & Response

  1. Endpoint Detection: Deploy EDR solutions capable of detecting in-memory threats. Monitor for processes that load amsi.dll and subsequently write to its memory space. Create rules to detect the specific patch bytes used to bypass AmsiScanBuffer.
  2. DLL Sideloading Detection: Monitor for legitimate, signed processes (like those from Windows Defender) loading unsigned or suspiciously located DLLs. Use Sysmon event ID 7 (Image Loaded) to track DLL loads and correlate them with process creation events.
  3. File Analysis: Ensure security sandboxes and scanners are configured to handle large files or, preferably, to strip null-byte padding before applying size limits. A 491 MB file that compresses to 2.4 MB is highly suspicious.
  4. Network Monitoring: Monitor and block outbound traffic to known cryptocurrency mining pools. The presence of Stratum protocol traffic is a strong indicator of an unauthorized miner.
  5. Code Signing Policy: Implement application control policies (e.g., AppLocker, WDAC) that enforce strict code signing validation, preventing the execution of binaries signed by untrusted CAs.

Mitigation

  • User Education: Train users to recognize the risks of downloading and executing files from untrusted sources, particularly pirated software, and to be wary of security warnings, even if a familiar brand name is present.
  • Application Control: Implement application whitelisting or strict execution policies to prevent unauthorized applications from running. This is a highly effective defense against malware delivered via user-executed files.
  • Email and Web Filtering: Block password-protected archives at the email gateway. Use web filtering to block access to known malvertising networks and high-risk site categories.
  • Endpoint Hardening: Ensure EDR and antivirus solutions are active and configured for behavioral detection. Keep all software, especially security products and operating systems, up to date.
  • Least Privilege: Enforce the principle of least privilege for user accounts to limit the potential impact of a compromise.

Timeline of Events

1
April 1, 2026
Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and XMRig miner, with a notable spike in activity from mid-late April 2026.
2
July 8, 2026
This article was published

MITRE ATT&CK Mitigations

Use application control solutions to restrict the execution of unauthorized binaries, which would prevent the initial loader from running.

Educate users about the dangers of downloading and running software from untrusted sources, such as pirated software sites.

Enforce policies that only allow execution of binaries signed by a trusted and valid Certificate Authority, which would block the self-signed malware.

Utilize EDR tools to monitor for suspicious behaviors like DLL sideloading and in-memory patching of critical security functions like AMSI.

Keep AV/AM signatures up-to-date to detect known components like Vidar and XMRig.

Use web filtering to block access to malvertising networks and websites hosting illegal/cracked software.

Timeline of Events

1
April 1, 2026

Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and XMRig miner, with a notable spike in activity from mid-late April 2026.

Sources & References

Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation
Unit 42 (unit42.paloaltonetworks.com) July 7, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

VidarXMRigMalvertisingDLL SideloadingAMSI BypassGoFactory-v3Code Signing AbuseFile InflationInformation StealerCryptominer

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.