A financially motivated cybercrime campaign, active since at least April 2026, is distributing the Vidar information stealer and the XMRig cryptominer. The campaign, analyzed by Unit 42, targets consumers and small- to medium-sized businesses (SMBs), with a primary focus on victims in the United States and the European Union. The threat actors employ a sophisticated, multi-stage attack chain featuring a combination of novel and established evasion techniques. These include the use of a Go-based loader framework called Factory-v3, abuse of Authenticode signing with fabricated certificates, DLL Sideloading, massive file inflation to bypass sandboxes, and an in-memory Antimalware Scan Interface (AMSI) bypass. This combination of tactics demonstrates the operator's commitment to evading both automated and manual security analysis.
In April 2026, researchers observed a significant spike in activity associated with a campaign delivering Vidar stealer, a well-known malware family designed to steal sensitive information such as browser credentials, cookies, and cryptocurrency wallets. Alongside Vidar, the attackers deploy XMRig to covertly use victim system resources for mining Monero cryptocurrency. The campaign's operator is assessed to be an affiliate of a Malware-as-a-Service (MaaS) platform, leveraging the Factory-v3 loader builder.
The initial attack vector is malvertising, where victims searching for pirated or cracked versions of copyrighted software are redirected to malicious download pages. The malware is packaged in password-protected archives with .bin extensions, a tactic designed to evade email gateway scanners and require manual interaction for execution. Upon running the initial loader, both the Vidar stealer and XMRig miner are dropped and executed on the victim's machine.
The campaign's technical sophistication lies in its layered evasion and delivery mechanisms.
Analysis of 43 loader samples revealed the use of the Factory-v3 framework, a MaaS builder known for distributing various stealer malware families. All samples contained embedded Go build metadata, including a developer path (C:\Users\Administrator\Desktop\UpdateFactory\compiler\1.25.9\go\src\runtime\cgo) that exposes the builder's internal name, UpdateFactory. This framework generates a unique binary for each build, effectively defeating simple hash-based detection methods.
T1553.002 - Code Signing
The loaders are signed with a fabricated Authenticode certificate impersonating JustWatch GmbH, a legitimate German company. The attackers created a self-signed root Certificate Authority (CA) to issue this certificate. While this signature is not trusted by Microsoft Windows and will trigger a security warning, the presence of a recognizable brand name in the signature dialog may be enough to trick unsuspecting users into trusting and executing the file.
T1574.002 - DLL Side-Loading
A subset of the loader samples are DLLs that export functions from the legitimate Windows Defender file MpClient.dll. By naming the malicious file MpClient.dll and placing it in a directory that is searched before the legitimate system directory, the attackers can hijack the execution flow. When a legitimate Windows Defender process attempts to load its library, it loads the malicious version instead, which then executes the malware's main logic.
T1497.001 - System Checks
To evade automated analysis in sandboxes, which often have file size limits (typically 50-100 MB), the attackers append hundreds of megabytes of null bytes to the loader binaries. One sample was inflated to 491 MB, while the actual malicious payload was only 2.3 MB. This simple trick causes many security tools to skip analysis of the file altogether.
T1562.001 - Impair Defenses: Disable or Modify Tools
The core Vidar payload (7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87d) contains an in-memory AMSI bypass. Before executing its primary stealing functions, the malware loads amsi.dll, finds the AmsiScanBuffer function, and overwrites its initial bytes with a patch that forces it to immediately return an error (E_INVALIDARG). This effectively disables AMSI for the current process, allowing subsequent malicious scripts and code to run without being scanned. The strings amsi.dll and AmsiScanBuffer are XOR-obfuscated to evade static detection.
The primary impact on victims is financial. The theft of browser credentials, session cookies, and cryptocurrency wallet data can lead to unauthorized access to bank accounts, social media, email, and crypto funds. The deployment of the XMRig miner results in increased electricity consumption, degraded system performance, and potential hardware damage from sustained high utilization. For small businesses, a compromise could lead to a more significant data breach, operational disruption, and reputational harm.
7ed4a256e1d281cb4f194d13ff554fb280dafde0a67a18115ea038ea6c87dCN=justwatch[.]comSecurity teams may want to hunt for the following patterns which could indicate related activity:
C:\Users\Administrator\Desktop\UpdateFactory\*MpClient.dllMsMpEng.exeMpClient.dll from an application directory instead of the system directory.stratum+tcp://*amsi.dll and subsequently write to its memory space. Create rules to detect the specific patch bytes used to bypass AmsiScanBuffer.Use application control solutions to restrict the execution of unauthorized binaries, which would prevent the initial loader from running.
Educate users about the dangers of downloading and running software from untrusted sources, such as pirated software sites.
Enforce policies that only allow execution of binaries signed by a trusted and valid Certificate Authority, which would block the self-signed malware.
Utilize EDR tools to monitor for suspicious behaviors like DLL sideloading and in-memory patching of critical security functions like AMSI.
Keep AV/AM signatures up-to-date to detect known components like Vidar and XMRig.
Use web filtering to block access to malvertising networks and websites hosting illegal/cracked software.
Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and XMRig miner, with a notable spike in activity from mid-late April 2026.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.