In a clandestine operation that underscores the evolving sophistication of cybercrime, Unit 42 researchers at Palo Alto Networks have unmasked a financially motivated campaign delivering the Vidar stealer alongside the XMRig cryptocurrency miner. This deleterious campaign, identified in April 2026 and detailed in a report published on July 7, 2026, primarily targets consumers and small-to-medium businesses across the United States and the European Union. The Anatomy of the Attack: Malvertising and Fake Software The threat actors initiate their intrusion via malvertising, luring victims to fraudulent domains that impersonate legitimate software repositories. These pages offer pirated or "cracked" versions of copyrighted applications. Upon execution, the payload initiates a dual-threat sequence: the Vidar stealer commences the exfiltration of sensitive information—including browser credentials, session cookies, and cryptocurrency wallet keys—while XMRig silently hijacks the host's computational resources to mine Monero. Code Signing Abuse and Rogue Certificates Perhaps the most subterfuge-laden aspect of this campaign is the abuse of Authenticode code signing. The loader binaries are signed with a fabricated certificate impersonating JustWatch GmbH, a legitimate German streaming guide service. While the certificate is self-signed and not chained to a Microsoft-trusted root—meaning Windows SmartScreen will ultimately flag it—the visual presence of a recognizable corporate name in the signature dialog is a psychological ruse sufficient to deceive many inattentive users into proceeding with the execution. File Inflation: Evading the Sandbox To circumvent automated analysis, the operators employ a technique known as file-size inflation. The loader appends hundreds of megabytes of null bytes after the final PE section, artificially inflating the file size to as much as 491 MB. Since most automated sandbox environments enforce an upper file-size limit of 50 to 100 MB, they silently skip these oversized submissions, allowing the covert malware to evade detonation. The actual malicious payload is a mere 2.3 MB, compressing to approximately 2.4 MB, highlighting the obfuscation tactics used to blind defenders. The Factory-v3 Framework Embedded Go build metadata reveals that the loaders are constructed using the Factory-v3 (internally named UpdateFactory) framework, a Malware-as-a-Service (MaaS) builder. This framework generates unique binaries with per-build hashes and employs rigorous anti-forensic measures, such as zeroing the PE TimeDateStamp, omitting PE version info, and restricting DLL imports solely to kernel32.dll. The proliferation of such MaaS frameworks drastically lowers the barrier to entry for aspiring cybercriminals, enabling the rapid scaling of these ubiquitous threats.
Strategic mitigation for Defenders
- Security tooling must be configured to strip null byte padding before applying file-size limits to ensure sandbox detonation.
- Organizations should enforce strict application whitelisting and educate users on the perils of downloading cracked software.
- Network defenders must monitor for anomalous outbound traffic indicative of credential exfiltration and unauthorized cryptocurrency mining.
As no official social media post from the Unit 42 or Palo Alto Networks accounts was immediately available for this specific publication, we suggest referring to the official Unit 42 press release and technical analysis for the primary source data and indicators of compromise.