What happened
Researchers from Palo Alto Networks Unit 42 have uncovered a financially motivated malware campaign that targets consumers and small to midsize businesses (SMBs) through malicious online advertisements. The campaign tricks victims into downloading what appear to be cracked versions of popular software but instead delivers the Vidar infostealer alongside the XMRig cryptocurrency miner.
According to Unit 42 researchers Bharath Nannaka and Pranay Kumar Chhaparwal, attackers use password-protected archives, fake software installers, and multiple evasion techniques to bypass traditional security controls. Once executed, a Go-based malware loader disables security scanning, installs Vidar to steal sensitive information, and launches XMRig to mine Monero cryptocurrency using the victim’s CPU.
The researchers also observed the use of the Factory-v3 malware framework, which generates unique malware builds to make detection more difficult. Additional evasion methods include oversized files, fake digital certificates, and persistence mechanisms that allow the malware to survive system reboots.
Who is affected
The campaign primarily targets consumers and SMBs worldwide, particularly organizations whose employees download unauthorized or pirated software. Businesses with limited security monitoring or outdated endpoint protection may be more vulnerable to the campaign’s defense-evasion techniques.
Successful infections can expose browser credentials, session cookies, saved passwords, browsing history, cryptocurrency wallets, and other sensitive information. At the same time, infected devices are used to mine cryptocurrency, increasing resource consumption and potentially affecting system performance.
Why CISOs should care
This campaign highlights how modern malware operators are combining multiple revenue streams within a single attack. Rather than relying on credential theft alone, attackers also generate ongoing income through cryptomining, maximizing the value of each compromised endpoint.
The campaign also demonstrates the continued evolution of malware-as-a-service operations. By using unique malware builds, fake code-signing certificates, AMSI bypasses, and oversized binaries, attackers can reduce the effectiveness of signature-based detection and automated sandbox analysis.
As Denis Calderone noted, many of these techniques appear specifically designed to evade the security controls commonly deployed by SMBs, making layered detection and continuous monitoring increasingly important.
3 practical actions
- Block or restrict downloads of unauthorized and cracked software through web filtering and acceptable-use policies.
- Configure endpoint security tools to inspect large files, validate code-signing certificates, and monitor for suspicious persistence techniques such as Registry Run keys and scheduled tasks.
- Review the indicators of compromise published by Unit 42 and immediately block known command-and-control infrastructure while monitoring for unusual credential theft and cryptomining activity.
The post Vidar Malware Campaign Uses Fake Software Downloads to Steal Credentials and Mine Cryptocurrency appeared first on CISO Whisperer.
*** This is a Security Bloggers Network syndicated blog from CISO Whisperer authored by John Joseph Javier. Read the original post at: https://cisowhisperer.com/vidar-malware-campaign-uses-fake-software-downloads-to-steal-credentials-and-mine-cryptocurrency/
