Unit 42 has published new research on a financially motivated campaign delivering Vidar stealer alongside the XMRig cryptocurrency miner. The campaign is not exotic because it uses a novel zero-day. It is dangerous because it combines several familiar weaknesses defenders still underweight: malvertising, fake cracked-software downloads, misleading code-signing metadata, oversized binaries, and commodity stealer monetization.
According to Unit 42, the activity spiked in April 2026 and primarily targeted victims in the United States and European Union. The lure starts with malvertising that pushes users toward downloads impersonating cracked versions of commercial software. Once executed, the loader drops both Vidar, which targets browser credentials, cookies, and cryptocurrency wallet data, and XMRig, which quietly turns the compromised machine into a Monero mining node.
Original research: Unit 42 — Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation.
Why This Campaign Matters
For SMBs and government contractors, this campaign is a useful reminder that malware risk is not limited to targeted intrusions. A single user searching for unlicensed software, a “free” utility, or a cracked plugin can create the same downstream exposure as a more sophisticated initial-access operation: stolen browser sessions, harvested credentials, cloud account compromise, and persistence on the endpoint.
The noteworthy part is the layering. Unit 42 observed loaders generated with the Factory-v3 framework, unique builds designed to frustrate hash-based detection, binaries padded to hundreds of megabytes, rogue certificate metadata impersonating recognizable brands, and DLL sideloading behavior designed to blend into normal Windows component names. None of those techniques are new by themselves. Together, they create enough friction that weak controls may miss the infection until after data theft has already occurred.
Defensive Takeaways
- Do not trust “signed” at face value. Validate whether the certificate chains to a trusted root and whether the signer actually matches the expected publisher. Visual signer names can be misleading.
- Remove file-size blind spots. Security tooling should not skip scanning merely because a binary is unusually large. Padding with null bytes is a cheap evasion technique.
- Monitor suspicious Windows Defender lookalikes. File names such as
NisSrv.exe,MpClient.dll, andMicrosoftEdgeUpdate.exedeserve scrutiny when they appear outside expected paths. - Block obvious commodity malware infrastructure. Unit 42 identified Vidar C2 infrastructure and XMRig mining activity. Even if the campaign rotates infrastructure, DNS and egress controls can still reduce blast radius.
- Harden browsers and password storage. Vidar’s value comes from stealing browser credentials, cookies, and wallet data. Use password managers, enforce MFA, reduce persistent sessions, and monitor impossible travel or token reuse.
- Treat cracked software as a business risk, not just a policy issue. Application control, least privilege, and user awareness need to explicitly cover pirated tools, “free activators,” and unofficial installers.
Bulwark Black Assessment
This is the kind of campaign that punishes organizations with “good enough” endpoint controls. A user does not need to be specifically targeted by a nation-state actor for the business to lose credentials, session cookies, and sensitive data. Commodity stealer ecosystems have matured into repeatable pipelines: traffic acquisition through malvertising, loader-as-a-service infrastructure, credential theft, and resale through criminal markets.
The practical move is to close the easy gaps. Enforce application allowlisting where possible, tune detections for oversized executables and unusual Authenticode chains, monitor user-writable persistence paths, and restrict outbound traffic from endpoints that have no business talking to mining pools or unfamiliar VPS-hosted C2 servers. For smaller organizations, these controls are often more achievable than chasing every new malware family name.
Vidar is not new. The lesson is that old malware becomes newly effective when wrapped in better delivery, better evasion, and better monetization.
