A cybercrime crew is disguising malware as cracked software to infect bargain hunters with the Vidar infostealer and a hidden cryptocurrency miner, netting both stolen passwords and free computing power. Unit 42, Palo Alto Networks' research team, says the campaign spiked from mid to late April 2026 and mainly hit consumers and small businesses across the United States and European Union.
How the attack works
Victims searching for pirated apps are steered by malicious ads (malvertising) to download pages serving password-protected archives with a .bin extension, a deliberate choice to slip past email scanners and automated malware sandboxes. Inside is a loader that drops both Vidar, which steals browser passwords, cookies, and cryptocurrency wallets, and XMRig, which quietly mines Monero on the victim's processor. IntelFusions has tracked similar fake-software lures pushing Vidar through TikTok posts and bogus job applications.
Layers built to dodge detection
Unit 42 researchers Bharath Nannaka and Pranay Kumar Chhaparwal detail an unusually deep stack of evasion tricks. The loaders are built with a malware-as-a-service framework called Factory-v3, which generates a unique binary per build (27 distinct build IDs across 43 samples) to defeat hash-based blocking. Each one is signed with a fake code-signing certificate impersonating a real company, first the German streaming guide JustWatch, later the sports site Bleacher Report. Neither firm was compromised. The certificates are forged and do not chain to a trusted root, but the recognizable brand name in the signature dialog is often enough to convince a victim to proceed.
The files are also inflated with hundreds of megabytes of empty padding, pushing some as large as 491 MB, because most sandboxes skip oversized submissions. The real payload in the biggest sample is just 2.3 MB. Once running, an in-memory trick patches Windows Antimalware Scan Interface (AMSI) to blind script-based defenses before the stealer executes.
What to watch for
The malware copies itself as NisSrv.exe, mimicking a genuine Windows Defender component, and persists through a registry Run key, a scheduled task, and a startup folder script all named SystemAgentService. Operators are pinged over Telegram with alerts tagged "X3D MINER" for every new infection, a moniker tied to a group that bundles XMRig with other malware. Vidar exfiltrates stolen data to 136[.]243[.]203[.]109, while XMRig mines to pool[.]supportxmr[.]com.
Unit 42 recommends enforcing strict code-signing checks, blocklisting the fraudulent certificate serials, configuring security tools to scan files regardless of size, and watching for MpClient.dll loading from unusual paths. Additional command-and-control addresses seen in a later variant include 138[.]199[.]246[.]13, 116[.]203[.]243[.]208, and 136[.]243[.]203[.]111. Read the full Unit 42 analysis for indicators and detection guidance.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.