Vidar campaign hides miner behind fake software

Cybercriminals are using fake cracked-software downloads to infect consumers and smaller businesses with a double payload that steals credentials and mines Monero, underscoring how commodity malware operators are combining immediate data theft with longer-running attempts to profit from compromised machines.

The campaign delivers Vidar, a widely used information stealer, alongside XMRig, an open-source cryptocurrency miner often abused in cryptojacking attacks. Victims are lured through malvertising into downloading password-protected archives that appear to contain pirated versions of commercial software. Once opened and executed, the loader deploys both tools, giving attackers access to browser credentials, cookies and cryptocurrency wallet data while also diverting computing power to mine Monero.

Security researchers have linked the activity to a Vidar malware-as-a-service affiliate targeting users and organisations mainly in the United States and the European Union. The campaign showed a visible spike from mid to late April 2026, with dozens of related loader samples identified. The choice of cracked-software lures points to a familiar but effective channel: users searching for unauthorised copies of paid applications are pushed towards malicious advertisements and download pages that mimic legitimate software distribution.

ADVERTISEMENT

The loader infrastructure reflects a more sophisticated operation than a basic malware dropper. Analysts identified 43 loader samples tied to the campaign, divided across executable and DLL variants. Twenty-six were 64-bit Go-compiled executable loaders, 13 were fake MpClient. dll files designed for DLL sideloading, three were 32-bit Go loaders and one was the Vidar core payload. The repeated use of Go, unique build identifiers and altered file structures suggests an attempt to evade security tools that depend heavily on known hashes or standard file characteristics.

One notable feature is the abuse of code-signing cues. The samples carried Authenticode signatures fabricated to impersonate JustWatch GmbH, a legitimate German streaming guide service. There is no indication that JustWatch itself was compromised. The certificate did not chain to a trusted Microsoft root, meaning Windows should still treat the binary as untrusted. Yet the visual presence of a recognisable brand in a signing dialog can mislead users into accepting a warning and continuing the installation.

The campaign also used file-size inflation to frustrate automated analysis. Some loader binaries were padded with hundreds of megabytes of null bytes, pushing file sizes as high as 491 MB even though the functional malicious content was only a small fraction of that. Many sandboxing systems impose file-size limits of about 50 MB to 100 MB, allowing oversized malware to escape detonation or deeper inspection unless defences strip padding before scanning.

The DLL branch of the campaign relies on search-order hijacking. Malicious MpClient. dll variants mimic exported Windows Defender functions such as MpAllocMemory and MpConfigOpen. If placed in a higher-priority directory, the fake DLL can be loaded by a legitimate process, giving the malware a path to execution while blending into trusted Windows activity. This technique remains attractive to financially motivated actors because it turns normal software behaviour into a delivery mechanism.

Vidar’s role is to harvest valuable data quickly. The stealer is known for targeting browser-stored passwords, cookies, autofill information and crypto wallet material. Such logs are useful for account takeover, fraud, resale on criminal markets and follow-on intrusions. XMRig adds a second revenue stream by quietly using the victim’s processor to mine Monero, a privacy-focused cryptocurrency that has long been favoured in illicit mining because transactions are harder to trace than those involving many other digital assets.

ADVERTISEMENT

The campaign fits a broader pattern in cybercrime. Infostealers have become a core part of the criminal supply chain, feeding markets for stolen credentials and session cookies. Ransomware groups, fraud crews and access brokers all rely on such material to enter systems without noisy exploitation. At the same time, cryptojacking has shifted from crude mining scripts to better-integrated operations with persistence, evasion and command-and-control reporting.

The Vidar sample also contained an in-memory bypass targeting the Windows Antimalware Scan Interface. By patching AmsiScanBuffer, the malware attempts to weaken a key inspection layer before executing further logic. Larger configuration blobs, including Telegram bot material, a Monero wallet address and mining-pool details, were obfuscated with rotating XOR encryption. Telegram-based notification channels are commonly used by criminal operators because they are easy to automate and difficult to police at scale.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com