VYPR
researchPublished Jul 7, 2026· 1 source

Vidar Stealer Campaign Leverages Code Signing Abuse and File Inflation for Evasion

A financially motivated cybercrime campaign is distributing the Vidar stealer and XMRig miner by employing sophisticated evasion techniques, including code signing abuse and file-size inflation.

Researchers have uncovered a widespread cybercrime campaign actively distributing the Vidar information stealer and the XMRig cryptocurrency miner. This operation, primarily targeting consumers and small to medium-sized businesses in the U.S. and European Union, lures victims through malvertising that impersonates cracked software. Upon execution, a loader binary deploys both the Vidar stealer, which targets sensitive data such as browser credentials and crypto wallets, and the XMRig miner, used for Monero cryptocurrency mining.

The campaign's operators are believed to be affiliates of a Vidar stealer Malware-as-a-Service (MaaS) provider. Analysis of the loader binaries revealed they are built using the Factory-v3 framework, also known as UpdateFactory. This builder generates unique binaries for each build, employing custom Go programming language tools and incorporating anti-forensic measures like zeroed PE TimeDateStamps and reduced DLL imports to hinder detection. The use of the same builder and certificate infrastructure for concurrent Lumma stealer campaigns suggests Factory-v3 is a versatile service catering to multiple stealer affiliates.

A key evasion tactic employed by the attackers is the abuse of code signing. The loader binaries are digitally signed with an Authenticode certificate that falsely impersonates JustWatch GmbH, a legitimate streaming guide service. Although this fabricated certificate is not trusted by Windows, its recognizable branding is intended to deceive unsuspecting users into bypassing security warnings. This technique highlights a common strategy of leveraging legitimate-sounding digital identities to gain user trust.

The malware distribution involves password-protected archives with a .bin extension, designed to circumvent email gateway scanning and automated sandbox analysis. Upon extraction, the loader binaries exhibit significant file-size inflation, with hundreds of megabytes of null bytes appended to the end of the file. This tactic aims to exceed the file-size limits imposed by many automated analysis environments, preventing the malware from being executed and analyzed.

Further analysis identified four distinct clusters of loader samples, including executable loaders and DLL variants. Notably, some DLL samples mimic Windows Defender's MpClient.dll API functions. These are designed to be vulnerable to DLL search-order hijacking, allowing the malicious DLL to be loaded by legitimate Windows Defender processes if placed in a higher-priority search path, thereby evading detection.

The campaign saw a notable increase in activity in mid-to-late April 2026, with researchers identifying 43 unique loader binaries. The use of the Factory-v3 builder, custom Go toolchain, and sophisticated evasion techniques like file-size inflation and rogue code signing demonstrates a high level of technical proficiency among the threat actors. This campaign underscores the evolving tactics used by financially motivated cybercriminals to deliver information stealers and cryptocurrency miners.

Palo Alto Networks products such as Cortex XDR, XSIAM, Advanced WildFire, and Advanced URL Filtering provide protection against the threats detailed in this campaign. Organizations that suspect compromise or require immediate assistance can contact the Unit 42 Incident Response team.

Synthesized by Vypr AI