Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner

July 9, 2026

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

July 9, 2026

China-Linked APT Expands Proxy Network With New Malware

July 8, 2026
Facebook X (Twitter) Instagram
Thursday, July 9
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner
News

New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner

Team-CWDBy Team-CWDJuly 9, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A new cyber-attack targets consumers and small and medium businesses worldwide to both steal sensitive cryptocurrency data and mine Monero, a decentralized cryptocurrency focused on private, untraceable transactions.

The malicious campaign was first detected by Unit 42, the research arm of cybersecurity giant Palo Alto Networks, in April 2026.

Attackers first lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software including JustWatch GmbH, a legitimate German streaming guide service, and one that resembles the BleacherReport[.]com certificate.

JustWatch itself has not been compromised, noted the researchers in a report published on July 7.

These files are delivered via password-protected archives with a .bin extension in the filenames, a technique described by Unit 42 as a deliberate choice to bypass email gateway scanning and prevent automated sandbox detonation without the password.

The attackers also employed anti-analysis techniques such as process enumeration and an AMSI bypass where the AmsiScanBuffer function is patched to prevent detection by some types of security software.

The loader then drops and runs both the Vidar infostealer and the XMRig cryptocurrency miner.

Vidar siphons sensitive information from the victim’s environment, like browser credentials, cookies and crypto wallets. Meanwhile, XMRig mines Monero, utilizing the victim computer’s processor to solve complex mathematical problems to verify network transactions and secure the blockchain, an action rewarded with freshly minted Monero coins.

“The operator behind this campaign runs a dual-monetization scheme. Criminals sell credentials and session cookies stolen by Vidar stealer on criminal log markets, while XMRig provides passive income from hijacked victim CPU cycles,” explained the Unit 42 researchers.

Unit 42 found 99 samples of the loader, all showing evidence that the attackers used the Factory-v3 framework, a well-known malware-as-a-service (MaaS) builder used for different families of stealer malware.

This builder is assessed to be a separate upstream service used by at least two distinct known infostealer affiliates.

The researchers also discovered the attackers used Telegram for command-and-control (C2) communication. The tag ‘X3D MINER’ appeared in Telegram operator notifications sent for every new victim infection, a behavior that has been associated to a known threat group previously observed delivering XMRig and binding XMRig with other programs.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleFortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
Team-CWD
  • Website

Related Posts

News

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

July 9, 2026
News

China-Linked APT Expands Proxy Network With New Malware

July 8, 2026
News

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

July 8, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Here’s what you should know

February 6, 2026

Find your weak spots before attackers do

November 21, 2025

AI-powered financial scams swamp social media

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.