Unit 42 documents a financially motivated affiliate, tracked by the operator moniker X3D MINER, running a Vidar stealer malware as a service operation that pairs credential theft with cryptocurrency mining against consumers and small and medium sized businesses across the United States and the European Union. The loaders are produced by a commercial builder framework called Factory-v3, which stamps a unique build into every sample so that no two victims receive an identical binary, a deliberate move to defeat hash based detection and blunt intelligence sharing. The same builder, toolchain, and code signing infrastructure also underpin a concurrent Lumma stealer campaign, which points to a shared criminal supply chain rather than a single bespoke tool.
Access begins with malvertising that steers users searching for pirated or cracked software toward pages serving password protected archives, a packaging choice that frustrates email gateway scanning and automated sandbox detonation. The extracted loader leans heavily on evasion before any payload runs: it carries a rogue code signature that impersonates a recognizable brand so the signing dialog looks reassuring even though the binary is untrusted, and it inflates itself with hundreds of megabytes of null bytes so that size capped sandboxes silently skip it. Once executing, the loader decrypts its embedded configuration and neutralizes in memory scanning by patching the Antimalware Scan Interface so that subsequent script and payload activity is never inspected.
The operator then establishes triple redundant persistence, registering an autostart entry, a logon scheduled task, and a startup script that each relaunch a loader copy renamed to blend in with genuine Windows and Windows Defender components staged in a user writable application data directory. From that foothold the loader delivers two payloads with complementary revenue models: Vidar harvests browser credentials, session cookies, and cryptocurrency wallet material and packages them for exfiltration to attacker infrastructure, while XMRig quietly mines Monero using victim processor time and loads a kernel driver to raise its yield. Victim geolocation and a per host identifier are beaconed to a Telegram channel so the operator can triage fresh logs in real time.
A distinctive tradecraft element is the loader's reuse of Windows Defender service and updater names for its persistence binaries, placing files that carry trusted sounding names in directories where those genuine binaries never live, so that a casual review of running processes or autostart entries reads as routine system maintenance rather than an active compromise.
IOCs (50)
Scan your environment for IOCs →IP ADDRESS 4
136.243.203.109136.243.203.111138.199.246.13116.203.243.208DOMAIN 1
pool.supportxmr.comSHA256 FILE HASH 45
097a87cfa4a5186aba3bba096866692951bde59c6f0c2e8c1c4a599246d14da8201594c9d173bba6cb509407ecba378c19b93da0a81a2182a913c480e6dbb54e20bf39e1e67152039e70a01ad9e7b23c08d23d2a724ef9c44903f3d4353a227535dde1b2482b12582820a861e7c46f10721af6b75052fc872c05d2230a4e8ca143920ef7d2742d140a1ab2a1ef172c716903474c73561377dc4f1534d2c5f58147d6d1a38534ba897a5a1e293e3d5df303bbd8e0526e756ad08887ffc1417bef68ced9d7c1b1ff8ffb5f56c7d3f849d4fd16a1b95324426811424b40043d6d256b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5739cdedb20de39aeb1f15dc8c2dbbf15fa993250fd879bf87443ff9aeaf4997b74df77b6a83d89fa137fd285a2efde36b1d62c00b3be81cc93df7d1e6e94837b8b40cc7d173efd27fb60f3d260acef28f58d67d1f39597e1d611db311a305f629656d3301f63ef6114289739a1c44082206298f787238fc6c190ad87eab247519b3df1b6c1b98c201de09a7719066f7bcae6b66a3173b703a617f53fddf67d51a17a972a05afe387ed32aa2986d5be8bca2f22619d0aedfa834c6963abfab3bfa4f979b4a5d7bc8bc455dd4c09b44e51a389576fccce35a2c8da3ce680237565a64843ebfbc39e96ec7613003b1b5c3a9b878874ea15a05e1d34ce91781ebfb6aaa2bc1128d8b8b2da76262bf87ede19bac053cca6576efba6aaa71c9438c304b830f043076a12748b6a2dc0810ece85439ee77434d991ae7d84201b09ead756bb30cc2b302d9a6963109b201b78d4163bb6c2d7bc8bf5a66e9a744b62fc2717c328b78c21060e2203ac517833fce41572b91878e187f85fa434cd6914659834c7a4a547eb7f6b0b4b75bb6dd8955244bb2618ba234ae740cdedd7c2d30e3465d384c403c084967d8c967501ee6332b050af04ef424f13a3f5a88d155389d98cd6446f2803444bd2200d48a01a9ad7d487e67e8e831c9cd13f89cbfec17fd4e2d7c9c9469c513c05aa431fae34f414f91fcf3f794d3e76b6e4d0b92c4cd3ff2ed8c1f96107a3349e62b3ab9afc60f62af9c89b6961b637a26b71e1230f2b3b8af0dcb7e407de85d8de8e2221df8dddecac8aec88af8975c9f07e14100f6edb880a6a67a2fc4d79ec1cd8afc5b8b7a5e69a406e53d57a7334e097c5d0644de5f6488d941b7b4428b0f4a0e5495e3857b9b96215fb3e7f164b06640d59096425e65d7324d8b5a25f862ef8223c6766d0e80af3ad168e17312b265e13a3a68e0ded7720e83c02a027d70ae201c393c1956aa2fa8199879a3a4c4fd1d20b03022cfd7e49da0ae2f81e14841f356b4d69f0480c2d9ce3fab5a3fa91b0036d9a36fa0fb8b5f6991a3a61083461d5269245bebf28b90934c328848ba8c1e084a5a6216cb927d265fa29e471c1ae0d31516e480c09c0fb17f480ad08ea8d5b73e84b7a1bb9b6893fa6b04ee8daa29e515c08239ac5204af1a1fa2bc10006eede1b41329bc7c37a973b14edd5b6b2da4a1497c593e43640735ff54aecc9a3288fa5e548e3d2148a458da46e81702136aa915312d360805f083d1f37ff5531db9fbdb8ad6dd7b56818c829960b692de9ad5a14e52669d953e9f074f7218c3fe34ede4a11a0db2a872f712fbdb1e347d06e29a9ed8278d86710ffc14ff04422be76e47124f4e9e5e748ec5c0b811c8e60b0e55059edb4d2df86ff3ca45969e57d5fecb11a3803e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7914c18a04a2727bba9cecab78a1d516ec3c7a3f667e0e5a6081aa0e9206a69fed78082dc33c6dca98316e865efa9829c6eb5a97c2ca3cd4ea6c2123a5f6ae45b15489bcd6e4602b41c9a787ec8d7ab027d5e45d400938048bb1c702ad5937980169a330353e53a409e0109c914404354741ff1e1c64e501738dc05e58ea92abc2a02ec4af5ed591afdf1236a443e3b68642ee133f38a2857d1eada51246ab498Detections (10)
Enable detections →Connect your environment for suggestions and queries personalized to your security telemetry.
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Scheduled Task Persistence Executing a Binary From Roaming AppData Temp
- Registry Run Key Referencing an Executable in Roaming AppData Temp
- Startup Folder Persistence Script Created by a Non Shell Process
- Windows Defender Component Binary Written To a User Writable Directory
- Non Browser Process Reading Multiple Browser Credential Stores
- In Memory AMSI Patch via AmsiScanBuffer Overwrite
- Oversized PE With Null Byte Padding for Sandbox Evasion
- Outbound Geolocation Lookup to an IP Geolocation Service From a Non Browser Process