← All briefs
high July 16, 2026

Vidar Stealer and XMRig X3D MINER Cracked Software Campaign

Source report →

Unit 42 documents a financially motivated affiliate, tracked by the operator moniker X3D MINER, running a Vidar stealer malware as a service operation that pairs credential theft with cryptocurrency mining against consumers and small and medium sized businesses across the United States and the European Union. The loaders are produced by a commercial builder framework called Factory-v3, which stamps a unique build into every sample so that no two victims receive an identical binary, a deliberate move to defeat hash based detection and blunt intelligence sharing. The same builder, toolchain, and code signing infrastructure also underpin a concurrent Lumma stealer campaign, which points to a shared criminal supply chain rather than a single bespoke tool.

Access begins with malvertising that steers users searching for pirated or cracked software toward pages serving password protected archives, a packaging choice that frustrates email gateway scanning and automated sandbox detonation. The extracted loader leans heavily on evasion before any payload runs: it carries a rogue code signature that impersonates a recognizable brand so the signing dialog looks reassuring even though the binary is untrusted, and it inflates itself with hundreds of megabytes of null bytes so that size capped sandboxes silently skip it. Once executing, the loader decrypts its embedded configuration and neutralizes in memory scanning by patching the Antimalware Scan Interface so that subsequent script and payload activity is never inspected.

The operator then establishes triple redundant persistence, registering an autostart entry, a logon scheduled task, and a startup script that each relaunch a loader copy renamed to blend in with genuine Windows and Windows Defender components staged in a user writable application data directory. From that foothold the loader delivers two payloads with complementary revenue models: Vidar harvests browser credentials, session cookies, and cryptocurrency wallet material and packages them for exfiltration to attacker infrastructure, while XMRig quietly mines Monero using victim processor time and loads a kernel driver to raise its yield. Victim geolocation and a per host identifier are beaconed to a Telegram channel so the operator can triage fresh logs in real time.

A distinctive tradecraft element is the loader's reuse of Windows Defender service and updater names for its persistence binaries, placing files that carry trusted sounding names in directories where those genuine binaries never live, so that a casual review of running processes or autostart entries reads as routine system maintenance rather than an active compromise.

IP ADDRESS 4
136.243.203.109
136.243.203.111
138.199.246.13
116.203.243.208
DOMAIN 1
pool.supportxmr.com
SHA256 FILE HASH 45
097a87cfa4a5186aba3bba096866692951bde59c6f0c2e8c1c4a599246d14da8
201594c9d173bba6cb509407ecba378c19b93da0a81a2182a913c480e6dbb54e
20bf39e1e67152039e70a01ad9e7b23c08d23d2a724ef9c44903f3d4353a2275
35dde1b2482b12582820a861e7c46f10721af6b75052fc872c05d2230a4e8ca1
43920ef7d2742d140a1ab2a1ef172c716903474c73561377dc4f1534d2c5f581
47d6d1a38534ba897a5a1e293e3d5df303bbd8e0526e756ad08887ffc1417bef
68ced9d7c1b1ff8ffb5f56c7d3f849d4fd16a1b95324426811424b40043d6d25
6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5
739cdedb20de39aeb1f15dc8c2dbbf15fa993250fd879bf87443ff9aeaf4997b
74df77b6a83d89fa137fd285a2efde36b1d62c00b3be81cc93df7d1e6e94837b
8b40cc7d173efd27fb60f3d260acef28f58d67d1f39597e1d611db311a305f62
9656d3301f63ef6114289739a1c44082206298f787238fc6c190ad87eab24751
9b3df1b6c1b98c201de09a7719066f7bcae6b66a3173b703a617f53fddf67d51
a17a972a05afe387ed32aa2986d5be8bca2f22619d0aedfa834c6963abfab3bf
a4f979b4a5d7bc8bc455dd4c09b44e51a389576fccce35a2c8da3ce680237565
a64843ebfbc39e96ec7613003b1b5c3a9b878874ea15a05e1d34ce91781ebfb6
aaa2bc1128d8b8b2da76262bf87ede19bac053cca6576efba6aaa71c9438c304
b830f043076a12748b6a2dc0810ece85439ee77434d991ae7d84201b09ead756
bb30cc2b302d9a6963109b201b78d4163bb6c2d7bc8bf5a66e9a744b62fc2717
c328b78c21060e2203ac517833fce41572b91878e187f85fa434cd6914659834
c7a4a547eb7f6b0b4b75bb6dd8955244bb2618ba234ae740cdedd7c2d30e3465
d384c403c084967d8c967501ee6332b050af04ef424f13a3f5a88d155389d98c
d6446f2803444bd2200d48a01a9ad7d487e67e8e831c9cd13f89cbfec17fd4e2
d7c9c9469c513c05aa431fae34f414f91fcf3f794d3e76b6e4d0b92c4cd3ff2e
d8c1f96107a3349e62b3ab9afc60f62af9c89b6961b637a26b71e1230f2b3b8a
f0dcb7e407de85d8de8e2221df8dddecac8aec88af8975c9f07e14100f6edb88
0a6a67a2fc4d79ec1cd8afc5b8b7a5e69a406e53d57a7334e097c5d0644de5f6
488d941b7b4428b0f4a0e5495e3857b9b96215fb3e7f164b06640d59096425e6
5d7324d8b5a25f862ef8223c6766d0e80af3ad168e17312b265e13a3a68e0ded
7720e83c02a027d70ae201c393c1956aa2fa8199879a3a4c4fd1d20b03022cfd
7e49da0ae2f81e14841f356b4d69f0480c2d9ce3fab5a3fa91b0036d9a36fa0f
b8b5f6991a3a61083461d5269245bebf28b90934c328848ba8c1e084a5a6216c
b927d265fa29e471c1ae0d31516e480c09c0fb17f480ad08ea8d5b73e84b7a1b
b9b6893fa6b04ee8daa29e515c08239ac5204af1a1fa2bc10006eede1b41329b
c7c37a973b14edd5b6b2da4a1497c593e43640735ff54aecc9a3288fa5e548e3
d2148a458da46e81702136aa915312d360805f083d1f37ff5531db9fbdb8ad6d
d7b56818c829960b692de9ad5a14e52669d953e9f074f7218c3fe34ede4a11a0
db2a872f712fbdb1e347d06e29a9ed8278d86710ffc14ff04422be76e47124f4
e9e5e748ec5c0b811c8e60b0e55059edb4d2df86ff3ca45969e57d5fecb11a38
03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7
914c18a04a2727bba9cecab78a1d516ec3c7a3f667e0e5a6081aa0e9206a69fe
d78082dc33c6dca98316e865efa9829c6eb5a97c2ca3cd4ea6c2123a5f6ae45b
15489bcd6e4602b41c9a787ec8d7ab027d5e45d400938048bb1c702ad5937980
169a330353e53a409e0109c914404354741ff1e1c64e501738dc05e58ea92abc
2a02ec4af5ed591afdf1236a443e3b68642ee133f38a2857d1eada51246ab498

Detections (10)

Enable detections →

Connect your environment for suggestions and queries personalized to your security telemetry.

  • Potential Mpclient.DLL Sideloading Via Defender Binaries
  • Scheduled Task Persistence Executing a Binary From Roaming AppData Temp
  • Registry Run Key Referencing an Executable in Roaming AppData Temp
  • Startup Folder Persistence Script Created by a Non Shell Process
  • Windows Defender Component Binary Written To a User Writable Directory
  • Non Browser Process Reading Multiple Browser Credential Stores
  • In Memory AMSI Patch via AmsiScanBuffer Overwrite
  • Oversized PE With Null Byte Padding for Sandbox Evasion
  • Outbound Geolocation Lookup to an IP Geolocation Service From a Non Browser Process