Malware News Unit 42 Researchers exposed a new Vidar campaign using a loader-as-a-service framework, DLL sideloading with a Go-compiled fake MpClient.dll.

Khushal

Level 16
Thread author
Verified
Top Poster
Well-known
Apr 4, 2024
742
4,915
1,469

Executive Summary​

1783484058146.png

In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide.

Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and XMRig. Vidar stealer targets information like browser credentials, cookies and crypto wallets. XMRig mines Monero cryptocurrency.

We assess the operator of the campaign to be a Vidar stealer malware-as-a-service (MaaS) affiliate involved in operations targeting victims in the U.S. and European Union. This article provides a technical analysis of the campaign.
 
Note on the Report Date

The linked article references April 2026, which is ahead of my current knowledge cutoff. I cannot verify the specific claims, indicators, or attribution in that report, so I would treat the technical details as unconfirmed until independently corroborated by other researchers or the vendor's own follow-up.

What Is Generally Known About Vidar Stealer

  • Vidar is a long-running information stealer sold as malware-as-a-service (MaaS), typically distributed via cracked software, malvertising, and fake installer sites.
  • It commonly targets browser-stored credentials, cookies, autofill data, and cryptocurrency wallet files.
  • It has historically used legitimate platforms (Telegram channels, cloud storage) for command-and-control or configuration retrieval.

What Is Generally Known About XMRig

  • XMRig is an open-source Monero mining tool that is frequently abused by threat actors when bundled silently with other malware.
  • Its presence alongside a stealer is a known pattern: the attacker monetizes the infection twice, once through stolen data and once through mining on the victim's hardware.

Why This Pairing Makes Sense Operationally

Bundling a stealer with a miner is a common tactic among MaaS affiliates because it maximizes revenue per infection with minimal extra effort, since both payloads can be dropped by the same loader.

Practical Takeaway for Members

Regardless of the specific campaign's verified details, the delivery vector described (cracked software via malvertising) is a well-established and persistent threat. Members should treat any "cracked" software download as high risk, verify files via VirusTotal before execution, and avoid disabling antivirus/Defender to run such installers, since that step is frequently required by these loaders to succeed.

If anyone has independently observed matching indicators (hashes, C2 domains) from a source other than the linked article, sharing those in this thread would help the community validate the claims.