Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation

A recent campaign identified by researchers has been observed distributing the Vidar information stealer and the XMRig cryptocurrency miner. The operation, which saw a significant spike in activity in April 2026, primarily targets consumers and small to medium-sized businesses in the U.S. and European Union. Attackers lure victims through malvertising, directing them to download fake cracked versions of copyrighted software. These downloads are delivered as password-protected archives, designed to bypass initial security scans. Upon execution, a loader binary drops and runs both the Vidar stealer, which aims to steal credentials and cryptocurrency wallets, and XMRig, used for mining Monero. The campaign is believed to be operated by an affiliate of the Vidar stealer malware-as-a-service (MaaS) ecosystem.
The initial access vector involves malvertising, specifically targeting individuals searching for pirated software. The filenames used mimic legitimate cracked software installers. The loader binaries, often disguised as legitimate files, are signed with a fabricated Authenticode certificate impersonating "justwatch[.]com." While this signature is not trusted by Windows, it can deceive unsuspecting users. Analysis indicates these loaders are built using the Factory-v3 framework, also known as UpdateFactory, which is used to generate unique binaries for different stealer malware families, thus evading hash-based detection.

Several anti-forensic and anti-analysis techniques are employed. The loader binaries have their PE TimeDateStamp zeroed out, lack PE version information, and reduce DLL imports to only kernel32.dll. Additionally, user-defined type names are obfuscated. The use of the same builder, toolchain, and certificate infrastructure suggests that Factory-v3 is offered as a service to multiple stealer affiliates, as evidenced by a concurrent Lumma stealer campaign using similar components.
The fabricated Authenticode certificate, while not chained to a trusted root, uses a recognizable brand name to potentially trick users. The 43 loader samples identified fall into four clusters, including x64 EXEs, x64 DLLs designed to mimic Windows Defender components for DLL search-order hijacking, and x86 EXEs. Some of these loaders also exhibit file-size inflation, appending hundreds of megabytes of null bytes to exceed typical sandbox file-size limits and evade automated analysis.
Further evasion techniques include an in-memory Antimalware Scan Interface (AMSI) bypass. The malware patches the AmsiScanBuffer function in amsi.dll to return an error, effectively disabling AMSI for subsequent code execution. Data blobs, including Telegram bot tokens and mining pool details, are obfuscated using a rotating XOR cipher. The attack chain concludes with the Vidar stealer exfiltrating data to a command-and-control server and XMRig mining Monero. The threat actor is notified of new infections and data exfiltration via Telegram messages.





