In a concerning development within the realm of cyber threats, a new campaign has emerged, targeting consumers as well as small and medium-sized businesses across the globe. This malicious initiative aims to both steal sensitive cryptocurrency-related data and facilitate the mining of Monero—a cryptocurrency renowned for its emphasis on private and untraceable transactions.
The first signs of this cyber-attack were identified in April 2026 by Unit 42, the esteemed research division of cybersecurity powerhouse Palo Alto Networks. Their investigations revealed that attackers are employing deceptive tactics to lure victims to malicious advertising (malvertising) that leads them to download files masquerading as cracked versions of legitimate software. Notably, one of the spoofed services mentioned is JustWatch GmbH, a legitimate German streaming guide, alongside a fabricated certificate imitating that of BleacherReport.com.
Despite the attackers’ attempts to exploit the JustWatch brand, the platform itself remains uncompromised, as highlighted in a report released by Unit 42 on July 7. Rather intriguing is the methodology employed in the delivery of these harmful files; they are packaged in password-protected archives with .bin file extensions. This strategic choice is aimed at circumventing email gateway scanning processes and thwarting automatic detection systems, as security solutions are often unable to analyze the contents without the necessary password.
Moreover, the attackers have integrated sophisticated anti-analysis techniques. They employ process enumeration, which assists in identifying running processes on the victim’s computer. In tandem, they have implemented an Anti-Malware Scan Interface (AMSI) bypass, effectively patching the AmsiScanBuffer function to elude recognition from specific types of security software. Such tactics illustrate the increasing sophistication and resourcefulness of cybercriminals in evading detection.
Once the malicious loader is initiated, it subsequently deploys and executes both the Vidar infostealer and the XMRig cryptocurrency miner. The Vidar infostealer is particularly notorious for siphoning sensitive information from the victim’s environment, capturing browser credentials, cookies, and cryptocurrency wallet data. As this data is extracted, the XMRig miner utilizes the victim’s computer processing power to solve intricate mathematical problems, which in turn verifies network transactions and fortifies the blockchain. This computational effort is rewarded through the generation of newly minted Monero coins.
Unit 42 researchers elucidated that the campaign operates on a dual-monetization scheme. They explained that the operators benefit financially in two ways: Firstly, credentials and session cookies stolen by the Vidar infostealer are sold on illicit market forums, while secondly, the XMRig produces passive income through the commandeered CPU cycles of uninformed victims. This dual approach underscores the significant profitability potential for cybercriminals engaged in such schemes.
Through their analysis, the researchers discovered a total of 99 samples of the malicious loader, all sharing characteristics that indicate the usage of the Factory-v3 framework. This framework is a well-established malware-as-a-service (MaaS) builder that is employed for various families of stealer malware, suggesting that the attackers are utilizing a sophisticated infrastructure.
Additionally, Unit 42 identified the use of Telegram for command-and-control (C2) communications by the attackers. Within the data, they noted the appearance of the tag ‘X3D MINER’ in Telegram notifications each time a new victim was infected. This behavior links the campaign to a previously recognized threat group believed to have engaged in the delivery of XMRig and linked it with other deceptive programs.
Overall, this new cyber-attack exemplifies the evolving landscape of cyber threats, especially in relation to cryptocurrencies. As businesses and consumers navigate this treacherous environment, the need for heightened awareness and enhanced cybersecurity measures becomes increasingly pressing. It serves as a stark reminder that individuals and organizations must remain vigilant and proactive in their defenses against such sophisticated and multifaceted cyber-attacks.
