Cybercriminals Employ Dual-Monetization Tactics to Steal Data and Mine Cryptocurrency
Recent research from Unit 42, the threat intelligence division of Palo Alto Networks, has revealed concerning new tactics employed by cybercriminals. This dual-monetization scheme, identified in an investigation published on July 7, highlights the attackers’ strategy of simultaneously stealing sensitive consumer data and using victim computers to mine cryptocurrency. The campaign, which first came to light in April 2026, primarily targets consumers and small to medium-sized businesses worldwide through malicious advertisements. These ads promote deceptive cracked software downloads, a tactic that has increasingly drawn the attention of cybersecurity researchers.
The nature of the malicious campaign is particularly insidious. Victims are tricked into downloading files that deceptively mimic legitimate services. Notably, these files impersonate well-known platforms, including JustWatch GmbH—an established German streaming guide service—and pages that counterfeit BleacherReport certificates. Importantly, researchers have clarified that JustWatch itself has not been compromised in this scheme. Instead, the attackers utilize these recognizable brands to gain the trust of unsuspecting users.
The malicious files infiltrate victim systems in the form of password-protected archives with .bin file extensions. This method serves a specific purpose: to evade detection by email security gateways and prevent automated systems from analyzing the files without needing the password. By strategic design, this approach facilitates the successful deployment of the malicious payload.
Upon execution, the loader initiates a series of sophisticated anti-analysis techniques that complicate the detection efforts of cybersecurity software. Notably, the loader employs process enumeration and includes an AMSI (Antimalware Scan Interface) bypass. This tactic involves patching the AmsiScanBuffer function to circumvent certain security measures, ultimately allowing the malware to operate with greater stealth.
Once the loader has infiltrated the system, it deploys two significant components of malware: the Vidar infostealer and the XMRig cryptocurrency miner. The Vidar infostealer is particularly notorious for its ability to extract a wealth of data from affected systems, including browser credentials, cookies, and even cryptocurrency wallet information. Meanwhile, the XMRig component exploits the victim’s CPU resources to mine Monero, a privacy-oriented cryptocurrency. This occurs by solving complex mathematical problems required to verify blockchain transactions, repurposing the victim’s computing power for the attackers’ financial gain.
Through their analysis, the experts at Unit 42 identified 99 distinct samples of the malicious loader. Each specimen exhibited clear indicators of being constructed using Factory-v3, a well-known malware-as-a-service framework used by multiple affiliates operating in the infostealer domain. This affirms the growing trend where illicit actors leverage such frameworks to optimize their malicious activities and streamline their operations.
The attackers have implemented a monetization strategy that capitalizes on both data theft and passive income generation through cryptocurrency mining. Stolen credentials and session cookies are often sold on illicit criminal markets, while the mining operations profit off the unsuspecting users’ hardware. Communications among the operators occur via Telegram, with notifications for each new infection tagged ‘X3D MINER.’ This pattern has been previously linked to established threat groups that actively distribute XMRig.
Given the alarming nature of these findings, cybersecurity experts emphasize the necessity for organizations to take preventive measures. It is crucial for businesses to block access to software piracy websites, which are often breeding grounds for such malicious activities. Implementing robust endpoint detection solutions capable of identifying unusual cryptocurrency mining activity is also recommended. Monitoring unusual CPU usage patterns can help organizations detect potential compromises early.
Furthermore, security teams are advised to ensure that AMSI protections are enabled and kept up to date rigorously. Education for users about the dangers of downloading cracked software from untrusted sources is an essential part of an organization’s security posture. By fostering awareness and implementing comprehensive security measures, businesses can protect themselves against the multifaceted threats posed by these cybercriminals.
In conclusion, as cybercriminals continuously evolve their strategies for data theft and financial exploitation, vigilance and proactive defense mechanisms become indispensable for safeguarding sensitive information and system integrity. The dual-monetization tactics unveiled by Unit 42 serve as a stark reminder of the complexities and risks that organizations must navigate in today’s digital landscape.
