Listen to this Post

Introduction: A New Era of Double-Impact Cybercrime
Cybercriminals continue to evolve their tactics, combining multiple forms of malware into a single attack to maximize profits while minimizing detection. Instead of relying on a single payload, modern threat actors increasingly deploy sophisticated malware packages capable of stealing sensitive information while simultaneously exploiting victims’ computing resources for cryptocurrency mining. This latest campaign demonstrates how attackers are targeting both consumers and small-to-medium businesses (SMBs) worldwide, using deceptive advertisements and fake software downloads to compromise systems. According to cybersecurity researchers, the operation reflects a growing trend where cybercriminals monetize every infected machine in multiple ways, making each victim significantly more valuable.
Malvertising Campaign Disguises Malware as Popular Software
Researchers from Palo Alto
The attackers rely on malvertising, a technique that uses malicious online advertisements to redirect unsuspecting users toward fake download websites. These websites impersonate legitimate software distribution platforms and advertise cracked versions of copyrighted applications that many users search for online.
Among the fake websites observed were pages mimicking services associated with JustWatch GmbH, the legitimate German streaming guide platform, alongside another site designed to resemble certificates associated with BleacherReport.com.
Importantly, researchers emphasized that JustWatch itself has not been compromised. Instead, attackers simply copied elements of its branding to increase user trust and encourage downloads.
This social engineering tactic remains highly effective because users searching for free or cracked software are often less cautious, making them ideal targets for malware distribution.
Password-Protected Archives Help Malware Evade Security Detection
Unlike traditional malware downloads, the attackers package their payloads inside password-protected archives whose filenames end with the .bin extension.
Although the files appear unusual, this approach serves several important purposes.
Because the archive is encrypted with a password, many email security gateways and automated malware scanning systems cannot inspect its contents before delivery. Automated sandbox environments also struggle to execute the malware because they lack the password needed to unpack the archive.
This allows the malicious files to bypass many conventional security defenses before reaching the victim’s computer.
It represents another example of cybercriminals abusing legitimate compression features to defeat automated detection technologies.
Advanced Anti-Analysis Techniques Hide the Malware
After execution, the malware begins by determining whether it is running inside a virtual machine, sandbox, or security research environment.
Researchers observed several anti-analysis techniques, including process enumeration designed to detect monitoring tools.
The malware also patches
This well-known AMSI bypass prevents certain security products from inspecting malicious scripts and commands executed in memory, allowing later payloads to operate with significantly reduced visibility.
These defensive evasion techniques indicate that the malware authors possess considerable technical expertise.
Two Dangerous Payloads Delivered Together
Once the loader completes its preparation, it deploys two separate malware families simultaneously.
The first is Vidar, one of
Vidar searches infected systems for:
Browser passwords
Saved login credentials
Session cookies
Cryptocurrency wallet information
Autofill data
Browser history
Various authentication tokens
Stolen credentials are later sold on underground criminal marketplaces, where they may be used for account takeovers, ransomware attacks, identity theft, or financial fraud.
Alongside Vidar, victims also receive XMRig, one of the world’s most widely abused open-source cryptocurrency mining programs.
Rather than stealing information directly, XMRig silently consumes the victim’s processor resources to mine Monero, a privacy-focused cryptocurrency whose anonymous design makes it especially attractive to cybercriminals.
Victims often notice their computers becoming unusually slow, overheating, or running continuously at high CPU usage without realizing cryptocurrency mining is occurring in the background.
A Dual Monetization Strategy Maximizes Criminal Revenue
According to Unit 42 researchers, this campaign is especially profitable because attackers generate income from two independent criminal activities at the same time.
First, Vidar steals credentials, browser cookies, and cryptocurrency wallet information that can be sold individually on underground marketplaces.
Second, XMRig continuously mines Monero using infected computers, generating passive cryptocurrency income for the operators around the clock.
This dual-revenue approach dramatically increases the lifetime value of every infected device.
Instead of relying solely on stolen credentials, attackers continue earning money as long as the victim remains infected.
This reflects a growing trend in cybercrime where malware increasingly serves multiple financial objectives simultaneously.
Factory-v3 Malware Builder Simplifies Large-Scale Attacks
Unit 42 identified 99 different malware loader samples, all showing characteristics associated with the Factory-v3 malware framework.
Factory-v3 is a well-known Malware-as-a-Service (MaaS) builder that enables criminals to generate customized malware loaders with minimal programming knowledge.
Rather than writing malware from scratch, cybercriminals can purchase or rent access to these builders, dramatically lowering the barrier to entry for launching sophisticated attacks.
Researchers believe Factory-v3 functions as an upstream service used by multiple infostealer affiliates, meaning numerous criminal groups may already be using similar infrastructure.
This explains why security researchers continue seeing variations of similar malware campaigns across different industries and countries.
Telegram Serves as the
The investigation also uncovered the
Every successful infection generated an automated Telegram notification labeled “X3D MINER.”
Such notifications allow operators to monitor infections in real time while managing compromised devices remotely.
Researchers noted that similar Telegram behaviors have previously been associated with threat actors known for combining XMRig cryptocurrency mining with additional malware payloads.
The use of popular messaging platforms for malware management continues growing because encrypted communication channels are inexpensive, accessible worldwide, and blend into normal internet traffic.
Deep Analysis
Command 1: Multi-Layered Monetization Is Becoming the Cybercrime Standard
Modern cybercriminal organizations increasingly operate like legitimate businesses. Rather than depending on one income stream, they diversify revenue through credential theft, cryptocurrency mining, ransomware, access sales, and data brokerage. This campaign perfectly illustrates that evolution.
Command 2: Cracked Software Remains One of the Largest Infection Sources
The attackers deliberately targeted users searching for pirated applications because those users are already willing to bypass normal security warnings. Years of security awareness campaigns have reduced infections from email attachments, but cracked software continues to offer criminals an effective delivery method.
Command 3: Malware-as-a-Service Continues Lowering the Barrier to Entry
Frameworks such as Factory-v3 mean that sophisticated malware development is no longer limited to experienced programmers. Criminals can simply purchase ready-made builders, customize payloads, and launch global campaigns with minimal technical expertise.
Command 4: Telegram Is Becoming a Popular Criminal Infrastructure
Threat actors increasingly rely on Telegram because it provides encrypted communications, automation through bots, and global accessibility. Security teams should monitor unexpected Telegram traffic, especially in enterprise environments where such communication may be unnecessary.
Command 5: Information Stealers Are More Dangerous Than Ever
Many victims underestimate information stealers because they do not encrypt files like ransomware. However, stolen browser sessions, authentication cookies, and cryptocurrency wallets can cause devastating financial losses and provide attackers with access to cloud services without needing passwords.
Command 6: Cryptocurrency Mining Malware Is Quiet but Costly
While cryptominers rarely attract immediate attention, they significantly degrade hardware performance, increase electricity costs, shorten component lifespan, and consume valuable computing resources. Businesses may experience productivity losses long before discovering the infection.
Command 7: Defense Requires Multiple Security Layers
Traditional antivirus solutions alone are no longer sufficient. Organizations need behavioral detection, endpoint monitoring, browser protection, user education, and threat intelligence to identify sophisticated campaigns before serious damage occurs.
Command 8: Future Campaigns Will Likely Become Even More Modular
The modular design observed in this campaign suggests future malware may dynamically download additional payloads based on the victim’s environment, allowing criminals to customize attacks for maximum profitability.
What Undercode Say:
This campaign highlights how cybercrime has become a mature underground economy rather than isolated hacking incidents. Attackers are carefully engineering every stage of the infection process to maximize financial returns while minimizing operational risk.
The use of fake software downloads demonstrates that social engineering remains one of the most powerful attack techniques available. Technical defenses can be bypassed if users willingly execute malicious files.
The combination of Vidar and XMRig is particularly effective because it generates both immediate and long-term revenue. Credentials can be sold almost instantly, while cryptocurrency mining continues producing income for weeks or months until the malware is removed.
The use of encrypted archives shows attackers fully understand how enterprise security products work. By hiding malware inside password-protected files, they significantly reduce the effectiveness of automated scanning technologies.
Factory-v3 also illustrates the industrialization of cybercrime. Malware creation has become a commercial service, allowing even relatively inexperienced criminals to deploy sophisticated malware campaigns.
Telegram’s role as command-and-control infrastructure is another reminder that legitimate communication platforms increasingly serve malicious purposes. Security teams should focus on behavioral anomalies instead of simply blocking known malware domains.
Small and medium businesses remain especially vulnerable because they often lack dedicated cybersecurity staff, advanced endpoint detection, and continuous threat monitoring.
Consumers are equally exposed, particularly those downloading cracked software or disabling antivirus protection to install unauthorized applications.
As cryptocurrency adoption expands globally, attacks targeting digital wallets will almost certainly increase. Every browser extension, password manager, and wallet application represents a potential target.
Organizations should adopt zero-trust principles, implement multi-factor authentication, monitor unusual CPU utilization, regularly patch systems, and educate employees about software piracy risks.
Ultimately, this campaign demonstrates that
✅ Confirmed: Unit 42 researchers publicly documented the malware campaign, including the combined deployment of Vidar and XMRig, the use of password-protected archives, and the Factory-v3 malware builder.
✅ Confirmed: Researchers stated that JustWatch was impersonated but was not compromised, meaning its legitimate infrastructure was not responsible for distributing malware.
✅ Supported: The
Prediction
(+1) Cybersecurity vendors will improve behavioral detection capabilities for encrypted malware delivery, AMSI bypass attempts, and dual-payload infections, making future campaigns easier to detect.
(-1) Cybercriminals are likely to expand this business model by combining credential theft, cryptomining, ransomware deployment, and AI-assisted phishing into a single modular malware platform, increasing both the scale and financial impact of future attacks.
▶️ Related Video (78% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




