Listen to this Post

Introduction:
The cybersecurity landscape witnessed a significant shift in April 2026 when Palo Alto Networks Unit 42 uncovered a financially motivated campaign that delivers both the Vidar information stealer and the XMRig cryptocurrency miner through a newly documented evasion framework. What makes this campaign particularly alarming is its use of a custom Go-based loader that inflates file sizes up to an unprecedented 491 MB, paired with rogue DLL sideloading mechanisms to successfully evade both sandbox environments and signature-based detection. This combination of evasion layers in a single framework, powered by the Factory-v3 malware-as-a-service (MaaS) builder, represents a significant evolution in affiliate-led distribution methods that now targets consumers and small-to-medium businesses worldwide.
Learning Objectives:
- Understand the technical mechanics of the Go-based loader and its file inflation techniques
- Learn how attackers abuse code-signing certificates and AMSI bypasses to evade detection
- Master detection and mitigation strategies, including IOCs, registry monitoring, and endpoint hardening
- Malvertising and Initial Access: The Fake Software Trap
The campaign begins with a sophisticated malvertising operation targeting victims searching for cracked or pirated versions of popular copyright-protected software. Attackers lure victims through malicious advertisements to convincing download pages that impersonate legitimate software distributors. The filenames used in this campaign mimic cracked versions of popular programs as well as generic installers, making them appear trustworthy to unsuspecting users.
The malware is delivered in password-protected archives with a `.bin` extension in the filenames. This is a deliberate technique to bypass email gateway scanning and prevent automated sandbox detonation without the password. Upon extraction and execution, the loader binary is signed with a forged certificate (subject CN=justwatch[.]com), creating a false sense of legitimacy. The attackers also embedded certificates impersonating BleacherReport, though neither company was actually compromised.
Step-by-step infection chain:
- Victim searches for cracked software via search engines
2. Malicious ad redirects to fake download page
3. Victim downloads password-protected `.bin` archive
- Archive extracted using password provided on download page
5. Loader binary executed (signed with fake certificate)
- Go-based loader deploys both Vidar stealer and XMRig miner
Windows Event Log Monitoring Command:
Get-WinEvent -LogName Security | Where-Object { $<em>.Id -eq 4688 -and $</em>.Message -match "Setup.exe|MicrosoftUpdate.exe|MicrosoftEdgeUpdate.exe" } | Format-List
2. Factory-v3 Framework: Unique Binaries Defeating Hash-Based Detection
All 43 initial loader samples discovered by Unit 42 contain embedded Go build metadata identifying the Factory-v3 framework. The builder’s internal name, “UpdateFactor,” is revealed in the programming database (PDB) strings: C:\Users\Administrator\Desktop\UpdateFactory\compiler\1.25.9\go\src\runtime\cgo.
The Factory-v3 builder generates a unique binary per build—researchers observed 27 unique build UUIDs across 43 samples, effectively defeating hash-based detection. The builder uses Go version 1.25.9, a custom pre-release of tools for the Go programming language. Anti-forensic measures are consistent across all samples:
– The PE TimeDateStamp is zeroed
– No PE version info is present
– DLL files lack proper metadata
Go Build Metadata Extraction (Linux/macOS):
Extract Go build information from ELF binaries readelf -p .go.buildinfo /path/to/suspicious_binary Alternative: Use strings to find Go version strings /path/to/suspicious_binary | grep -E "go[0-9]+.[0-9]+.[0-9]+"
Windows PowerShell Detection for Factory-v3 Artifacts:
Search for PDB paths indicating Factory-v3 Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "UpdateFactory|Factory-v3" | Format-List Check PE metadata for zeroed timestamps Get-AuthenticodeSignature -FilePath "C:\suspicious\loader.exe" | Format-List
3. File Inflation: The 491 MB Evasion Tactic
One of the most sophisticated evasion techniques observed in this campaign is file size inflation through the addition of null bytes. Several loader files exceeded 490 MB despite containing only approximately 2.3 MB of actual malicious code. This technique is specifically designed to bypass automated sandbox analysis, as many sandbox environments have file size limitations or timeouts that prevent analysis of extremely large files.
The inflation works by appending massive amounts of null bytes (0x00) to the end of the legitimate loader executable. When executed, the loader reads only the actual code section, ignoring the padded null bytes. However, when submitted to automated analysis platforms, the file exceeds size thresholds, causing the analysis to either fail or timeout before malicious behavior can be observed.
Detection Command (Linux):
Identify unusually large PE/ELF files in suspicious directories
find /path/to/scan -type f -size +100M -exec file {} \; | grep -E "PE32|ELF"
Check for files with large null byte padding
xxd /path/to/suspicious_file | tail -20
Windows PowerShell Detection:
Find executables over 100MB in suspicious locations
Get-ChildItem -Path C:\Users\Downloads, C:\Temp -Recurse -ErrorAction SilentlyContinue | Where-Object { $<em>.Length -gt 100MB -and ($</em>.Extension -match ".exe$|.dll$") } | Select-Object FullName, Length
Check for null byte padding (requires analyzing file headers)
Format-Hex -Path "C:\suspicious\large_loader.exe" -Count 256
4. AMSI Bypass and Process Enumeration
The malware employs advanced anti-analysis techniques, including an AMSI (Antimalware Scan Interface) bypass where the `AmsiScanBuffer` function is patched in memory to prevent detection by security software. This manipulation is achieved through an in-memory overwrite of critical functions, enabling the deployment of malicious payloads undetected.
Additionally, the loader performs process enumeration to detect analysis environments, checking for sandbox-related processes, debuggers, and virtual machine artifacts. If an analysis environment is detected, the malware may terminate execution or exhibit benign behavior to avoid detection.
AMSI Bypass Detection (PowerShell):
Monitor AMSI-related event IDs (if AMSI logging is enabled)
Get-WinEvent -LogName "Microsoft-Windows-Antimalware/Operational" | Where-Object { $<em>.Id -eq 1116 -or $</em>.Id -eq 1117 } | Select-Object TimeCreated, Message
Check for AmsiScanBuffer patching attempts in process memory (requires advanced tools)
Use Process Monitor to filter for writes to amsi.dll
Linux Process Enumeration Detection:
Monitor for suspicious process enumeration commands auditctl -a always,exit -S execve -k process_enum Check audit logs for enumeration of system info ausearch -k process_enum | grep -E "uname|lsmod|ps aux|cat /proc"
5. Rogue DLL Sideloading and Persistence Mechanisms
The campaign pairs the Go-based loader with a rogue DLL sideloading mechanism. DLL sideloading exploits the Windows DLL search order by placing a malicious DLL in the same directory as a legitimate executable, causing the legitimate application to load the malicious DLL instead of the intended one. This technique allows the malware to execute with the privileges of the legitimate application, often bypassing application whitelisting and other security controls.
Persistence is established through multiple mechanisms:
- Registry Run keys modifications
- Scheduled tasks creation
- Startup folder scripts
Common Persistence Locations:
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Scheduled Tasks: C:\Windows\System32\Tasks\ Startup Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Detection Commands (Windows):
Check registry run keys for suspicious entries
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object
List scheduled tasks created in the last 7 days
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, State, Date
Monitor startup folder for new files
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object Name, LastWriteTime
DLL Sideloading Detection:
Monitor for DLL loads from unusual locations (requires Sysmon)
Look for Event ID 7 (Image loaded) with ImageLoaded paths in suspicious directories
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} | Where-Object { $_.Message -match "Temp|Downloads|AppData" } | Format-List
6. Command-and-Control and Indicators of Compromise
The attackers use Telegram for command-and-control (C2) communication. The tag ‘X3D MINER’ appears in Telegram operator notifications sent for every new victim infection, a behavior previously associated with a known threat group delivering XMRig. The operator behind this campaign runs a dual-monetization scheme: criminals sell credentials and session cookies stolen by Vidar stealer on criminal log markets, while XMRig provides passive income from hijacked victim CPU cycles.
Identified C2 Server IPs:
– `116.203.243[.]208`
– `136.243.203[.]109`
– `136.243.203[.]111`
– `138.199.246[.]13`
Malware File Paths:
– `%TEMP%\MicrosoftUpdate.exe` (Vidar stealer)
– `%AppData%\Roaming\Microsoft\Windows\Temp\MicrosoftEdgeUpdate.exe` (XMRig launcher)
– `%AppData%\Roaming\Microsoft\Windows\Temp\NisSrv.exe` (Persistence copy)
Rogue Certificate Information:
- Subject: `CN=justwatch[.]com`
– Issuer: `CN=WR3` (rogue self-signed CA)
Network Blocking Commands (Windows Firewall):
Block known C2 IPs New-1etFirewallRule -DisplayName "Block Vidar C2 - 116.203.243.208" -Direction Outbound -RemoteAddress "116.203.243.208" -Action Block New-1etFirewallRule -DisplayName "Block Vidar C2 - 136.243.203.109" -Direction Outbound -RemoteAddress "136.243.203.109" -Action Block New-1etFirewallRule -DisplayName "Block Vidar C2 - 136.243.203.111" -Direction Outbound -RemoteAddress "136.243.203.111" -Action Block New-1etFirewallRule -DisplayName "Block Vidar C2 - 138.199.246.13" -Direction Outbound -RemoteAddress "138.199.246.13" -Action Block
Linux IPtables Blocking:
iptables -A OUTPUT -d 116.203.243.208 -j DROP iptables -A OUTPUT -d 136.243.203.109 -j DROP iptables -A OUTPUT -d 136.243.203.111 -j DROP iptables -A OUTPUT -d 138.199.246.13 -j DROP
7. Detection and Mitigation Strategies
Organizations must adopt a layered defense approach to protect against this evolving threat.
Endpoint Protection Configuration:
- Configure security tools to inspect large files (over 100 MB) rather than skipping them
- Validate code-signing certificates—reject executables with untrusted or self-signed certificates
- Monitor for suspicious persistence techniques such as Registry Run keys and scheduled tasks
Network Controls:
- Block or restrict downloads of unauthorized and cracked software through web filtering
- Implement acceptable-use policies prohibiting installation of pirated software
- Monitor outbound connections to known C2 infrastructure
Advanced Detection (YARA Rule Snippet):
rule Vidar_XMRig_Go_Loader {
meta:
description = "Detects Vidar stealer and XMRig miner Go-based loader"
author = "Security Team"
date = "2026-07-10"
strings:
$go_build = "go1.25.9" ascii
$factory = "UpdateFactory" ascii
$pdb_path = "UpdateFactory\compiler" ascii
$justwatch = "justwatch.com" ascii
$x3d = "X3D MINER" ascii
condition:
uint16(0) == 0x5A4D and ($go_build or $factory or $pdb_path or $justwatch or $x3d)
}
What Undercode Say:
- Key Takeaway 1: The combination of file inflation (up to 491 MB) with Go-based loaders and Factory-v3’s unique binary generation represents a significant evolution in evasion techniques that effectively defeats traditional signature-based and sandbox-based detection.
-
Key Takeaway 2: The dual-monetization model—credential theft via Vidar combined with cryptojacking via XMRig—maximizes attacker profit per compromised endpoint and demonstrates how modern cybercrime operations have evolved beyond single-purpose malware.
Analysis:
This campaign represents a paradigm shift in how financially motivated threat actors operate. By combining multiple evasion techniques—file inflation, rogue code-signing, AMSI bypass, DLL sideloading, and MaaS-generated unique binaries—the attackers have created a highly resilient infection chain that challenges traditional security controls. The use of the Factory-v3 framework suggests a mature malware-as-a-service ecosystem where affiliates can easily deploy sophisticated campaigns without developing their own tools. The targeting of consumers and SMBs through cracked software downloads is particularly concerning, as these victims often lack the security resources to detect or respond to such advanced threats. Organizations must recognize that traditional security measures are no longer sufficient—layered detection, continuous monitoring, and user education are essential to defend against this evolving threat landscape.
Prediction:
- +1 The increased visibility of this campaign through Unit 42’s research will drive rapid development of detection signatures and defensive countermeasures, potentially forcing threat actors to evolve their techniques or abandon this specific campaign.
-
-1 The success of the Factory-v3 framework and dual-monetization model will likely inspire copycat campaigns and increased adoption of similar evasion techniques by other MaaS affiliates, expanding the threat landscape.
-
-1 As threat actors refine file inflation and AMSI bypass techniques, traditional endpoint protection solutions will become increasingly ineffective, necessitating significant investments in next-generation detection and response capabilities.
-
+1 The exposure of C2 infrastructure and IOCs will enable organizations to proactively block and hunt for this specific threat, potentially disrupting the operators’ revenue streams in the short term.
-
-1 The use of Telegram for C2 communication highlights the growing trend of threat actors leveraging legitimate services for malicious purposes, making takedown efforts more challenging for law enforcement and security researchers.
▶️ Related Video (72% Match):
https://www.youtube.com/watch?v=1y9Donp3_M4
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: We Uncovered – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


