A massive Vidar stealer campaign was uncovered in April 2026, distributing data theft and cryptocurrency mining tools primarily targeting consumers and small-to-medium businesses (SMBs) in the U.S. and EU. Attackers deploy oversized files and fake certificates via malvertising, misleading users searching for cracked software. The Factory-v3 loader is instrumental in dropping the Vidar stealer and XMRig miner, which steal sensitive data and hijack processing power.
Key infection strategies involve file size inflation, use of fake certificates to bypass security measures, and altering system buffers to evade detection. Commands and stolen data are exfiltrated to remote servers, and specific defense strategies include enforcing strict validation of digital certificates and monitoring for unusual binary executions.