
A Vidar stealer campaign was uncovered in April 2026, distributing data‑stealing and cryptocurrency‑mining malware to consumers and small‑to‑medium businesses across the United States and Europe, according to research published by securityonline.info. The attackers use malvertising to lure victims seeking cracked software, delivering a Factory‑v3 loader that drops both the Vidar infostealer and the XMRig Monero miner.
Technical analysis from Palo Alto Networks Unit 42 shows the campaign relies on oversized files, fake digital certificates and password‑protected archives to bypass traditional defences (Unit 42 report). Vidar harvests credentials, browser data and cryptocurrency wallets while XMRig hijacks CPU cycles to mine Monero for the attackers.
Infection chains begin with malicious advertisements that redirect users to hostile sites hosting the poisoned payloads (Dark Reading). The malware employs anti‑analysis tactics such as altering system buffers and inflating file size to evade size‑based scanners, and communicates with operator‑controlled servers over Telegram.
Activity was observed between early July and mid‑July 2026, primarily affecting users in the US and EU regions (InfoSecurity Magazine). No specific threat actor has been attributed, but the operation displays a clear financial motive through a dual‑monetisation model that sells stolen data and earns passive income from mining.
The incident highlights how malvertising remains a low‑cost, high‑impact vector for compromising organisations that lack the mature defences of larger enterprises. It also underscores the growing trend of coupling information stealers with cryptominers to maximise profit from a single compromise.
Defenders should enforce strict validation of digital certificates and block downloads from domains with poor reputation or unusual file characteristics. Monitoring for unusually large executables, unexpected CPU spikes and processes that access credential stores or inject into browsers can help detect the presence of Vidar or XMRig activity.
Keeping browsers and plug‑ins up to date, deploying ad‑filtering technologies or secure web gateways to stop malicious ads, and educating users about the dangers of pirated software are essential preventive measures. Endpoint protection solutions should be configured to scan inside password‑protected archives where possible, and security teams should review logs for connections to known Vidar command‑and‑control infrastructure.