A new cyber-attack targets consumers and small and medium businesses worldwide to both steal sensitive cryptocurrency data and mine Monero, a decentralized cryptocurrency focused on private, untraceable transactions.
The malicious campaign was first detected by Unit 42, the research arm of cybersecurity giant Palo Alto Networks, in April 2026.
Attackers first lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software including JustWatch GmbH, a legitimate German streaming guide service, and one that resembles the BleacherReport[.]com certificate.
JustWatch itself has not been compromised, noted the researchers in a report published on July 7.
These files are delivered via password-protected archives with a .bin extension in the filenames, a technique described by Unit 42 as a deliberate choice to bypass email gateway scanning and prevent automated sandbox detonation without the password.
The attackers also employed anti-analysis techniques such as process enumeration and an AMSI bypass where the AmsiScanBuffer function is patched to prevent detection by some types of security software.
The loader then drops and runs both the Vidar infostealer and the XMRig cryptocurrency miner.
Vidar siphons sensitive information from the victim’s environment, like browser credentials, cookies and crypto wallets. Meanwhile, XMRig mines Monero, utilizing the victim computer’s processor to solve complex mathematical problems to verify network transactions and secure the blockchain, an action rewarded with freshly minted Monero coins.
“The operator behind this campaign runs a dual-monetization scheme. Criminals sell credentials and session cookies stolen by Vidar stealer on criminal log markets, while XMRig provides passive income from hijacked victim CPU cycles,” explained the Unit 42 researchers.
Unit 42 found 99 samples of the loader, all showing evidence that the attackers used the Factory-v3 framework, a well-known malware-as-a-service (MaaS) builder used for different families of stealer malware.
This builder is assessed to be a separate upstream service used by at least two distinct known infostealer affiliates.
The researchers also discovered the attackers used Telegram for command-and-control (C2) communication. The tag ‘X3D MINER’ appeared in Telegram operator notifications sent for every new victim infection, a behavior that has been associated to a known threat group previously observed delivering XMRig and binding XMRig with other programs.


