Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation


In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide.

Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and XMRig. Vidar stealer targets information like browser credentials, cookies and crypto wallets. XMRig mines Monero cryptocurrency.

Read more…
Source:  Palo Alto Unit 42


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Informant told FBI that Jeffrey Epstein had a ‘personal hacker’

    January 30, 2026

    A confidential informant told the FBI in 2017 that Jeffrey Epstein had a “personal hacker,” according to a document released by the Department of Justice on Friday. The document, which was released as part of the Justice Department’s legally required effort to publish documents related to its investigation into the late sex offender, does not identify ...

  • North Korean Labyrinth Chollima is morphing into three separate entities

    January 30, 2026

    One of the largest and most successful North Korean state-sponsored threat actors has split into three separate entities, each with their own tactics, malware tools, targets, and goals, experts have warned. In a recent in-depth analysis, researchers from CrowdStrike expalined the move is a strategic evolution to make Labyrinth Chollima cyberattacks more efficient, and that the ...

  • Match, Hinge, OkCupid, and Panera Bread breached by ransomware group

    January 30, 2026

    The ShinyHunters ransomware group has claimed the theft of data containing 10 million records belonging to the Match Group and 14 million records from bakery-café chain Panera Bread. The Match Group, that runs multiple popular online dating services like Tinder, Match.com, Meetic, OkCupid, and Hinge has confirmed a cyber incident and is investigating the data breach. ...

  • Marquis confirms data breach, point finger of blame at SonicWall firewall

    January 30, 2026

    Marquis, a US fintech company building software for banks and credit unions, has confirmed suffering a ransomware attack and losing sensitive customer data, but shifted the blame onto its firewall provider, SonicWall. In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unnamed threat actors brute-forced their way into the company’s MySonicWall ...

  • Ivanti patched two critical zero-day vulnerabilities in EPMM

    January 30, 2026

    Ivanti has patched two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product that are already being exploited, continuing a grim run of January security incidents for enterprise IT vendors. In January 2025, tens of thousands were urged to patch a Fortinet zero-day, while Ivanti customers were doing the same. There has been little change ...

  • Supply chain attack on eScan antivirus: detecting and remediating malicious updates

    January 29, 2026

    On January 20, a supply chain attack has occurred, with the infected software being the eScan antivirus developed by an Indian company MicroWorld Technologies. The previously unknown malware was distributed through the eScan update server. The same day, our security solutions detected and prevented cyberattacks involving this malware. On January 21, having been informed by Morphisec, ...