ctipilot.ch

Factory-v3

tool · tool:factory-v3-loader-builder single-source

Malware-as-a-service Go loader-builder documented by Palo Alto Unit 42 (2026-07-07) delivering Vidar stealer and XMRig via fraudulent Authenticode code-signing, fake MpClient.dll DLL-sideloading against Defender, in-memory AMSI patching and 'file inflation' (null-padding to ~491 MB) sandbox evasion; operator tracked via a Telegram channel branded 'X3D MINER'.

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-08Unit 42: Factory-v3 loader-builder abuses fraudulent code-signing and 491 MB file inflation to smuggle Vidar and XMRig past sandboxes
    active-threatsUnit 42: Factory-v3 loaders use fake Authenticode signing and 491 MB file inflation to evade sandboxes

Where this entity is cited

  • active-threats1

Source distribution

  • unit42.paloaltonetworks.com1 (100%)

Entries about Factory-v3 (1)

2026-07-08 · view entry permalink →

NOTABLE

Unit 42: Factory-v3 loader-builder abuses fraudulent code-signing and 491 MB file inflation to smuggle Vidar and XMRig past sandboxes

Unit 42 documented a financially motivated malvertising campaign, active since April 2026, distributing Vidar stealer and the XMRig cryptominer via loaders built with "Factory-v3", a malware-as-a-service Go loader-builder (Unit 42, 2026-07-07). Victims are lured to password-protected archives masquerading as cracked software; the Go loaders (43 samples, 27 unique build UUIDs — defeating hash-based detection) are signed with fraudulent Authenticode certificates impersonating real companies (JustWatch GmbH, later BleacherReport) (T1553.002), strip PE metadata, and DLL-sideload via a fake MpClient.dll export that hijacks Windows Defender's DLL search order to execute as NisSrv.exe from AppData (T1574.002). Before dropping the payload the loader patches AMSI in memory — resolving AmsiScanBuffer and overwriting its first six bytes to force an E_INVALIDARG return (T1562.001). The standout evasion is "file inflation": appending hundreds of megabytes of null bytes to push loader size to as high as 491 MB, exceeding the 50–100 MB detonation limits of many automated sandboxes. Persistence uses Run keys, scheduled tasks and startup-folder scripts, and each victim is fingerprinted via an 8-character HWID; the operator monitors yield through a Telegram channel branded "X3D MINER". Defender takeaway: with US/EU victim concentration and a builder that regenerates a unique binary per build, signature/hash detection is a dead end here — the durable hooks are the evasion mechanics themselves: file-inflation size/section heuristics, Authenticode signer-vs-product mismatch policy, Defender-binary DLL-sideload anomalies, and in-memory AMSI-patch telemetry.

Loaders in Clusters A and C append hundreds of megabytes of null bytes after the last PE section, pushing the total file size to as high as 491 MB

The builder generates a unique binary per build. For example, we observed 27 unique build UUIDs across 43 samples, defeating hash-based detection

Palo Alto Networks Unit 42 2026-07-07
threat08 Jul 20:35Zsingle-sourceOpen finding ↗