2026-07-08 · view entry permalink →
Unit 42: Factory-v3 loader-builder abuses fraudulent code-signing and 491 MB file inflation to smuggle Vidar and XMRig past sandboxes
Unit 42 documented a financially motivated malvertising campaign, active since April 2026, distributing Vidar stealer and the XMRig cryptominer via loaders built with "Factory-v3", a malware-as-a-service Go loader-builder (Unit 42, 2026-07-07). Victims are lured to password-protected archives masquerading as cracked software; the Go loaders (43 samples, 27 unique build UUIDs — defeating hash-based detection) are signed with fraudulent Authenticode certificates impersonating real companies (JustWatch GmbH, later BleacherReport) (T1553.002), strip PE metadata, and DLL-sideload via a fake MpClient.dll export that hijacks Windows Defender's DLL search order to execute as NisSrv.exe from AppData (T1574.002). Before dropping the payload the loader patches AMSI in memory — resolving AmsiScanBuffer and overwriting its first six bytes to force an E_INVALIDARG return (T1562.001). The standout evasion is "file inflation": appending hundreds of megabytes of null bytes to push loader size to as high as 491 MB, exceeding the 50–100 MB detonation limits of many automated sandboxes. Persistence uses Run keys, scheduled tasks and startup-folder scripts, and each victim is fingerprinted via an 8-character HWID; the operator monitors yield through a Telegram channel branded "X3D MINER". Defender takeaway: with US/EU victim concentration and a builder that regenerates a unique binary per build, signature/hash detection is a dead end here — the durable hooks are the evasion mechanics themselves: file-inflation size/section heuristics, Authenticode signer-vs-product mismatch policy, Defender-binary DLL-sideload anomalies, and in-memory AMSI-patch telemetry.
Loaders in Clusters A and C append hundreds of megabytes of null bytes after the last PE section, pushing the total file size to as high as 491 MB
The builder generates a unique binary per build. For example, we observed 27 unique build UUIDs across 43 samples, defeating hash-based detection