Fake Pirated Software Ads Are Draining Passwords and Hijacking Computers to Mine Crypto

A campaign uncovered by Palo Alto Networks researchers is tricking people into downloading malware disguised as cracked software, stealing saved passwords while quietly running up victims' electricity bills.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Palo Alto Networks' Unit 42 researchers discovered the campaign in April 2025 and published their findings on 7 July 2025.
  • The malware drops two payloads: Vidar, which steals saved browser passwords and crypto wallet files, and XMRig, which secretly uses the victim's computer to generate Monero cryptocurrency for the criminals.
  • Researchers observed 43 separate malware samples carrying 27 unique internal identifiers, a trick that makes standard antivirus detection unreliable.
  • The campaign primarily targets consumers and small to mid-size businesses in the United States and Europe.
  • Unit 42 published a list of indicators of compromise, meaning specific file signatures and server addresses, that defenders can use to check for infection.

Someone searching for free, unlicensed software clicks an online advert. The ad looks ordinary. It takes them to a page offering what appears to be a cracked installer for paid software. They download a password-protected archive file and enter the password shown on the page.

At that point, two pieces of malware quietly install themselves.

This is the attack Palo Alto Networks' Unit 42 threat researchers Bharath Nannaka and Pranay Kumar Chhaparwal documented earlier this month, first reported by Dark Reading. The campaign uses malvertising, which means criminals pay for real online advertising slots to deliver malicious downloads, to reach victims at scale.

How does the malware actually make money for the criminals?

Two ways, running at the same time.

The first payload is Vidar, an infostealer, meaning software designed to quietly copy data off your device. Vidar pulls saved passwords, browser cookies (the small files that keep you logged into websites), browsing history, autofill data, and cryptocurrency wallet files. Criminals then sell that haul on underground markets.

The second payload is XMRig, an open-source cryptominer. A cryptominer uses your processor, the chip that runs your computer, to solve complex calculations that generate cryptocurrency for whoever controls it. Victims typically notice their computer running slowly or their electricity bill creeping up. The criminals collect Monero, a privacy-focused cryptocurrency, without spending a penny on hardware.

The password on the downloaded archive is deliberate. It stops automated security scanners from opening and inspecting the file before a human does.

The malware loader, the small program that installs both payloads, is built on a framework called Factory-v3 and generates a slightly different version of itself for each victim. Unit 42 found 43 samples carrying 27 distinct internal build identifiers. That variety defeats detection tools that rely on recognising a known file fingerprint.

The loader is also padded with meaningless data to push its file size toward 500 megabytes. Many automated analysis tools skip files above a certain size, and most small businesses never adjust that threshold. It also carries a fake code-signing certificate, a digital stamp that looks like official approval, bearing the name of JustWatch, a legitimate streaming-guide service.

Once installed, the malware adds itself to the Windows Registry's Run keys and creates scheduled tasks so it restarts automatically every time the computer reboots.

What affected users should do. If you or someone at your organisation recently downloaded software from an unofficial source, run a full scan with updated antivirus software. Change passwords for any accounts whose credentials were stored in your browser, and enable two-factor authentication (a second login step, usually a code sent to your phone) wherever possible. Unit 42 recommends blocking outbound connections to the mining pool address pool.supportxmr[.]com at the network level. Their full list of file hashes, server addresses, and file paths is available in the published report.

© 2026 Threat Vectr