Most of the security stories I write about start with a flaw in something you bought. This one starts with something a good employee does on an ordinary Tuesday: they go looking for a piece of software, they find a "free" copy, and they download it. No hacker had to break anything. They were invited in.
That's the uncomfortable heart of a campaign that security researchers at Palo Alto Networks' Unit 42 detailed on July 7. It doesn't exploit a bug in your firewall or your antivirus — it exploits a search result. And it's aimed squarely at small and mid-sized businesses like the ones we serve across Texas.
⚡ The 60-Second Version
>
- What: A financially motivated "malvertising" campaign — poisoned ads and web pages that push fake "free" or "cracked" versions of popular software. The download quietly installs the Vidar infostealer, which vacuums up your saved passwords, browser session cookies, and crypto wallets, plus a hidden Monero cryptominer that runs your computers hot to make the crooks money on the side. Unit 42 tied 99 separate loader samples to it, and it's hitting consumers and SMBs worldwide, especially in the U.S. and EU.
- Fix: There's no patch to install — this one is about policy and habits, not a version number. Ban unapproved software downloads, turn on multi-factor authentication everywhere, and stop letting browsers save passwords.
- By when: Now. When there's no vulnerability to fix, the only thing standing between your business and this is what your people do next.
How the trap actually works
The chain is depressingly simple, and that's what makes it effective.
Someone on your team needs a tool — a PDF editor, a design program, a utility they used at a previous job. Money's tight, so they search for a free or "cracked" copy. Thanks to malvertising — malicious ads and search-engine manipulation — the top result they click is a slick page impersonating that software. They download a file, and because it arrives inside a password-protected archive, it sails right past email filters and many antivirus scanners, which can't peek inside a locked file.
They open it, type the password the page gave them, and run the installer. Nothing looks wrong. But behind the scenes, a loader has just dropped two payloads: Vidar, which starts stealing, and XMRig, which starts mining.
Why an infostealer is worse than it sounds
"Password stealer" undersells it. In seconds, Vidar can harvest every password your browser has saved, your autofill and browsing data, and — the part that matters most — your active session cookies.
Session cookies are the little tokens that keep you logged in so you don't re-enter your password all day. If an attacker steals a live cookie for your email or your bank, they can sometimes walk straight into that account without a password and without triggering your MFA prompt, because as far as the service is concerned, they're already you. Those stolen credentials are exactly the raw material that fuels the next break-in — the same pattern we saw with the recent wave of leaked firewall logins. One "free download" on one laptop can hand a criminal the keys to your Microsoft 365, your accounting software, and your line of credit.
Meanwhile, XMRig sits in the background mining Monero cryptocurrency, burning your electricity and slowing your machines to line the attackers' pockets. Researchers call this "dual monetization" — they sell your passwords and rent out your CPU. You lose twice.
Why your antivirus might not catch it
This campaign was built specifically to slip past the automated defenses most businesses rely on. Unit 42 documented several tricks:
- Forged trust. The malware is signed with fake code-signing certificates impersonating real, legitimate companies, so it looks "verified" to Windows.
- Bloated files. The installers are padded with hundreds of megabytes of empty data — in one case up to roughly 491 MB — because many security sandboxes skip files that big to save time.
- Disabling the guards. It tampers with Windows' built-in scanning (a technique called an AMSI bypass) and disguises its own files to look like legitimate Windows Defender components.
- Digging in. It sets up multiple ways to survive a reboot — a registry startup key, a scheduled task, and a startup-folder script — so a simple restart won't clear it.
None of that requires a genius attacker — it's a rented, off-the-shelf toolkit. The sophistication is aimed at your tools; the entry point is aimed at your people.
What this means for your business
Here's what I'd do this week, in order:
- Make "no cracked or pirated software" a written rule. This is the single lure the whole campaign depends on. Say it plainly to your team, and explain why — one shortcut can compromise the whole company. It's not about being cheap; it's about not inviting a thief inside.
- Lock down who can install software. On a well-run network, ordinary users shouldn't be able to install whatever they download. Restricting installs to approved sources stops most of these infections cold.
- Turn on MFA everywhere — and use an app or hardware key, not text messages. Cookie theft can sometimes skip MFA, so pair it with the next two steps.
- Stop saving passwords in the browser. Move everyone to a real password manager. If a machine is ever suspected, assume every password stored in its browser is already gone and rotate them.
- Trust the "my computer is suddenly slow and hot" complaint. Fans roaring for no reason can be a cryptominer — treat an unexplained performance drop as a reason to investigate, not a reason to shrug.
How BVTech helps
If you're a BVTech managed client, most of this is already handled for you: we restrict who can install software, run endpoint protection that watches for this behavior rather than just known file names, enforce MFA, and monitor for your credentials showing up where they shouldn't. That's the whole point of managing it for you — so one bad click on one laptop doesn't become a company-wide emergency.
If you're not a client and you're not sure your team could resist a convincing "free download," that's worth a conversation. You can book a call, look over our cybersecurity services, or run your business through our free Security Scoreboard to see where you stand today.
The tools we buy will keep having flaws. But the front door this campaign uses is human, and that one we can actually close together.
— Jordan Polasek · Founder, BVTech LLC