Back to Intelligence

X3D MINER & Rare Werewolf: Vidar Stealer, XMRig, and AnyDesk Campaigns — OTX Pulse Analysis

SA
Security Arsenal Team
July 9, 2026
5 min read

Recent OTX pulses highlight a convergence of financially motivated malware and targeted espionage. The X3D MINER actor is actively distributing the Vidar Stealer alongside the XMRig cryptocurrency miner through malvertising campaigns that abuse code signing certificates. Simultaneously, the Rare Werewolf threat group is conducting precision spear-phishing attacks against Russian aerospace entities, leveraging AnyDesk for persistence and living-off-the-land binaries. A third campaign involves the subversion of Meta's Business Account Manager service to deliver phishing lures, exfiltrating credentials via Telegram.

Threat Actor / Malware Profile

X3D MINER

  • Objective: Financial gain via credential theft and cryptojacking.
  • Malware: Vidar Stealer (info stealer), XMRig (Monero miner).
  • Distribution: Malvertising leading to password-protected archives.
  • Techniques: Go-compiled loaders (Factory-v3), AMSI bypass, code signing abuse (mimicking legitimate certificates).

Rare Werewolf

  • Objective: Espionage/Surveillance.
  • Target: Russian Aerospace/Aviation.
  • Malware: AnyDesk (abused legitimate RAT).
  • Techniques: Spear-phishing (invoice-themed), scheduled task persistence, SMTP exfiltration, LotL binaries.

Unknown (Meta Phishing)

  • Objective: Credential Harvesting (Business Accounts).
  • Vector: Abuse of Meta Business Manager partner mechanism.
  • Techniques: URL embedding in business names, Facebook Messenger chatbots, Telegram exfiltration.

IOC Analysis

The provided indicators encompass a wide range of artifacts suitable for immediate blocking and hunting:

  • File Hashes (MD5/SHA1/SHA256): Numerous samples of the Go loaders, Vidar payloads, and XMRig binaries. These should be loaded into EDR quarantine lists and scanned for historical presence.
  • Network Infrastructure (IPv4):
    • 136.243.203.109 (Germany, Hetzner) - Associated with X3D MINER C2.
    • 194.87.57.81, 109.106.178.14 - Associated with Rare Werewolf infrastructure.
    • Action: Block at perimeter firewalls and monitor internal egress traffic for connections.
  • Domains/URLs:
    • aussiecleaningservices.com, api.goautolink.com, https://sw.run/Verification - Phishing landing pages and C2.
    • Action: Block via DNS sinkhole and web proxy.

Detection Engineering

YAML
---
title: Persistence via Scheduled Task - Remote Access Tool
id: 89b2d7f8-1c3e-4a5f-9b6d-7c8e9f0a1b2c
description: Detects creation of scheduled tasks that launch remote access tools like AnyDesk, a technique used by the Rare Werewolf group.
status: experimental
author: Security Arsenal
date: 2026/07/09
references:
    - https://otx.alienvault.com/pulse/6603d91f677f757f2fe41e73/
tags:
    - attack.persistence
    - attack.s0111
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: \schtasks.exe
        CommandLine|contains: '/create'
    filter_legit:
        SubjectUserName:
            - 'SYSTEM'
            - 'ADMINISTRATOR'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative automation
level: high
---
title: Suspicious Execution via Password-Protected Archives
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects processes spawned from archiving tools like WinRAR or 7-Zip, a common delivery vector for Vidar Stealer and XMRig.
status: experimental
author: Security Arsenal
date: 2026/07/09
references:
    - https://otx.alienvault.com/pulse/6603d91f677f757f2fe41e73/
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WinRAR.exe'
            - '\7zFM.exe'
            - '\7zG.exe'
    selection_child:
        Image|endswith:
            - '.exe'
            - '.bat'
            - '.ps1'
    filter_legit:
        Image:
            - 'C:\Windows\System32\cmd.exe'
            - 'C:\Windows\System32\powershell.exe'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Users manually installing software from archives
level: medium
---
title: Potential Telegram C2 Communication
id: f1e2d3c4-b5a6-7b8c-9d0e-1f2a3b4c5d6e
description: Detects processes connecting to Telegram API endpoints, often used for data exfiltration by phishers abusing Meta Business Manager.
status: experimental
author: Security Arsenal
date: 2026/07/09
references:
    - https://otx.alienvault.com/pulse/6603d91f677f757f2fe41e73/
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'api.telegram.org'
        Initiated: 'true'
    filter_legit_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: selection and not filter_legit_browsers
falsepositives:
    - Legitimate use of Telegram desktop client or webhooks
level: high


kql
// Hunt for X3D MINER and Rare Werewolf Indicators
// Network connections to known C2 infrastructure
DeviceNetworkEvents
| where RemoteIP in ("136.243.203.109", "194.87.57.81", "109.106.178.14")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc

// Hunt for Vidar/XMRig process execution patterns
DeviceProcessEvents
| where FileName in ("xmrig.exe", "AnyDesk.exe") or 
   SHA256 in ("03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7", "0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0")
| project Timestamp, DeviceName, AccountName, FileName, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc


powershell
# IOC Hunt Script for Vidar, XMRig, and Rare Werewolf
# Checks for file hashes, scheduled tasks, and network connections

$TargetHashes = @(
    "03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7",
    "6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5",
    "b830f043076a12748b6a2dc0810ece85439ee77434d991ae7d84201b09ead756",
    "68ced9d7c1b1ff8ffb5f56c7d3f849d4fd16a1b95324426811424b40043d6d25",
    "0dc0fa727f900ed5033f46f8ba6cf2d97d20ab95fd334cabc0f216da6e0622b0",
    "12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33",
    "47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4",
    "f57e010541fb4ccbf23aefc4a827f753a6ff3f8792d9c04c3eea83f6963c6bae"
)

$TargetIPs = @("136.243.203.109", "194.87.57.81", "109.106.178.14")
$SuspiciousProcesses = @("AnyDesk.exe", "xmrig.exe", "mshta.exe")

Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Cyan
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 0kb -and $_.Extension -in @(".exe", ".dll", ".ps1") } | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $hash" -ForegroundColor Red
        }
    }

Write-Host "`nChecking for suspicious network connections..." -ForegroundColor Cyan
Get-NetTCPConnection -ErrorAction SilentlyContinue | 
    Where-Object { 
        $TargetIPs -contains $_.RemoteAddress -and 
        $_.State -eq "Established" 
    } | 
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] SUSPICIOUS CONNECTION: RemoteIP=$($_.RemoteAddress) | Process=$($proc.ProcessName) (PID=$($_.OwningProcess))" -ForegroundColor Red
    }

Write-Host "`nChecking for AnyDesk or XMRig processes..." -ForegroundColor Cyan
Get-Process | Where-Object { $SuspiciousProcesses -contains $_.ProcessName } | 
    ForEach-Object {
        Write-Host "[!] SUSPICIOUS PROCESS RUNNING: $($_.ProcessName) (PID=$($_.Id))" -ForegroundColor Yellow
    }

Write-Host "`nHunt complete." -ForegroundColor Green


# Response Priorities

**Immediate (0-24h):**
*   **Block IOCs:** Immediately block all listed IPv4 addresses, domains (`aussiecleaningservices.com`, `api.goautolink.com`), and URLs at the firewall and proxy level.
*   **Hunt for Execution:** Run the provided PowerShell script across endpoints to detect presence of Vidar/XMRig file hashes or active AnyDesk sessions not authorized by IT.
*   **Suspend Suspicious Accounts:** If logs indicate interaction with the Meta phishing URLs, reset credentials for affected business accounts.

**Within 24 Hours:**
*   **Credential Audit:** Conduct a review of accounts that may have been compromised by Vidar (stealer) or the Meta campaign. Enforce MFA resets.
*   **Scheduled Task Review:** Audit Windows Scheduled Tasks on critical servers (especially aerospace-facing if applicable) for unauthorized entries launching unknown binaries or AnyDesk.

**Within 1 Week:**
*   **Architecture Hardening:** Implement strict code signing policies to prevent execution of the unsigned/rogue-signed Go loaders used by X3D MINER.
*   **Email Filtering:** Update secure email gateways to flag emails originating from Meta Business Manager that contain URLs in the display name or body, bypassing standard DKIM/SPF checks.
*   **Application Control:** Block the execution of unauthorized archiving tools (like WinRAR) from untrusted locations or restrict their ability to spawn child processes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptvidar-stealerxmrigrare-werewolfanydeskmeta-phishing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.