Vidar Infostealer Spread Through Fake TikTok and Instagram Software Tutorials
Attackers are using TikTok and Instagram Reels to distribute Vidar infostealer through polished short videos that impersonate trusted brands and promise free access to premium software such as Spotify Premium and Microsoft Word. Reporting citing ReversingLabs says the clips use tutorial-style content, AI-generated voiceovers, and engagement bait to persuade users either to visit malicious download pages or to paste terminal and PowerShell commands that silently retrieve and run the malware.
The campaign replaces traditional phishing emails with social media-driven social engineering and benefits from recommendation algorithms and weak moderation, with one tracked video reportedly surpassing 109,000 views. Vidar, a malware-as-a-service infostealer, can steal passwords, banking data, browser cookies, credentials, and session tokens, while researchers said attacker accounts were able to evade reporting, delete warning comments, and block users who raised concerns. Defenders were urged to treat social platforms as an active malware delivery channel, restrict software installation rights, and train users not to execute untrusted commands from online videos.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ReversingLabs publishes IOCs for Vidar social-media campaigns
ReversingLabs published indicators of compromise to help defenders detect activity tied to the Vidar infostealer campaigns spread through TikTok and Instagram Reels. The IOCs accompanied its reporting on the fake software tutorial and promotional-video lures used in the operation.
ReversingLabs documents social-media Vidar delivery campaign
ReversingLabs documented malware campaigns on TikTok and Instagram Reels that used fake free-software tutorial videos and promotional clips to trick users into downloading or executing Vidar infostealer payloads. The lures impersonated trusted brands and directed victims either to malicious download pages or to run terminal or PowerShell commands that fetched the malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer
cybersecuritynews.com
Open sourceFake Spotify Premium tutorials on TikTok and Instagram Reels spread malware - Help Net Security
helpnetsecurity.com
Open sourceScammers use short videos on social media to spread Vidar infostealer | brief | SC Media
scworld.com
Open sourceHackers Abuse TikTok and Instagram Reels to Spread Malware via Fake Free Software Tutorials
cybersecuritynews.com
Open sourceinstagram.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vidar Infostealer Uses JPEG/TXT Payload Hiding and Fake Software Lures
Researchers reported that updated **Vidar** infostealer campaigns are using steganography, fileless execution, and social-engineering lures to evade detection and steal corporate and consumer data. Point Wild and Intrinsec found infections delivered through fake GitHub repositories, compromised WordPress sites showing **ClickFix**-style fake CAPTCHA prompts, gaming cheat posts on Reddit and Discord, and bogus software promoted in YouTube videos and hosted on services such as Mediafire. In one chain, a fake tool named **NeoHub** dropped a malicious DLL disguised as a Microsoft Edge component and signed with counterfeit certificates impersonating GitHub and grow.com. The malware uses VBScript, obfuscated PowerShell, a Go-based loader, and trusted Windows binaries including `WScript`, `PowerShell`, and `RegAsm.exe` to fetch apparently harmless JPEG and TXT files that contain hidden Base64-encoded second-stage payloads, then reconstructs and executes them entirely in memory through .NET reflective loading. Researchers said Vidar now operates as a **Malware-as-a-Service** offering, uses Telegram and Dead Drop Resolver techniques via public Steam profiles to locate command-and-control infrastructure, and exfiltrates credentials, cookies, payment data, cryptocurrency wallet files, and information from more than 200 browser extensions, often through Telegram and Cloudflare-fronted domains to mask attacker activity.
May 11, 2026
ClickFix Social Engineering Attacks Using TikTok Videos to Deliver Information-Stealing Malware
Threat actors have begun exploiting TikTok as a platform to distribute information-stealing malware through a new social engineering technique known as ClickFix. Attackers create TikTok videos that masquerade as tutorials for obtaining free software licenses, such as Adobe Photoshop or Microsoft Windows, enticing users with the promise of bypassing legitimate licensing requirements. These videos instruct viewers to execute specific commands in PowerShell with administrative privileges, a step that ultimately leads to the download and execution of malicious payloads. Security consultant Xavier Mertens, writing for the SANS Internet Storm Center, identified several live TikTok videos promoting these scams, some of which had garnered significant engagement from users. The primary malware delivered in these campaigns is AuroStealer, also referred to as Aura Stealer, a Trojan designed to exfiltrate credentials, system information, and potentially data from browser extensions and two-factor authentication tools. The ClickFix technique is particularly insidious because it circumvents traditional anti-phishing defenses by convincing users to take direct, risky actions on their own systems. ZDNET’s investigation revealed a surprising number of active scam videos on TikTok, with attackers frequently updating their content to evade detection. The social engineering aspect of ClickFix relies on the perceived legitimacy and popularity of TikTok influencers, making the scam more convincing to unsuspecting users. Once the PowerShell command is executed, the victim’s system downloads 'Updater.exe,' which is the malicious payload, and may also execute additional shellcode in memory to further compromise the device. The impact of these attacks can be severe, as AuroStealer is capable of harvesting sensitive information from a wide range of applications and browsers, potentially leading to account takeovers and further compromise. Security experts warn that the use of mainstream social media platforms like TikTok for malware distribution represents an evolution in threat actor tactics, leveraging the trust and reach of these networks. The attacks highlight the need for increased user awareness and skepticism regarding software activation guides and similar content on social media. Organizations are advised to educate employees about the risks of following unsolicited technical instructions from unverified online sources. The incident underscores the importance of monitoring emerging social engineering trends and adapting security controls to address new delivery vectors. Both references emphasize the role of TikTok as a delivery mechanism and the sophistication of the ClickFix technique in bypassing conventional security measures. The campaign demonstrates how attackers are constantly seeking new communication channels to reach potential victims and distribute malware effectively. Security professionals recommend implementing technical controls to restrict the execution of unauthorized scripts and monitoring for suspicious PowerShell activity. The ongoing prevalence of these scams on TikTok suggests that threat actors will continue to exploit popular social platforms for malicious purposes unless proactive measures are taken.
Mar 21, 2026
ClickFix Social Engineering Attacks Spread Infostealers via TikTok and Other Channels
Cybercriminals are increasingly leveraging ClickFix-style social engineering attacks to distribute information-stealing malware, with a notable surge in campaigns utilizing popular platforms such as TikTok. In these attacks, threat actors create videos or web pages that purport to offer legitimate activation guides or fixes for widely used software, including Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The core technique involves tricking users into copying and pasting malicious PowerShell commands or scripts into their systems, often under the guise of resolving software issues or unlocking premium features. Once executed, these commands connect to attacker-controlled infrastructure to download and run additional payloads, such as the Aura Stealer malware, which is designed to harvest browser credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data. The attacks are highly effective due to their use of legitimate-looking lures, such as fake CAPTCHAs, embedded instructional videos, and professional web design, which lower user suspicion and bypass traditional security awareness training that focuses on phishing links and suspicious downloads. Security researchers have linked these tactics to both financially motivated cybercriminal groups, such as Interlock ransomware, and state-sponsored advanced persistent threats (APTs). Recent public breaches at organizations like Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been attributed to ClickFix-style techniques, though the full extent of their impact is likely underreported. The attacks are further amplified by the viral nature of social media platforms, where malicious videos can quickly reach large audiences. Technical analysis reveals that the malicious scripts often use JavaScript to automate clipboard actions, making the attack seamless for the victim. Once the initial payload is executed, additional malware may be downloaded to establish persistence or exfiltrate data. Security experts warn that user education must evolve to address these new attack vectors, emphasizing the dangers of running copied commands and the importance of verifying the source of any technical instructions. Organizations are advised to implement technical controls to block suspicious script execution and to monitor for signs of credential theft and unauthorized access. The growing prevalence of ClickFix attacks highlights the need for a multi-layered defense strategy that combines user awareness, endpoint protection, and proactive threat intelligence.
Mar 21, 2026