
Cybercriminals are swapping phishing emails for viral “hack” tutorials on TikTok and Instagram to trick users into installing malware that steals passwords, personal data, and crypto wallets, according to new research from ReversingLabs.
The campaigns dangle free upgrades or activations for popular software and services — including Spotify Premium, Windows, Microsoft Office, and Adobe tools — then funnel viewers to secondary sites hosting malicious downloads.
ReversingLabs threat intel researcher Zaria Vuksan said attackers mass-produce short, polished videos with professional voice-overs and clean graphics, often using handles and imagery mimicking official brands, such as “windows.tips” or “window.insight.”
Unlocking premium features
Some posts gathered more than 100,000 views, boosting their chances of appearing in user feeds. Viewers are instructed to paste commands into Windows PowerShell to “unlock” premium features — a step that delivers the Vidar infostealer payload.
A second tactic leans on engagement bait: creators flaunt supposedly unlocked premium features in casual, music-backed clips and wait for comments asking how to replicate the trick. After building trust and traction, they reply with instructions or links to malicious sites.
Researchers said takedown attempts were sometimes rejected and that platforms’ moderation tools can hinder community warnings, since creators can delete critical comments and block users.
Malwarebytes, summarising the ReversingLabs findings, said Vidar silently exfiltrates:
- Browser data: saved passwords, cookies, autofill, and some 2FA data
- System info: device and installed software details
- App credentials: usernames and passwords for installed services
- Crypto wallets: private keys and wallet data
First observed in 2018, Vidar is built to steal information and send it to attacker-controlled servers. To avoid these scams, researchers advise never running PowerShell/Terminal commands from untrusted sources; treating social media “tips” — even from official-looking accounts — with scepticism; using only official channels for subscriptions and downloads; and maintaining real-time, up-to-date anti-malware protection.