Fake Free Spotify Premium Videos on TikTok and Instagram Are Spreading Vidar Infostealer
Hackers are using fake free Spotify Premium tutorials on TikTok and Instagram Reels to trick Windows users into installing malware. The campaign uses short videos that look like simple tech tips, but the instructions can lead to Vidar infostealer infections, according to ReversingLabs.
The videos promise free Spotify Premium, free Windows activation, Microsoft Office access, CapCut Pro, YouTube Premium, and other paid tools. Instead of unlocking those services, some clips push users toward PowerShell commands or suspicious download pages. Malwarebytes also warned that these social media posts are part of a wider move away from traditional phishing emails.
The main risk is simple: users are not just clicking a bad link. They are being persuaded to run commands on their own PCs. That gives attackers a better chance of bypassing normal suspicion, especially when the video looks polished and appears next to legitimate tutorials.
How the fake Spotify Premium scam works
The campaign uses two main tactics. In one version, fake Windows-themed accounts post professional-looking tutorials with names that resemble support pages. ReversingLabs researchers found examples using names such as windows.tips and windows.insights, along with Windows-like branding and search tags.
These videos tell viewers to open PowerShell and paste a command that appears to unlock Spotify Premium or another paid product. In reality, the command can download and run malware. Malwarebytes described the technique as similar to ClickFix scams, where victims are socially engineered into executing malicious code themselves.
A second version uses regular-looking social media accounts that post clips showing alleged free access to paid apps. The goal is to drive comments, replies, and shares. Once enough users show interest, the account redirects them to a separate tutorial, profile link, or download page.
What Vidar infostealer can steal
Vidar is a known infostealer that targets sensitive data stored on a Windows device. Trend Micro previously documented TikTok campaigns that used similar PowerShell instructions to deliver Vidar and StealC infostealers.
Once installed, Vidar can collect data that attackers can use for account theft, identity theft, financial fraud, or follow-up attacks. The risk is especially high when browser cookies or session tokens are stolen because attackers may be able to access accounts without needing the password again.
| Data targeted | Why it matters |
| --- | --- |
| Saved browser passwords | Attackers can use them to log in to email, social media, banking, and work accounts. |
| Browser cookies | Stolen cookies can help attackers hijack active sessions. |
| Autofill data | Names, addresses, phone numbers, and payment details may be exposed. |
| Cryptocurrency wallets | Wallet files and keys can lead to direct financial loss. |
| Two-factor authentication data | Some stolen data can weaken account protections that users rely on. |
Why these TikTok and Instagram attacks spread quickly
The videos work because they blend into normal social media feeds. They use short instructions, clean graphics, and familiar keywords. A viewer searching for a Windows tip or free Spotify Premium trick may see the malicious tutorial next to harmless content.
Engagement also helps the scam spread. Some videos ask users to comment, save, or share, which can push the post to more people. Trend Micro reported that one TikTok video in a similar campaign reached nearly 500,000 views, showing how quickly these attacks can scale.
Attackers can also remove warning comments or abandon accounts after a post gets reported. Even when one video disappears, another account can post a similar tutorial with a new domain, a new voiceover, or a slightly different offer.
Windows Defender exclusions can make cleanup harder
Some related attack chains add folders or files to Microsoft Defender exclusions. That matters because exclusions can stop Microsoft Defender Antivirus from scanning specific files, folders, or processes. Microsoft explains how these settings work in its guide to Microsoft Defender Antivirus exclusions.
This can create a second problem after the first infection. A user may delete the visible malware but leave behind security exclusions that make later attacks harder to detect. Microsoft says that in many cases organizations should not need to define exclusions, and admins should carefully review any that are set through Microsoft Defender Antivirus settings.
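One way to review leftover exclusions after a suspected infection, as an added example that is not from the article or the researchers it cites. `Get-MpPreference` and `Remove-MpPreference` are the Defender module's own cmdlets; the function name `Get-DefenderExclusionReport`, its parameter, and the rules for what gets marked for review are assumptions made for this example.

```powershell
# Added example: list Microsoft Defender Antivirus exclusions and mark the ones
# that deserve a manual look. Run elevated; otherwise the lists are hidden.
function Get-DefenderExclusionReport {
    param(
        # Assumption: user-writable locations are where a dropped payload
        # is most likely to live. Adjust the list for your environment.
        [string[]]$UserWritableRoots = @($env:USERPROFILE, $env:ProgramData, $env:PUBLIC)
    )

    # Assumption: excluding these file types from scanning is rarely justified.
    $riskyExtensions = 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr'
    $roots = $UserWritableRoots | Where-Object { $_ }

    $pref = Get-MpPreference
    $lists = [ordered]@{
        Path      = $pref.ExclusionPath
        Extension = $pref.ExclusionExtension
        Process   = $pref.ExclusionProcess
    }

    foreach ($type in $lists.Keys) {
        foreach ($value in @($lists[$type])) {
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            if ($value -like 'N/A*') {
                Write-Warning "Exclusions of type $type are hidden; rerun elevated."
                continue
            }
            $expanded = [Environment]::ExpandEnvironmentVariables($value)
            $reason = ''
            if ($type -eq 'Extension' -and $riskyExtensions -contains $expanded.TrimStart('.').ToLower()) {
                $reason = 'executable or script file type'
            }
            elseif ($expanded -match '^[A-Za-z]:\\?$') {
                $reason = 'entire drive excluded'
            }
            elseif ($roots | Where-Object { $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
                $reason = 'user-writable location'
            }
            [pscustomobject]@{ Type = $type; Value = $value; Review = $reason }
        }
    }
}

Get-DefenderExclusionReport | Format-Table -AutoSize
# After confirming an entry is unwanted, remove it, for example:
#   Remove-MpPreference -ExclusionPath '<path shown in the report>'
```

An empty `Review` column does not mean an entry is legitimate; any exclusion nobody remembers adding should be questioned.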
For home users, the lesson is clear. Do not run PowerShell, Command Prompt, Windows Run, or Terminal commands from a TikTok video, Instagram Reel, YouTube Short, Discord message, or unknown website unless you fully understand what the command does.
How to stay safe from fake free Spotify Premium malware
Users should treat any “free premium” or “software activation” video as suspicious, especially when it asks them to paste code. Paid services do not become free because of a one-line command in PowerShell.
- Download apps only from official vendor websites or trusted app stores.
- Do not install cracked, patched, or unofficial versions of paid software.
- Do not paste commands from social media posts into PowerShell or Windows Run.
- Check downloaded files before opening them.
- Look for suspicious pressure tactics, including countdown timers, fake user counters, and comment-to-unlock instructions.
- Keep Windows Security, browsers, and other software updated.
- Run a full security scan if you already followed one of these tutorials.
Businesses should also update security training. Employees may understand email phishing but still trust short social media videos, especially when they appear to offer a quick fix for Windows, Office, or productivity software.
The safest response is to ignore these tutorials, report the account, and use official software channels. Free Spotify Premium hacks, Windows activation tricks, and Microsoft Office cracks are now common bait for malware campaigns that can steal far more than one app login.
FAQ
Yes. Security researchers have found TikTok and Instagram Reels videos that promise free Spotify Premium or other paid software but redirect users to malicious commands or suspicious download pages.
Researchers confirmed Vidar infostealer in one PowerShell-based campaign. Similar TikTok campaigns have also delivered StealC, another infostealer.
Vidar can steal saved browser passwords, cookies, autofill data, cryptocurrency wallet information, two-factor authentication data, and other sensitive information from infected Windows devices.
Short videos can reach large audiences quickly. Attackers use polished tutorials, comments, shares, and saves to make malicious posts look legitimate and spread through recommendation feeds.
Users should avoid cracked software, download apps only from official sources, and never paste commands from social media videos into PowerShell, Windows Run, Command Prompt, or Terminal.