Fake TradingView Premium Posts on Reddit Deliver Vidar and AMOS Stealers

A new malware campaign is targeting traders and crypto users by abusing trust in popular platforms. Threat actors are posting fake “premium access” offers for TradingView across Reddit, tricking users into downloading malware that installs information stealers on both Windows and macOS systems.

Researchers from Hexastrike uncovered the operation after investigating multiple credential theft incidents. The campaign distributes two well-known malware families: Vidar targeting Windows users and AMOS targeting macOS environments.

Social Engineering Over Technical Complexity

Instead of sophisticated exploits, attackers rely heavily on social engineering. Posts promise “free TradingView Premium” access and provide step-by-step installation instructions. These posts appear in small or hijacked subreddits and are published using aged or compromised accounts to build credibility.

The threat actor demonstrates operational discipline:

  • New domains replace blocked links quickly
  • Warning comments are removed within minutes
  • Posts appear consistently formatted, likely AI-generated
  • Separate downloads are offered for Windows and macOS

This structured approach keeps the campaign active even as individual posts are taken down.

Windows Infection Chain: Vidar Stealer

On Windows, victims download a large ZIP archive from compromised legitimate websites. The extracted executable is artificially inflated to more than 700MB using null-byte padding — a technique designed to evade antivirus scanning limits.

Hidden within the file:

  • A small self-extracting archive
  • An obfuscated batch script disguised as an image
  • Split malware fragments reconstructed at runtime

Once executed, the script rebuilds and launches the Vidar infostealer, which targets:

  • Browser credentials
  • Session cookies
  • Saved autofill data
  • Cryptocurrency wallet files
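As an added defensive example (not code from the Hexastrike report), the check below measures how much of a large file is trailing null-byte padding, the inflation trick described above, so that an inflated executable can be flagged before it is written off as too big to scan. The size and ratio thresholds and the sample payload are constructed assumptions for illustration.

```python
import os
import tempfile

_CHUNK = 1 << 20  # 1 MiB read window when walking the file backwards


def trailing_null_bytes(path: str, chunk: int = _CHUNK) -> int:
    """Count the run of 0x00 bytes at the end of the file without loading it whole."""
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            f.seek(pos)
            block = f.read(step)
            stripped = block.rstrip(b"\x00")
            run += len(block) - len(stripped)
            if stripped:  # reached a non-null byte, the padding run ends here
                break
    return run


def null_padding_ratio(path: str) -> float:
    """Fraction of the file that is trailing null padding (0.0 for an empty file)."""
    size = os.path.getsize(path)
    return trailing_null_bytes(path) / size if size else 0.0


def is_suspiciously_padded(path: str, min_size: int = 100 * 1024 * 1024,
                           min_ratio: float = 0.9) -> bool:
    """Flag files that are large mainly because of null padding.

    The 100 MiB / 90 % thresholds are assumed defaults, not values from the report.
    """
    return os.path.getsize(path) >= min_size and null_padding_ratio(path) >= min_ratio


def make_padded_sample(payload: bytes, total_size: int) -> str:
    """Write a constructed test file: a small payload followed by null padding.

    truncate() extends the file sparsely, so the padding reads back as zeros
    without writing hundreds of megabytes to disk.
    """
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.truncate(total_size)
    return path
```

On a real endpoint the same check can run over recent downloads above a size threshold, since a benign installer rarely consists almost entirely of zeros.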

macOS Infection Chain: AMOS Stealer

macOS users receive a disk image styled to resemble a legitimate TradingView installer. The mounted DMG includes branding designed to appear authentic and trustworthy.

Inside the image:

  • A compact Mach-O binary
  • Runtime decryption logic
  • Polymorphic payload execution

When launched, the binary decrypts and executes the AMOS stealer. The malware rapidly harvests data from major browsers including Chrome, Safari, Firefox, and Brave. It also targets cryptocurrency wallets such as Exodus, Electrum, and MetaMask before exfiltrating the data over HTTP.

Indicators of a Targeted Operation

The campaign’s infrastructure suggests deliberate targeting of traders and crypto users. Passwords for archives reference developer platforms like “github” and “codeberg,” designed to lower suspicion. Separate installers for different macOS versions show familiarity with Apple security controls.

Defensive Recommendations

Security teams and individuals should take immediate precautions:

  • Block identified download domains at DNS and proxy layers
  • Monitor for large ZIP downloads following Reddit browsing
  • Flag suspicious wextract.exe behavior on Windows
  • Watch for unsigned app execution on macOS
  • Treat any exposure as a full credential compromise

Anyone who downloaded the fake installers should assume credentials, browser sessions, and crypto wallet keys are already stolen.

This campaign highlights a persistent truth in cybersecurity: cracked or “free premium” software remains one of the most effective delivery mechanisms for malware.