Hackers Spread Vidar Infostealer via Fake Free Spotify
Cybercriminals are now actively exploiting popular social media platforms, including TikTok and Instagram, transforming them into potent malware distribution channels. They are deploying a deceptive campaign that promises
Short-form video platforms like TikTok and Instagram Reels have become the latest tools in a cybercriminal’s playbook, with attackers posting polished tutorial videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office.
Instead of the freebies they are after, viewers end up with a dangerous infostealer quietly running on their Windows devices. The shift marks a clear evolution in how attackers choose to reach their targets.
Cybercriminals have moved far beyond traditional phishing emails. Today, they are crafting content that looks and feels like everyday social media, blending in seamlessly with legitimate tech tips and tutorials.
The videos are so well-produced that many viewers do not suspect anything is wrong until the damage is already done. This approach lets attackers reach millions of people through the very platforms those people trust most.
Researchers at ReversingLabs uncovered two active campaigns using these short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites.
Analysts at Malwarebytes said in a report shared with Cyber Security News (CSN) that similar campaigns have been flagged by other researchers and national cybersecurity agencies, pointing to a growing trend.
Cybercriminals are learning to exploit social media algorithms just as effectively as professional marketers, amplifying the reach of these attacks at almost no cost.
The malware at the center of these campaigns is Vidar, a well-known infostealer built to quietly siphon sensitive data from infected devices.
Once it lands on a machine, Vidar goes to work collecting saved browser passwords, autofill data, browser cookies, cryptocurrency wallet details, two-factor authentication data, and even TOR browser data.
Everything harvested is then sent back to servers controlled by the attackers, giving them a detailed key to the victim’s entire digital life.
Hackers Use Free Spotify Premium Hacks
The first campaign is deceptively polished. Accounts using names like “windows.tips” or “windows.insights” post videos designed to look like genuine tech support content, complete with Windows-style branding and professional editing.
The videos are tagged with Windows and Office-related keywords so they appear right alongside legitimate troubleshooting videos in search results and recommendation feeds.
Viewers are walked through step-by-step instructions that include opening PowerShell, a legitimate Windows administrative tool, and pasting in a set of commands.
Figure 1: Example of a fake Windows tutorial video used to deliver the Vidar infostealer (Image courtesy of ReversingLabs)
Those commands then silently download and execute the Vidar infostealer in the background, with the user none the wiser.
The technique closely mirrors what researchers have called ClickFix attacks, where users are socially engineered into running malicious code themselves, bypassing most traditional security defenses.
Vidar’s Evasion Tricks and Security Risks
Once Vidar is on a device, it does not just steal data and leave. Research into similar TikTok-based attack chains shows that the malicious scripts commonly add exclusions to Windows Defender, effectively blinding the built-in security tool to future threats.
This means even after the initial infection is cleaned up, the device can remain exposed to follow-on attacks.
The stolen information represents a serious risk beyond just one account or one platform. Browser cookies can be used to hijack active sessions without needing a password, and cryptocurrency wallet data can lead to direct financial loss.
Two-factor authentication data in the wrong hands can defeat even accounts that appear to be securely protected.
Security experts recommend downloading software only from official vendor websites and treating any “free” or cracked version of a paid product with real skepticism.
Users should avoid following instructions on unfamiliar web pages, especially those asking them to run commands or paste code, as many of these pages use countdown timers or fake user counters to push people into acting fast.
Checking that downloaded files match what was expected, verifying a file’s digital signature before running it, and keeping a real-time anti-malware solution active are all practical steps that can stop an infostealer before it ever runs.
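As an added illustration of the defensive checks this section and the earlier Defender-exclusion point describe (my example, not code from the article or from ReversingLabs or Malwarebytes), the PowerShell audit below lists current Defender exclusions, pulls recent Defender configuration-change events (ID 5007), scans the local PowerShell command history for pasted commands of the kind the videos prompt, and verifies an installer's Authenticode signature. It assumes Windows 10/11 with Microsoft Defender and PSReadLine in an elevated session; the installer path is a placeholder.

```powershell
# Added example, not from the article. Assumes Windows 10/11, Microsoft Defender,
# PSReadLine, and an elevated PowerShell session.

# 1. Exclusions currently configured in Defender. On a personal machine any
#    entry here deserves scrutiny; the scripts described add them to blind Defender.
$prefs = Get-MpPreference
[PSCustomObject]@{
    ExcludedPaths      = @($prefs.ExclusionPath)
    ExcludedProcesses  = @($prefs.ExclusionProcess)
    ExcludedExtensions = @($prefs.ExclusionExtension)
} | Format-List

# 2. Event ID 5007 in the Defender operational log records configuration changes,
#    including new exclusions, with a timestamp to compare against when a video was followed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. PSReadLine keeps a per-user history of interactive commands. Pasted one-liners
#    that download-and-run code or add exclusions show up here after the fact.
$historyPath = (Get-PSReadLineOption).HistorySavePath
if (Test-Path $historyPath) {
    Get-Content $historyPath |
        Select-String -Pattern 'Add-MpPreference|ExclusionPath|Invoke-Expression|\biex\b|DownloadString|FromBase64String' |
        ForEach-Object { "History line $($_.LineNumber): $($_.Line)" }
}

# 4. Check a downloaded installer's signature before running it. Only 'Valid'
#    is acceptable; 'NotSigned', 'HashMismatch' or 'UnknownError' means do not run.
function Test-DownloadedInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        File      = $Path
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SafeToRun = ($sig.Status -eq 'Valid')
    }
}
# Placeholder path: replace with the file you actually downloaded.
Test-DownloadedInstaller -Path 'C:\Users\Public\Downloads\placeholder-installer.exe'
```

Run it after cleaning an infection as well: an exclusion left behind (step 1) is exactly what lets follow-on attacks slip past Defender.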