Fake TradingView Premium Posts on Reddit Deliver Vidar and AMOS Stealers
Key Takeaways
- A persistent threat actor is leveraging Reddit with fake “TradingView Premium” posts to distribute information-stealing malware.
- The campaign targets both Windows users with the Vidar stealer and macOS users with the AMOS stealer.
- The attackers employ sophisticated operational tactics, including rapidly changing infrastructure, using aged Reddit accounts, and employing anti-analysis techniques.
- Victims risk compromise of browser credentials, session cookies, and cryptocurrency wallet keys.
Cybersecurity researchers have uncovered an active campaign on Reddit that exploits users’ desire for free premium software, specifically targeting those seeking a complimentary subscription to TradingView. This operation is designed to deliver two distinct information-stealing malware families: Vidar for Windows systems and AMOS for macOS. The threat actor demonstrates significant operational discipline, continuously refreshing their tactics as older posts are flagged and removed, ensuring the malware distribution persists.
TradingView is a popular charting platform among retail traders, cryptocurrency investors, and forex enthusiasts, offering advanced features and real-time market data through its Premium subscription. The high cost of this subscription creates a fertile ground for threat actors to lure users with promises of illicit free access.
The attackers capitalize on this demand by posting detailed, step-by-step instructions across various subreddits, some of which appear to be hijacked, while others were likely created for this specific purpose. These instructions guide unsuspecting victims through the entire infection process, meticulously designed to avoid immediate suspicion.
Operational Sophistication
Analysts at Hexastrike traced these infections back to Reddit during investigations into recent stealer compromises. Their findings reveal a single threat actor operating across at least five subreddits, utilizing aged, purchased, or compromised accounts to establish a veneer of credibility.
The campaign’s effectiveness stems not from technical complexity, but from its robust operational discipline. Researchers noted several key characteristics:
- Hosting domains are rapidly rotated the moment they are identified and flagged.
- Warning comments from legitimate users are swiftly deleted within minutes of being posted.
- The language used in the posts appears to be generated by a large language model (LLM), maintaining a consistent and professional tone across the campaign.
Evidence of this strategic account usage includes subreddits like r/BitBullito and r/CryptoCurrencyDM, which had only two and 29 subscribers, respectively. Yet, the accounts posting within them were three to six years old, lending false legitimacy. For instance, the account u/BroadDepartment573, despite possessing a “Four Year Club” Reddit trophy, had only a single post in its entire history, a clear indicator of its likely misuse for this campaign.
Each malicious post adheres to a consistent template, falsely claiming that the software has been reverse-engineered with all license checks removed, promising “premium access unlocked forever.” The posts also offer separate download links specifically tailored for Windows, macOS, and macOS 15. This level of platform targeting indicates the actor’s awareness of Apple’s Gatekeeper restrictions in macOS Sequoia, demonstrating an understanding of platform-specific security measures.
The Infection Mechanism
The malware payloads are hosted on compromised legitimate business websites, further enhancing the perceived trustworthiness of the download links.
Windows Infection Chain
For Windows users, the downloaded executable is significantly bloated to over 784 megabytes. This is achieved by padding its PE resource section with null bytes, a technique designed to exceed the typical scan limits of many antivirus solutions, allowing the malicious code to evade detection.
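The null-byte padding described above is cheap to spot once a file is actually read: a section that is almost entirely zeros is unlike any legitimate resource section, and flagging such files before they reach a scanner with a size cap closes the gap the padding exploits. The following is an added example written for this article, not a tool from Hexastrike or any vendor; it parses the PE section table with the standard library only and constructs a small in-memory sample (two sections, the second all nulls) because a 784-megabyte file is impractical to embed. The size and null-ratio thresholds are assumptions to tune for your environment.

```python
import struct


def parse_sections(data: bytes):
    """Walk the PE headers and return (name, raw_offset, raw_size) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def null_ratio(data: bytes, offset: int, size: int) -> float:
    """Fraction of bytes in the given raw range that are 0x00."""
    chunk = data[offset:offset + size]
    return chunk.count(0) / len(chunk) if chunk else 0.0


def padding_report(data: bytes, min_file_size: int, min_null_ratio: float = 0.95):
    """Return (section, raw_size, null_ratio) for sections that are mostly nulls.

    Only files at or above min_file_size are examined, since the technique only
    pays off for the attacker when the file exceeds a scanner's size limit.
    """
    if len(data) < min_file_size:
        return []
    findings = []
    for name, off, size in parse_sections(data):
        ratio = null_ratio(data, off, size)
        if size > 0 and ratio >= min_null_ratio:
            findings.append((name, size, round(ratio, 3)))
    return findings


def build_sample_pe(text_bytes: bytes, rsrc_size: int) -> bytes:
    """Construct a minimal, non-executable PE layout for testing (constructed sample, not real malware)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, size_opt = 2, 0
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * num_sections
    text_off = headers_len
    rsrc_off = text_off + len(text_bytes)

    def sec(name, off, size):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, off, 0, 0, 0, 0, 0x40000040)

    hdr = dos + b"PE\0\0" + coff + sec(b".text", text_off, len(text_bytes)) + sec(b".rsrc", rsrc_off, rsrc_size)
    assert len(hdr) == headers_len
    return hdr + text_bytes + b"\0" * rsrc_size


if __name__ == "__main__":
    # Scaled-down stand-in for the padded sample: 1 KiB of code, 64 KiB of null-byte "resources".
    sample = build_sample_pe(bytes(range(256)) * 4, 64 * 1024)
    print(padding_report(sample, min_file_size=32 * 1024))
```

In production the same check runs against files on disk with `min_file_size` set just below the scan cap of the AV product in use; a legitimately large installer carries compressed resources with near-random bytes, so a section that is 95 percent or more zeros is a strong, low-noise signal. The `pefile` package can replace the hand-rolled parser if it is already available.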
Hidden beneath this padding is a compact 44-kilobyte self-extracting cabinet. This archive drops a batch script named “Receipt.gif.” Despite its image file extension, this is a 235-line obfuscated script. It reassembles a Vidar infostealer from fragmented files using character substitution, a method intended to bypass signature-based antivirus detection. The password for this archive—either “github” or “codeberg”—is explicitly provided in the Reddit thread itself, chosen to evoke legitimate developer platforms and reduce user suspicion.
macOS Infection Chain
On macOS, the downloaded file is a disk image (.dmg). When mounted, it presents a TradingView-branded background, mimicking a genuine software installer. Inside the disk image is a concise 217-kilobyte Mach-O binary. This binary decrypts an AMOS stealer at runtime through a polymorphic XOR loop, making it harder for static analysis tools to identify.
Upon execution, the AMOS stealer rapidly harvests sensitive information. This includes credentials and cookies from popular web browsers such as Chrome, Firefox, Safari, Brave, Edge, and Opera. It also targets cryptocurrency wallet files from applications like Exodus, Electrum, and MetaMask. All exfiltrated data is then transmitted over HTTP within seconds.
What You Should Do
- Block Malicious Domains: Add any identified distribution domains to your organization’s web proxy and DNS blocklists immediately.
- Monitor Network Traffic: Implement monitoring for unusual patterns, such as Reddit browsing sessions quickly followed by large ZIP downloads from unrelated or suspicious domains.
- Enhance Endpoint Detection:
  - On Windows: Configure your endpoint detection and response (EDR) solutions to flag instances where wextract.exe spawns cmd.exe with delayed variable expansion.
  - On macOS: Monitor for unsigned applications making calls to osascript or performing unexpected dscl authonly credential validation attempts.
- Assume Compromise if Exposed: If there is any doubt about potential exposure, treat it as a confirmed compromise. All browser passwords, session cookies, and cryptocurrency wallet keys should be considered stolen. Promptly change all compromised passwords and migrate cryptocurrency holdings to new, secure wallets.
- Educate Users: Reinforce the dangers of downloading cracked or pirated software. Emphasize that such practices are consistently exploited by threat actors to distribute malware.
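The network and endpoint recommendations above translate directly into rules. The block below is an added example, not detection content from the article or from Hexastrike: it runs the "Reddit session followed by a large archive download from an unfamiliar host" correlation over a constructed proxy log, and the two process-creation rules (wextract.exe spawning cmd.exe with delayed expansion; an unsigned parent invoking osascript or `dscl . -authonly`) over constructed process events. Hostnames under `.test`, file paths, the ten-minute window and the 50 MB size floor are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# --- Rule 1: Reddit browsing followed by a large archive download from an unknown host ---

# Constructed proxy log (not from the article): "timestamp client_ip method url status bytes".
SAMPLE_PROXY_LOG = """\
2025-06-01T10:00:01 10.0.0.5 GET https://www.reddit.com/r/CryptoCurrencyDM/comments/x1/tradingview_premium 200 18432
2025-06-01T10:01:30 10.0.0.5 GET https://compromised-shop.test/files/TradingView_Premium.zip 200 823000000
2025-06-01T10:02:00 10.0.0.7 GET https://www.reddit.com/r/python 200 20000
2025-06-01T11:30:00 10.0.0.7 GET https://updates.vendor.test/patch.zip 200 50000000
2025-06-01T12:00:00 10.0.0.9 GET https://www.reddit.com/r/sysadmin 200 15000
2025-06-01T12:00:45 10.0.0.9 GET https://i.redd.it/picture.png 200 300000
"""

ARCHIVE_EXTENSIONS = (".zip", ".dmg", ".exe", ".rar", ".7z")


def parse_proxy_log(text):
    """Parse the constructed log format into dicts with a datetime, client IP, URL and byte count."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, url, _status, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "url": url, "bytes": int(size)})
    return events


def reddit_then_download(events, window=timedelta(minutes=10), min_bytes=50_000_000, known_hosts=frozenset()):
    """Per client: flag an archive download from a non-allowlisted host within `window` of a reddit.com request."""
    last_reddit = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        parsed = urlparse(e["url"])
        host = (parsed.hostname or "").lower()
        if host == "reddit.com" or host.endswith(".reddit.com"):
            last_reddit[e["ip"]] = e["ts"]
            continue
        if not parsed.path.lower().endswith(ARCHIVE_EXTENSIONS) or e["bytes"] < min_bytes or host in known_hosts:
            continue
        seen = last_reddit.get(e["ip"])
        if seen is not None and e["ts"] - seen <= window:
            alerts.append((e["ip"], host, e["bytes"]))
    return alerts


# --- Rule 2: process-creation telemetry for the Windows and macOS chains ---

# Constructed process events (not from the article). "parent_signed" is the parent's code-signature status.
SAMPLE_PROCESS_EVENTS = [
    {"os": "windows", "parent": r"C:\Windows\System32\wextract.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /V:ON /C "C:\Users\victim\AppData\Local\Temp\extracted\Receipt.gif"', "parent_signed": True},
    {"os": "windows", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C dir", "parent_signed": True},
    {"os": "macos", "parent": "/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView",
     "image": "/usr/bin/osascript", "cmdline": "osascript -e 'tell application \"Finder\" to activate'", "parent_signed": False},
    {"os": "macos", "parent": "/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView",
     "image": "/usr/bin/dscl", "cmdline": "dscl . -authonly victim PLACEHOLDER_PASSWORD", "parent_signed": False},
    {"os": "macos", "parent": "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "image": "/usr/bin/osascript", "cmdline": "osascript /tmp/test.scpt", "parent_signed": True},
]

# Delayed expansion is enabled either on the cmd.exe command line (/V:ON) or inside the batch file.
DELAYED_EXPANSION = re.compile(r"/v:on|enabledelayedexpansion", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_process_event(event):
    """Return the name of the first matching rule for one process-creation event, else None."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if event["os"] == "windows" and parent == "wextract.exe" and image == "cmd.exe" and DELAYED_EXPANSION.search(cmd):
        return "wextract_spawns_cmd_with_delayed_expansion"
    if event["os"] == "macos" and not event["parent_signed"]:
        if image == "osascript":
            return "unsigned_app_calls_osascript"
        if image == "dscl" and "-authonly" in cmd:
            return "unsigned_app_dscl_authonly"
    return None


def evaluate_process_events(events):
    """Return (rule_name, parent_basename) for every event that matches a rule."""
    hits = []
    for e in events:
        rule = match_process_event(e)
        if rule:
            hits.append((rule, basename(e["parent"])))
    return hits


if __name__ == "__main__":
    print(reddit_then_download(parse_proxy_log(SAMPLE_PROXY_LOG)))
    print(evaluate_process_events(SAMPLE_PROCESS_EVENTS))
```

The `known_hosts` allowlist is what keeps the network rule quiet: a patch server that regularly serves large archives is excluded once, while a newly seen host delivering hundreds of megabytes right after a Reddit visit is exactly the pattern the campaign produces. On the endpoint side, the batch script may enable delayed expansion with `setlocal EnableDelayedExpansion` rather than `/V:ON`, so the rule should also consume script contents where the EDR exposes them.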
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.