Fake TradingView Premium Posts on Reddit Deliver Vidar and AMOS Stealers

Jennifer Sherman
April 7, 2026

Key Takeaways

  • A persistent threat actor is leveraging Reddit with fake “TradingView Premium” posts to distribute information-stealing malware.
  • The campaign targets both Windows users with the Vidar stealer and macOS users with the AMOS stealer.
  • The attackers employ sophisticated operational tactics, including rapidly changing infrastructure, using aged Reddit accounts, and employing anti-analysis techniques.
  • Victims risk compromise of browser credentials, session cookies, and cryptocurrency wallet keys.

Cybersecurity researchers have uncovered an active campaign on Reddit that exploits users’ desire for free premium software, specifically targeting those seeking a complimentary subscription to TradingView. This operation is designed to deliver two distinct information-stealing malware families: Vidar for Windows systems and AMOS for macOS. The threat actor demonstrates significant operational discipline, continuously refreshing their tactics as older posts are flagged and removed, ensuring the malware distribution persists.

TradingView is a popular charting platform among retail traders, cryptocurrency investors, and forex enthusiasts, offering advanced features and real-time market data through its Premium subscription. The high cost of this subscription creates a fertile ground for threat actors to lure users with promises of illicit free access.

The attackers capitalize on this demand by posting detailed, step-by-step instructions across various subreddits, some of which appear to be hijacked, while others were likely created for this specific purpose. These instructions guide unsuspecting victims through the entire infection process, meticulously designed to avoid immediate suspicion.

Operational Sophistication

Analysts at Hexastrike traced these infections back to Reddit during investigations into recent stealer compromises. Their findings reveal a single threat actor operating across at least five subreddits, utilizing aged, purchased, or compromised accounts to establish a veneer of credibility.

The campaign’s effectiveness stems not from technical complexity, but from its robust operational discipline. Researchers noted several key characteristics:

  • Hosting domains are rapidly rotated the moment they are identified and flagged.
  • Warning comments from legitimate users are swiftly deleted within minutes of being posted.
  • The language used in the posts appears to be generated by a large language model (LLM), maintaining a consistent and professional tone across the campaign.

Evidence of this strategic account usage includes subreddits like r/BitBullito and r/CryptoCurrencyDM, which had only two and 29 subscribers, respectively. Yet, the accounts posting within them were three to six years old, lending false legitimacy. For instance, the account u/BroadDepartment573, despite possessing a “Four Year Club” Reddit trophy, had only a single post in its entire history, a clear indicator of its likely misuse for this campaign.

Each malicious post adheres to a consistent template, falsely claiming that the software has been reverse-engineered with all license checks removed, promising “premium access unlocked forever.” The posts also offer separate download links specifically tailored for Windows, macOS, and macOS 15. This level of platform targeting indicates the actor’s awareness of Apple’s Gatekeeper restrictions in macOS Sequoia, demonstrating an understanding of platform-specific security measures.

The Infection Mechanism

The malware payloads are hosted on compromised legitimate business websites, further enhancing the perceived trustworthiness of the download links.

Windows Infection Chain

For Windows users, the downloaded executable is significantly bloated to over 784 megabytes. This is achieved by padding its PE resource section with null bytes, a technique designed to exceed the typical scan limits of many antivirus solutions, allowing the malicious code to evade detection.

Hidden beneath this padding is a compact 44-kilobyte self-extracting cabinet. This archive drops a batch script named “Receipt.gif.” Despite its image file extension, this is a 235-line obfuscated script. It reassembles a Vidar infostealer from fragmented files using character substitution, a method intended to bypass signature-based antivirus detection. The password for this archive—either “github” or “codeberg”—is explicitly provided in the Reddit thread itself, chosen to evoke legitimate developer platforms and reduce user suspicion.

macOS Infection Chain

On macOS, the downloaded file is a disk image (.dmg). When mounted, it presents a TradingView-branded background, mimicking a genuine software installer. Inside the disk image is a concise 217-kilobyte Mach-O binary. This binary decrypts an AMOS stealer at runtime through a polymorphic XOR loop, making it harder for static analysis tools to identify.

Upon execution, the AMOS stealer rapidly harvests sensitive information. This includes credentials and cookies from popular web browsers such as Chrome, Firefox, Safari, Brave, Edge, and Opera. It also targets cryptocurrency wallet files from applications like Exodus, Electrum, and MetaMask. All exfiltrated data is then transmitted over HTTP within seconds.

What You Should Do

  • Block Malicious Domains: Add any identified distribution domains to your organization’s web proxy and DNS blocklists immediately.
  • Monitor Network Traffic: Implement monitoring for unusual patterns, such as Reddit browsing sessions quickly followed by large ZIP downloads from unrelated or suspicious domains.
  • Enhance Endpoint Detection:
    • On Windows: Configure your endpoint detection and response (EDR) solutions to flag instances where wextract.exe spawns cmd.exe with delayed variable expansion.
    • On macOS: Monitor for unsigned applications making calls to osascript or performing unexpected dscl authonly credential validation attempts.
  • Assume Compromise if Exposed: If there is any doubt about potential exposure, treat it as a confirmed compromise. All browser passwords, session cookies, and cryptocurrency wallet keys should be considered stolen. Promptly change all compromised passwords and migrate cryptocurrency holdings to new, secure wallets.
  • Educate Users: Reinforce the dangers of downloading cracked or pirated software. Emphasize that such practices are consistently exploited by threat actors to distribute malware.
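The two endpoint rules above, turned into detection logic that runs over process-creation events. This is an added example, not code from the article or from Hexastrike; the event fields (host_os, parent_image, image, cmdline, parent_signed) and the sample events are constructed for illustration, and the delayed-expansion check looks for the cmd.exe /V or /V:ON switch.

```python
import json

# Constructed sample process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host_os": "windows", "parent_image": r"C:\Windows\System32\wextract.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /V:ON /c "Receipt.gif"'},
    {"host_os": "windows", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host_os": "macos", "parent_image": "/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView",
     "image": "/usr/bin/osascript", "cmdline": 'osascript -e \'display dialog "x"\'', "parent_signed": False},
    {"host_os": "macos", "parent_image": "/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView",
     "image": "/usr/bin/dscl", "cmdline": "dscl . -authonly user", "parent_signed": False},
    {"host_os": "macos", "parent_image": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "image": "/usr/bin/osascript", "cmdline": "osascript /tmp/x.scpt", "parent_signed": True},
])

def basename(path):
    # Normalise Windows and POSIX paths to a lower-case file name.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def windows_rule(ev):
    # wextract.exe (the self-extracting cabinet stub) spawning cmd.exe with
    # delayed variable expansion enabled (/V or /V:ON on the command line).
    if basename(ev["parent_image"]) != "wextract.exe" or basename(ev["image"]) != "cmd.exe":
        return None
    if any(a in ("/v", "/v:on") for a in ev["cmdline"].lower().split()):
        return "wextract.exe spawned cmd.exe with delayed variable expansion"
    return None

def macos_rule(ev):
    # An unsigned parent application invoking osascript, or attempting
    # credential validation through dscl authonly.
    if ev.get("parent_signed", True):
        return None
    child = basename(ev["image"])
    if child == "osascript":
        return "unsigned application invoked osascript"
    if child == "dscl" and "authonly" in ev["cmdline"].lower():
        return "unsigned application attempted dscl authonly credential validation"
    return None

def scan(jsonl):
    # Apply the OS-specific rule to each event; return (parent, child, reason) hits.
    alerts = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        hit = (windows_rule if ev["host_os"] == "windows" else macos_rule)(ev)
        if hit:
            alerts.append((basename(ev["parent_image"]), basename(ev["image"]), hit))
    return alerts
```

Running scan(SAMPLE_EVENTS) flags the wextract.exe launch and the two unsigned-parent macOS events, and ignores the benign explorer.exe and Finder cases.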
