Fake Software Tutorials on Social Media Spread Vidar Infostealer Malware
Severity: High (Score: 67.5)
Sources: Infosecurity-Magazine, Feeds2.Feedburner, Cybersecuritynews, Scworld
Keywords: vidar, infostealer, tiktok, scammers, short, videos, spread
Severity indicators: stealer, infostealer
Summary
Cybercriminals are using TikTok and Instagram Reels to distribute the Vidar infostealer malware through fake software tutorials. These videos promise free access to premium applications like Spotify Premium and Microsoft Word, misleading users into executing terminal commands that download malware. Two campaigns have been identified: one featuring polished tutorials and another using casual clips to bait users into clicking links to malicious sites. The malware, sold as a service, can steal sensitive information such as passwords and banking data. Videos have gained significant traction, with one tutorial reaching over 109,000 views. The attack method exploits social media algorithms favoring saved and shared content, making it challenging to combat. Organizations are advised to enhance training and encourage reporting of suspicious content.
Key Points:
- Cybercriminals exploit social media platforms to distribute Vidar infostealer malware.
- Fake tutorials promise free premium software, misleading users into executing harmful commands.
- One video reached over 109,000 views, highlighting the effectiveness of this attack method.
Detailed Analysis
**Impact** Users of TikTok and Instagram Reels globally are targeted, with campaigns reaching over 100,000 views per video. Individuals seeking free access to premium software such as Spotify Premium and Microsoft Word are at risk of credential theft, financial data compromise, and loss of authentication tokens. The malware affects personal and potentially corporate users who execute commands or download files from fraudulent sites, risking data breaches and unauthorized access. No specific sectors or geographic regions beyond platform users were identified.

**Technical Details** Attackers use short-form videos mimicking official branding to lure users into executing PowerShell commands or engaging with fake download sites. The primary malware is Vidar infostealer, delivered via scripts from lookalike domains such as msget[.]run and d4ug[.]site, which harvests credentials, banking data, and browser cookies. Campaigns exploit social media algorithms by encouraging saves and shares to increase reach. No CVEs or software vulnerabilities were reported as exploited. Indicators include domains msget[.]run and d4ug[.]site, and the payload file named build.exe.

**Recommended Response** Audit and restrict software installation privileges, especially for users with elevated access. Update phishing and social engineering training to include threats from social media platforms, emphasizing caution with unsolicited commands and downloads. Encourage reporting of suspicious social media content to platform providers and internal security teams to facilitate takedown. Monitor for network connections to identified malicious domains and block them where possible.
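A sweep for the indicators listed above, as an added example that is not taken from the source reports: it refangs the page's two domains in memory, matches them and their subdomains on label boundaries, and flags the `build.exe` filename. The log lines are constructed samples, and their field layout is an assumption.

```python
import re

# Indicators as listed on this page, kept defanged; refanged only in memory.
IOC_DOMAINS_DEFANGED = ["msget[.]run", "d4ug[.]site"]
IOC_FILENAMES = {"build.exe"}  # generic name: weak signal on its own

def refang(indicator):
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
# Hostname-like tokens; the lookarounds stop matches inside longer names.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-]|\.\w)", re.I)
FILE_RE = re.compile(r"(?<![\w.-])([\w-]+\.exe)\b", re.I)

def matching_domain(host):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_line(line):
    """Return a sorted list of (kind, indicator) hits for one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        if (ioc := matching_domain(host)):
            hits.add(("domain", ioc))
    for name in FILE_RE.findall(line):
        if name.lower() in IOC_FILENAMES:
            hits.add(("file", name.lower()))
    # PowerShell on the same line as an indicator matches the delivery path.
    if hits and re.search(r"\bpowershell(\.exe)?\b", line, re.I):
        hits.add(("context", "powershell"))
    return sorted(hits)

def scan(lines):
    """Return (line_number, hits) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]

D1, D2 = (refang(d) for d in IOC_DOMAINS_DEFANGED)
SAMPLE_LOG = [  # constructed log lines, not real telemetry
    f"dns client=10.0.0.5 query=cdn.{D1} type=A",
    f"proxy client=10.0.0.5 url=https://{D1}.example.com/ status=200",
    f'proc host=ws12 image=powershell.exe cmdline="<redacted> https://{D2}/<redacted>"',
    r"file host=ws12 created=C:\Users\u\Downloads\build.exe",
    f"dns client=10.0.0.7 query=not{D1} type=A",
]
```

Because `build.exe` is a generic filename, a file-only hit is a lead to correlate with the domain hits rather than a verdict.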
Source articles (4)
- Hackers Abuse TikTok and Instagram Reels to Spread Malware via Fake Free Software Tutorials — Cybersecuritynews · 2026-06-10
  Cybercriminals are now turning to short-form video platforms as a new attack surface, using fake software tutorials on TikTok and Instagram Reels to push malware onto unsuspecting users. The tactic is…
- Fake Software Tutorials on TikTok Spread Vidar Stealer — Infosecurity-Magazine · 2026-06-10
  Threat actors have been using short-form videos on TikTok and Instagram Reels to push the Vidar infostealer, disguising the attacks as tutorials for unlocking premium software for free. New analysis…
- Scammers use short videos on social media to spread Vidar infostealer — Scworld · 2026-06-10
  Per HackRead, scammers are exploiting the popularity of short video formats on platforms like TikTok and Instagram Reels to distribute the Vidar infostealer malware, a departure from traditional phish…
- Fake Spotify Premium tutorials on TikTok and Instagram Reels spread malware — Feeds2.Feedburner · 2026-06-11
  Cybercriminals are using TikTok and Instagram Reels videos to spread Vidar, an infostealer malware, through fake downloads for popular paid software, according to ReversingLabs. The researchers uncove…
Timeline
- 2026-06-10 — ReversingLabs reports on Vidar infostealer campaigns: Two campaigns on TikTok and Instagram Reels identified, using fake software tutorials to spread malware.
- 2026-06-10 — Scammers exploit social media for malware distribution: Scammers create tutorial videos that lead users to download the Vidar infostealer, affecting many users.
- 2026-06-10 — Hackers leverage TikTok and Instagram for malware: Polished videos promising free software access are used to funnel users to malicious downloads.
- 2026-06-11 — Cybercriminals use fake downloads to spread malware: Researchers confirm that fake software tutorials on social media are spreading Vidar malware.
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- d4ug[.]site (Domain)
- Vidar (Malware)
- Vidar Infostealer (Malware)
- T1059.001 - PowerShell (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- Instagram (Platform)
- Instagram Reels (Platform)
- TikTok (Platform)
- Windows (Platform)
- Spotify (Company)
- PowerShell (Tool)