Vidar

Hackers are now turning popular social media platforms into malware delivery channels, using the promise of free software to trap unsuspecting users... attackers posting polished tutorial videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office.

Other examples included malvertising campaigns that use AI-themed terms such as 'Awesome AI Windows Plugin' and 'Flux Pro AI' in social engineering lures, and fake DeepSeek V4 installers on GitHub that delivered Vidar Stealer.

Microsoft Threat Intelligence said it's observed an uptick in phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection.

Users were then directed to tutorial videos, direct messages or links in account profiles that led to websites advertising free software, games and AI tools.

This new attack method... involves creating seemingly helpful tutorial videos that promise free access to premium applications such as Spotify Premium or Microsoft Word.

The second built audiences through a stream of videos promoting free access to premium software before directing viewers to a central tutorial containing download instructions.

Viewers are walked through step-by-step instructions that include opening PowerShell, a legitimate Windows administrative tool, and pasting in a set of commands. Those commands then silently download and execute the Vidar infostealer in the background, with the user none the wiser.

Once the user clicks “Continue”, the executable drops and runs a malicious Python-based downloader. Both the Python interpreter and the downloader script are saved in the \AppData\Local\ folder as pythonw.exe and LICENSE.txt, respectively.

Researchers at ReversingLabs uncovered two active campaigns using these short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites.

Scammers instruct users to execute commands in their operating system's terminal, which secretly downloads and runs malicious payloads.

The first campaign relied on a network of accounts masquerading as technology support pages. Researchers observed profiles using names such as “ windows.tips ” and “ windows.insights ,” along with blue-and-white profile images that resembled Microsoft’s branding.

Once the loader runs, it decodes its payload entirely within the computer’s memory, meaning the final malicious program never gets written to the hard drive.

The download was a fraudulently code-signed executable tied to Fox Tempest, a group running a malware-signing service used by multiple criminal actors.

Browser cookies can be used to hijack active sessions without needing a password.

Once it lands on a machine, Vidar goes to work collecting saved browser passwords, autofill data, browser cookies, cryptocurrency wallet details, two-factor authentication data, and even TOR browser data.

Стилер вытаскивает сохранённые пароли из браузеров (T1555.003, Credentials from Web Browsers).

The malware executable was signed with a fraudulently obtained Microsoft-issued code-signing certificate obtained through Artifact Signing... Microsoft attributes the signing service used by the threat actor to Fox Tempest.

Domain brokeapt[.]com Attacker-controlled C2 domain for Python loader Domain pan.ssffaa19[.]xyz Vidar C2 domain Domain pan.rongtv[.]xyz Vidar C2 domain

OnionDrop is a sophisticated multi-stage malware loader designed to deliver InfoStealers such as LegionLoader (CurlyGate), CGrabber, and Vidar Stealer at scale.

Everything harvested is then sent back to servers controlled by the attackers, giving them a detailed key to the victim’s entire digital life.

Research into similar TikTok-based attack chains shows that the malicious scripts commonly add exclusions to Windows Defender, effectively blinding the built-in security tool to future threats.