EXECUTIVE SUMMARY:
A phishing campaign has been identified that abuses popular social media platforms, particularly TikTok and Instagram, to distribute the Vidar Stealer malware through deceptive tutorials and promotional videos. The activity relies heavily on social engineering techniques, where threat actors create convincing instructional content that encourages users to execute commands, install software, or follow seemingly legitimate setup procedures. By leveraging the trust users place in online tutorials and influencer-style content, attackers increase the likelihood of successful compromise while avoiding traditional security controls.
The attack chain begins with videos hosted on social media platforms that present fake software installation guides, productivity tips, cryptocurrency-related tools, or system configuration instructions. Victims are directed to external websites, repositories, or download locations where malicious payloads are disguised as legitimate applications or setup files. In some cases, users are instructed to copy and execute commands directly on their systems, enabling malware deployment without exploiting software vulnerabilities. The campaign demonstrates a shift toward user-driven compromise, where attackers rely on persuasion and misleading visual content rather than technical exploits. Once executed, the malicious payloads can facilitate credential theft, system compromise, data collection, and additional malicious activity on affected devices.
This campaign highlights the evolving nature of phishing attacks, where social media content is increasingly used to manipulate users into performing actions that compromise their security. Organizations and individuals should treat online tutorials, software installation guides, and troubleshooting videos with caution, particularly when they require command execution, security setting modifications, or downloads from unverified sources. Strengthening user awareness, validating software sources, and monitoring for suspicious system activity remain essential measures for reducing exposure to social media-driven phishing threats and malware infections.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1593.001 | Search Open Websites/Domains | Social Media |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1584.001 | Compromise Infrastructure | Domains |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise | - |
| Execution | T1204.001 | User Execution | Malicious Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1555.005 | Credentials from Password Stores | Password Managers |
| Collection | T1005 | Data from Local System | - |
| Collection | T1213.001 | Data from Information Repositories | Confluence |
| Collection | T1119 | Automated Collection | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-tiktok-and-instagram-reels-to-spread-malware/
https://www.reversinglabs.com/blog/social-media-attacks-phishing