A threat actor has been running an active campaign on Reddit, using fake posts that promise free TradingView Premium access to deliver two malware families \u2014 Vidar on Windows and AMOS on macOS. The operation is still live, with new posts surfacing as older ones get taken down.<\/a><\/p>\n TradingView is one of the most widely used charting platforms among retail traders, crypto investors, and forex enthusiasts. Its Premium subscription unlocks advanced indicators and real-time market data at a price many users would rather skip. <\/p>\n The threat actor exploits that gap by posting across multiple subreddits \u2014 some hijacked, others purpose-built \u2014 with step-by-step instructions that walk victims through the full infection chain without raising suspicion.<\/a><\/p>\n Hexastrike analysts traced these infections<\/a> back to Reddit while handling several recent stealer cases. <\/p>\n They identified a single threat actor operating across at least five subreddits, using aged, purchased, or compromised accounts to appear credible. <\/p>\n What stands out is not technical complexity but operational discipline \u2014 hosting domains get swapped the moment they are flagged, warning comments from real users are deleted within minutes, and the posts appear LLM-generated to keep a consistent tone.<\/a><\/p>\n The subreddits tell a clear story. r\/BitBullito and r\/CryptoCurrencyDM had just two and 29 subscribers respectively, while the accounts posting in them were three to six years old \u2014 lending false legitimacy to the operation. <\/p>\n One account, u\/BroadDepartment573, carried a Four Year Club Reddit trophy but had only a single post across its entire history.<\/p>\n Every post follows the same template, claiming the software was reverse engineered with all license checks removed. <\/p>\n Separate download links are offered for Windows, macOS, and macOS 15 \u2014 a level of platform targeting that shows the actor understands Apple\u2019s Gatekeeper restrictions<\/a> in macOS Sequoia. <\/p>\n Payloads are hosted on compromised legitimate business websites, lending added credibility to the download links. <\/p>\n On Windows, the extracted executable is bloated to over 784 megabytes through null-byte padding in its PE resource section, deliberately sized to exceed antivirus scan limits. <\/p>\n Beneath the padding sits a 44-kilobyte self-extracting cabinet that drops a batch script named Receipt.gif. <\/p>\n Despite the image extension, it is a 235-line obfuscated script that reassembles a Vidar infostealer<\/a> from split file fragments using character substitution to defeat signature-based detection. <\/p>\n The archive password \u2014 either \u201cgithub\u201d or \u201ccodeberg\u201d \u2014 is posted directly in the Reddit thread, both names chosen to evoke legitimate developer platforms and lower suspicion.<\/a><\/p>\n On macOS, the download is a disk image that mounts with a TradingView-branded background to mimic a real installer. Inside sits a compact 217-kilobyte Mach-O binary that decrypts an AMOS stealer<\/a> at runtime through a polymorphic XOR loop. <\/p>\n Once executed, AMOS harvests credentials and cookies from Chrome, Firefox, Safari, Brave, Edge, and Opera, copies wallet files from Exodus, Electrum, and MetaMask, and exfiltrates everything over HTTP within seconds. <\/p>\n Organizations should add the identified distribution domains to web proxy and DNS blocklists, and hunt for patterns where Reddit browsing is followed quickly by a large ZIP download from an unrelated domain. <\/p>\n On Windows, flag wextract.exe spawning cmd.exe with delayed variable expansion. On macOS, monitor for unsigned applications calling osascript or making unexpected dscl authonly credential validation attempts. <\/p>\n Anyone with any doubt about exposure should treat it as a confirmed compromise \u2014 browser passwords, session cookies, and crypto wallet<\/a> keys should all be considered stolen. Downloading cracked software remains one of the most reliable ways threat actors find victims today.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Use Fake TradingView Premium Posts on Reddit to Deliver Vidar and AMOS Stealers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Reddit](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPXXzp2roAKjDeuKKPGj_G41wCA0Hxk97M_ZefSClREdfHfeKNyEkx4ISwwtZrjYS2srbcGuZjVWfzrLzrG7Silix_fd7af8dzBg8Y8_vY2ai0fqyuGAZuBZZ_X8H3hBuJO_r1Wl9zqVT5E88IM_Niiq1MgqclBBhnl-s8wyKO0coEbxFJYeBnvDawq7o\/s16000\/Reddit%2520profile%2520of%2520u%2520-%2520BroadDepartment573%2520showing%2520the%2520Four%2520Year%2520Club%2520trophy%2520alongside%2520an%2520otherwise%2520empty%2520activity%2520history%2520%28Source%2520-%2520Hexastrike%29.webp?ssl=1\")
![\"Post](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiergdET119oL6Ds_hzj4Td6FB37j4l_n57muIWrJHkRFcXpLnizqWrVsQyvpwF69Rp8WQilExk5O6e1F1OHio30w2jQOqZ5ZH4CVCYy6aSMT4q4M4dvOpqw1lltAoFpxFP55CS-dbkqM1nwTMwJqDWd3HYdYNVQEeybWOurd7jZq8Fb7SnBpNSeaygzMU\/s16000\/Post%2520body%2520claiming%2520the%2520software%2520is%2520reverse%2520engineered%2520with%2520all%2520license%2520checks%2520removed%2520and%2520premium%2520access%2520unlocked%2520forever%2520%28Source%2520-%2520Hexastrike%29.webp?ssl=1\")
The Infection Mechanism<\/strong><\/h2>\n
![\"Entropy](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLEwuw9qVtIt3G0P8d4qfXbAYaOBH_ROaATWmKe4N1WaL1hv1LE1Rl7XDxkr0fggHMGH4j-WgLF0IFOKrB0goeaBKuWdS2XUKiR2ZIdmZOkoX1tGuxYkg5v4LMVYMtE5Jwndc6wnHptDPbgGF4eYOVX1cV9qvjEthYDfdMSOutzxPrChtAFsOmNev6W7g\/s16000\/Entropy%2520graph%2520of%2520the%2520executable%2520showing%2520the%2520resource%2520section%2520filled%2520almost%2520entirely%2520with%2520zero-byte%2520padding%2520%28Source%2520-%2520Hexastrike%29.webp?ssl=1\")
![\"First](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiuLNlZKDIiWF5vkhKu1qBVZTUFov2zOHHt_3sEBnm7BGVRTU4fJzND7_p0ZW7TebKOQMj2Tk-IKLyD0rBxNOTHA2P-GiocZbUTSO5pv0ZHkTfNzAYXtjwFowkHECKyWWqjJB9t2gfXWcwbJIOYcr3FQGHfujFjRT7jaWRilbPLbMcko8dQHEAZAynLGiw\/s16000\/First%2520lines%2520of%2520Receipt.gif%2520showing%2520the%2520Set%2520variable%2520chain%2520with%2520random%2520dictionary%2520words%2520inserted%2520as%2520obfuscation%2520padding%2520%28Source%2520-%2520Hexastrike%29.webp?ssl=1\")
![\"Mounted](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjn2EBmWA5XRX5GcDMqj4Tr22fjSTI8HXXYgNEgBozu6JKY1vaM1R3kMk4pKKyrB-QFK18lG98GIryWew1XBbzgUkJMIPLgdT3FXzaunTE4Ja7qoQd3YGNip5n1M2yPgbXGaHY80vhb1CFVY1-DhvGuKRcwFypBAZCCUlIN7AxIsqpFlCbIBAQyQhg81Hc\/s16000\/Mounted%2520TradingView%2520DMG%2520showing%2520the%2520application%2520icon%2520over%2520a%2520branded%2520background%2520designed%2520to%2520appear%2520like%2520a%2520legitimate%2520installer%2520%28Source%2520-%2520Hexastrike%29.webp?ssl=1\")