TikTok, Instagram Reels push PowerShell Vidar infostealer
ReversingLabs found short TikTok and Instagram Reels videos that promise free Spotify, Office or Windows and instruct users to run PowerShell commands or download files that install Vidar.
ReversingLabs researchers identified two active campaigns on TikTok and Instagram Reels that use short tutorial-style videos to trick users into installing Vidar, an infostealer. The videos promise free Spotify Premium, Microsoft Office or Windows activation and direct viewers to run PowerShell commands or to download installers from linked sites.
The accounts use names such as “windows.tips” and “windows.insights” and mimic Windows-style branding. Videos are tagged with Windows and Office keywords so they appear alongside legitimate troubleshooting content. Viewers are told to open PowerShell, paste a command and press Enter; the command downloads and executes malware. In other cases the videos point to malicious download pages hosting infected installers.
The malware was identified as Vidar. Researchers observed it collecting saved browser passwords, autofill data, browser cookies, cryptocurrency wallet files, two-factor authentication data and Tor browser files. Some of the attack scripts also add exclusions to Windows Defender, reducing the chance that later activity is detected.
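Because the scripts described above add Defender exclusions, a quick way for a defender to check an endpoint is to list the current exclusions and pull the recent Defender configuration-change events. The following PowerShell audit is an added example, not code from ReversingLabs or from this article; it assumes Windows 10/11 with Microsoft Defender, an elevated session, and uses the real cmdlets Get-MpPreference and Get-WinEvent together with Defender's event ID 5007 (platform configuration changed). The "suspicious path" heuristic is a constructed rule of thumb, not a vendor signature.

```powershell
# Added defensive audit example (not from the article or ReversingLabs).
# Lists Defender exclusions and recent exclusion changes so an analyst can spot
# exclusions added by a pasted "activation" script.
# Assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell session.

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param(
        # How far back to look for configuration-change events (constructed default)
        [int]$Days = 7
    )

    $pref = Get-MpPreference

    $exclusions = foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) {
                [pscustomobject]@{
                    Kind  = $kind
                    Value = $item
                    # Heuristic only: exclusions covering a whole drive or user-writable
                    # locations deserve a closer look.
                    Suspicious = ($kind -eq 'ExclusionPath' -and
                        ($item -match '^[A-Za-z]:\\?$' -or
                         $item -match '\\(Users|Temp|AppData|Downloads|ProgramData)\\?'))
                }
            }
        }
    }

    # Event ID 5007 in the Defender operational log records a platform configuration
    # change; its message names the changed registry value, including the Exclusions keys.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when no events match, hence SilentlyContinue.
    $changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        Exclusions             = @($exclusions)
        SuspiciousCount        = @($exclusions | Where-Object Suspicious).Count
        RecentExclusionChanges = @($changes)
    }
}

# Usage: summarise the last two weeks on this host.
$report = Get-DefenderExclusionReport -Days 14
$report.Exclusions | Format-Table -AutoSize
$report.RecentExclusionChanges | Format-List
```

Running this on a fleet (for example through a remote-management tool) and forwarding the 5007 events to a SIEM turns a one-off check into a standing detection: an exclusion appearing on a user workstation minutes after a PowerShell session started from an interactive console is exactly the sequence the article describes.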
The campaigns use platform discovery features and short-form tutorial formats to reach users. Attackers include countdown timers, fake user counters and professional-looking branding to encourage quick action and trust. Because PowerShell is a legitimate Windows administration tool, prompting users to run commands can bypass some defenses that focus on email-based attacks.
Researchers recommend downloading software only from official vendor sites, avoiding unverified or cracked versions, and not copying commands from webpages or videos into a PowerShell window. Users should verify a file’s publisher and digital signature before running it and keep endpoint protection current. Platform operators and security teams are removing fraudulent accounts and monitoring short-form video content, and consumers are advised to confirm technical instructions through official support channels before taking action.
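The recommendation to verify a file's publisher and digital signature before running it can be turned into a repeatable pre-run check. The script below is an added example, not code from the article or from ReversingLabs; it assumes Windows PowerShell 5.1 or later on Windows and relies on the real cmdlets Get-AuthenticodeSignature, Get-FileHash and Get-Content -Stream (for the Zone.Identifier mark-of-the-web stream). The file path and the expected publisher string are constructed placeholders.

```powershell
# Added example (not from the article or ReversingLabs): a pre-run check for a
# downloaded installer. Assumes PowerShell 5.1+ on Windows; the path and the
# expected publisher string are constructed placeholders.

function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Substring the signer certificate subject is expected to contain (placeholder)
        [string]$ExpectedPublisher = 'O=Example Vendor Inc'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode check: Status is Valid only if the signature verifies and the
    # certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $publisherMatch = [bool]($signer -and $signer -like "*$ExpectedPublisher*")

    # Mark-of-the-Web: files saved by a browser carry a Zone.Identifier stream;
    # ZoneId=3 means the file came from the Internet zone.
    $zone = try {
        (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join "`n"
    } catch { $null }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $signer
        PublisherMatch  = $publisherMatch
        FromInternet    = [bool]($zone -and $zone -match 'ZoneId=3')
        # Hash to compare against the vendor's published value or to look up with support.
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Decision: run only when the signature is valid AND the signer is the expected vendor.
        # A valid signature from an unexpected signer is still a red flag.
        SafeToRun       = ($sig.Status -eq 'Valid' -and $publisherMatch)
    }
}

# Usage (placeholder path and publisher):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\setup.exe" -ExpectedPublisher 'O=Example Vendor Inc'
```

The check deliberately requires both conditions: the campaign's installers may be unsigned (NotSigned) or signed by an arbitrary certificate, and only a match against the publisher you actually expect, obtained from the vendor's official site, should clear a file to run.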