
Hackers are using fake TikTok tips to spread malware


Security researchers have discovered hackers using AI-generated videos on TikTok to trick victims into installing Vidar and StealC malware. The pages behind these videos pretend to offer tips and tricks for enhancing apps or activating software such as Windows, CapCut, Office and more, instructing users to run PowerShell commands that download and install malware.

One TikTok video, with over 500,000 views, 20,000 likes, and 100 comments, instructed users to execute a PowerShell command, supposedly to boost their Spotify experience, that downloaded and ran a malicious script. Once executed, the script downloads the aforementioned malware, adds Windows Defender exclusions, modifies the Windows Registry to ensure persistence, and deletes traces of its activity.

[Image] A TikTok video tricking viewers into running a malicious PowerShell command. | Source: Trend Micro

Researchers at Trend Micro also report that they found such videos posted from multiple TikTok accounts, which have since been deactivated. The accounts posted nearly identical videos, suggesting the content creation pipeline was automated using AI for visuals and voice. So far, the accounts observed by researchers include:

  • @gitallowed
  • @zane.houghton
  • @allaivo2
  • @sysglow.wow
  • @alexfixpc
  • @digitaldreams771

After infection, Vidar and StealC connect to their respective command and control (C2) servers and start stealing information. Both are also adept at evading traditional security tools, with Vidar in particular using legitimate services like Steam and Telegram as Dead Drop Resolvers (DDR) to hide its C2 server information.

If you’ve run any command shown by the aforementioned accounts, or by any account on any social media platform, without fully understanding what it does, you may be at risk of a malware infection. Check your Windows Defender exclusions for suspicious entries and remove them. A full scan should detect any malware, but the only way to be fully sure is a factory reset.
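The check recommended above, as an added example that is not part of the original article: it lists Defender exclusions, flags any that cover user-writable folders where a pasted command typically drops files, shows recent Defender configuration-change events, and enumerates the Run keys commonly used for persistence. The "suspicious roots" list is an assumption of this example, not something the article or Trend Micro specifies; run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the article): audit Defender exclusions and
# autostart entries after running an untrusted command. Elevated shell needed.

# Assumed heuristic: exclusions under user-writable locations deserve review.
$suspiciousRoots = @(
    $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC,
    "$env:USERPROFILE\Downloads", 'C:\ProgramData'
)

$prefs = Get-MpPreference

Write-Host 'Path exclusions:' -ForegroundColor Cyan
foreach ($path in $prefs.ExclusionPath) {          # no-op if none are set
    $hit = $suspiciousRoots | Where-Object { $path -like "$_*" }
    if ($hit) { Write-Host "  [REVIEW] $path" -ForegroundColor Yellow }
    else      { Write-Host "  $path" }
}

Write-Host 'Process exclusions:' -ForegroundColor Cyan
$prefs.ExclusionProcess | ForEach-Object { Write-Host "  $_" }

Write-Host 'Extension exclusions:' -ForegroundColor Cyan
$prefs.ExclusionExtension | ForEach-Object { Write-Host "  $_" }

# Defender logs platform configuration changes (new exclusions included)
# as event 5007; the timestamps show when an exclusion appeared.
Write-Host 'Recent Defender configuration changes (event 5007):' -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Registry Run keys are a common persistence location; list what starts
# with the user and with the machine.
Write-Host 'Run key entries:' -ForegroundColor Cyan
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host "  [$hive] $($_.Name) = $($_.Value)" }
    }
}

# Once an exclusion is confirmed not to belong to software you installed:
#   Remove-MpPreference -ExclusionPath '<path printed above>'
```

Entries marked [REVIEW] are not proof of compromise; compare them against software you knowingly installed before removing anything.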


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
