TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead

    Date: 05/26/2025

    Severity: High 

    Summary

    A new social engineering campaign uses TikTok to spread the Vidar and StealC infostealers through videos that instruct viewers to run disguised PowerShell commands. Some clips, possibly AI-generated, have reached over 500,000 views, increasing the threat's exposure. For businesses this can lead to credential theft and system compromise. Trend Vision One™ detects the IOCs and offers hunting queries and insights to help mitigate the threat.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://91.92.46.70/1032c730725d1721.php

    https://allaivo.me/spotify

    https://amssh.co/file.exe

    https://amssh.co/script.ps1

    https://steamcommunity.com/profiles/76561199846773220

    https://t.me/v00rd

    https://49.12.113.201

    https://116.202.6.216

    Hash (SHA-256):

    3bb81c977bb34fadb3bdeac7e61193dd009725783fb2cf453e15ced70fc39e9b

    afc72f0d8f24657d0090566ebda910a3be89d4bdd68b029a99a19d146d63adc5

    b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "https://allaivo.me/spotify" or url like "https://allaivo.me/spotify" or siteurl like "https://allaivo.me/spotify"
    or domainname like "https://t.me/v00rd" or url like "https://t.me/v00rd" or siteurl like "https://t.me/v00rd"
    or domainname like "https://49.12.113.201" or url like "https://49.12.113.201" or siteurl like "https://49.12.113.201"
    or domainname like "http://91.92.46.70/1032c730725d1721.php" or url like "http://91.92.46.70/1032c730725d1721.php" or siteurl like "http://91.92.46.70/1032c730725d1721.php"
    or domainname like "https://116.202.6.216" or url like "https://116.202.6.216" or siteurl like "https://116.202.6.216"
    or domainname like "https://steamcommunity.com/profiles/76561199846773220" or url like "https://steamcommunity.com/profiles/76561199846773220" or siteurl like "https://steamcommunity.com/profiles/76561199846773220"
    or domainname like "https://amssh.co/file.exe" or url like "https://amssh.co/file.exe" or siteurl like "https://amssh.co/file.exe"
    or domainname like "https://amssh.co/script.ps1" or url like "https://amssh.co/script.ps1" or siteurl like "https://amssh.co/script.ps1"

    Hash (SHA-256):

    sha256hash IN ("b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886","3bb81c977bb34fadb3bdeac7e61193dd009725783fb2cf453e15ced70fc39e9b","afc72f0d8f24657d0090566ebda910a3be89d4bdd68b029a99a19d146d63adc5")
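    The two queries above match the listed URLs and SHA-256 hashes against the domainname, url, siteurl and sha256hash fields. The following is an added example, not Gurucul's or Trend Micro's code, that replays the same indicator matching over a handful of constructed log records so the logic can be tested offline. The field names are taken from the advisory queries; the host-level matching and the exclusion of shared platforms (t.me, steamcommunity.com) from host-level matching are assumptions of this example, added so that a proxy log that records only a destination host still matches while ordinary Telegram or Steam traffic does not.

```python
"""Indicator matching for the advisory's URL/domain and SHA-256 IOCs.

Added example, not code from Gurucul or Trend Micro.  The indicator values
are copied from the advisory; the log records below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlparse

# URL indicators copied from the advisory's IOC list.
IOC_URLS = {
    "http://91.92.46.70/1032c730725d1721.php",
    "https://allaivo.me/spotify",
    "https://amssh.co/file.exe",
    "https://amssh.co/script.ps1",
    "https://steamcommunity.com/profiles/76561199846773220",
    "https://t.me/v00rd",
    "https://49.12.113.201",
    "https://116.202.6.216",
}

# SHA-256 indicators copied from the advisory; compared case-insensitively.
IOC_SHA256 = {
    "3bb81c977bb34fadb3bdeac7e61193dd009725783fb2cf453e15ced70fc39e9b",
    "afc72f0d8f24657d0090566ebda910a3be89d4bdd68b029a99a19d146d63adc5",
    "b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886",
}

# Assumption of this example: hosts shared by many legitimate users are only
# matched on the exact indicator URL, never on the bare host name, to avoid
# alerting on every Telegram or Steam request.
SHARED_HOSTS = {"t.me", "steamcommunity.com"}

# Hosts derived from the URL indicators (minus shared platforms) so that a
# proxy log carrying only the destination host, or a request with a different
# path on the same attacker host, is still caught.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS} - SHARED_HOSTS

# Field names used by the advisory's detection query.
URL_FIELDS = ("domainname", "url", "siteurl")


def _host_of(value: str) -> str | None:
    """Extract the host from a full URL or a bare host/path string."""
    # urlparse needs a scheme or a leading "//" to treat the text as a netloc.
    return urlparse(value if "://" in value else "//" + value).hostname


def match_record(rec: dict) -> list[str]:
    """Return the reasons one log record matches the advisory indicators."""
    hits = []
    for field in URL_FIELDS:
        value = rec.get(field)
        if not value:
            continue
        if value in IOC_URLS:
            hits.append(f"{field} exact url {value}")
            continue
        host = _host_of(value)
        if host in IOC_HOSTS:
            hits.append(f"{field} host {host}")
    digest = (rec.get("sha256hash") or "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash {digest}")
    return hits


def scan(records: list[dict]) -> list[tuple]:
    """Return (record id, reasons) for every record that matches."""
    results = []
    for rec in records:
        hits = match_record(rec)
        if hits:
            results.append((rec.get("id"), hits))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    {"id": 1, "url": "https://amssh.co/script.ps1"},        # script stage fetched
    {"id": 2, "domainname": "amssh.co"},                     # proxy log, host only
    {"id": 3, "url": "https://example.com/spotify"},         # look-alike path, benign host
    {"id": 4, "sha256hash": "3BB81C977BB34FADB3BDEAC7E61193DD009725783FB2CF453E15CED70FC39E9B"},
    {"id": 5, "siteurl": "https://t.me/other-channel"},      # shared platform, not the IOC
    {"id": 6, "siteurl": "https://t.me/v00rd"},              # exact IOC on shared platform
]

if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_LOGS):
        print(rec_id, "->", "; ".join(reasons))
```

Running the block prints the four matching records (1, 2, 4 and 6); record 3 is skipped because only the path resembles an indicator, and record 5 is skipped because t.me is matched only on the exact profile URL.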

    Reference:

    https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html


    Tags

    Malware, Vidar, Infostealer, Credential Theft, Social Engineering, TikTok, STEALC
