
Introduction: A Costly Shortcut That Ends in Data Theft
In the fast-moving world of trading and cryptocurrency, access to premium tools can feel essential. Platforms like TradingView offer advanced features that many retail investors rely on daily. But as subscription costs rise, some users are tempted by “free” alternatives shared online. That temptation is now being weaponized. Cybersecurity researchers have uncovered a highly organized malware campaign on Reddit that disguises dangerous software as cracked versions of TradingView Premium, putting both Windows and macOS users at serious risk.
Summary: How the Malware Campaign Operates
Cybersecurity experts have identified an active and coordinated attack campaign spreading across Reddit, where threat actors are distributing malware disguised as free versions of TradingView Premium. The operation targets users seeking to bypass subscription fees, particularly retail traders and cryptocurrency investors. Victims who download these fake versions unknowingly install powerful information-stealing malware, specifically Vidar for Windows systems and AMOS for macOS devices.
The attackers rely on convincing social engineering tactics. Their Reddit posts follow a structured format, offering a “fully unlocked” version of TradingView and including fake user testimonials. Researchers observed that the text appears to be generated using artificial intelligence, with patterns and formatting typical of large language models. This adds a layer of polish and credibility that makes the scam more convincing.
To further increase trust, the attackers provide separate download links for each operating system, including a build advertised as compatible with the latest macOS release. That detail makes the offering look maintained and legitimate. The links, however, lead to compromised but otherwise legitimate business websites, with the malicious files placed in obscure subdirectories. A web filter or proxy that judges a download only by the reputation of the domain sees an established business site and lets it through.
Once downloaded, the infection chain differs by operating system. On Windows, the payload arrives as a single executable of nearly 800 MB. The size is deliberate: the file is padded with junk bytes so that it exceeds the file-size ceiling beyond which many antivirus engines and upload-based scanners simply skip a file. When run, it executes an obfuscated script that reconstructs the Vidar infostealer and launches it in the background.
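The padding trick leaves a measurable fingerprint: almost all of the file sits after the last PE section as an "overlay" of near-zero entropy. The following detector is an added example written for this article, not code from the researchers or from any security vendor. It parses the PE section table, measures the overlay, and samples its entropy so an 800 MB file does not have to be read in full; the thresholds and the three constructed sample files are assumptions chosen for the demonstration.

```python
"""Flag Windows executables whose bulk is a low-entropy overlay (filler) appended
after the last PE section, i.e. the padding trick described above."""
import math
import random
import struct
from collections import Counter

# Thresholds are assumptions chosen for this example, not figures from the report.
MIN_OVERLAY_BYTES = 1 * 1024 * 1024      # ignore small overlays (Authenticode signatures live there)
LOW_ENTROPY_BITS = 1.0                   # zero or repeated filler scores near 0.0 bits per byte
SAMPLE_WINDOWS, WINDOW_BYTES = 64, 4096  # sample 256 KiB instead of hashing the whole overlay


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, about 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sampled_entropy(blob: bytes, start: int, length: int) -> float:
    """Entropy of evenly spaced windows of blob[start:start+length]."""
    if length <= SAMPLE_WINDOWS * WINDOW_BYTES:
        return shannon_entropy(blob[start:start + length])
    stride = length // SAMPLE_WINDOWS
    windows = (blob[start + i * stride:start + i * stride + WINDOW_BYTES]
               for i in range(SAMPLE_WINDOWS))
    return shannon_entropy(b"".join(windows))


def sections_end(pe: bytes) -> int:
    """Offset just past the last section's raw data, read from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size          # section headers follow the optional header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def assess(pe: bytes) -> dict:
    """Report overlay size/entropy and whether the file looks padded."""
    end = sections_end(pe)
    overlay = len(pe) - end
    entropy = sampled_entropy(pe, end, overlay) if overlay > 0 else 0.0
    return {
        "file_size": len(pe),
        "sections_end": end,
        "overlay_size": overlay,
        "overlay_entropy": round(entropy, 2),
        "padded": overlay >= MIN_OVERLAY_BYTES and entropy < LOW_ENTROPY_BITS,
    }


def build_sample_pe(section: bytes, overlay: bytes) -> bytes:
    """Constructed single-section PE layout for the demo; it is not a runnable binary."""
    e_lfanew, opt_header_size, raw_ptr = 0x40, 0xE0, 0x200
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_header_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)   # PE32 magic, rest zeroed
    sec = (b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr)
           + b"\0" * 16)
    headers = dos_stub + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (raw_ptr - len(headers)) + section + overlay


def demo() -> dict:
    """Three constructed files: padded with zeros, no overlay, and a high-entropy overlay."""
    code = bytes(range(256)) * 8                         # 2 KiB stand-in for real section data
    two_mib = 2 * 1024 * 1024
    rng_overlay = random.Random(1).randbytes(two_mib)    # e.g. an embedded compressed archive
    return {
        "padded": assess(build_sample_pe(code, b"\0" * two_mib)),
        "clean": assess(build_sample_pe(code, b"")),
        "packed_installer": assess(build_sample_pe(code, rng_overlay)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} {verdict}")
```

The third sample matters: a legitimate self-extracting installer also carries a large overlay, but a compressed one scores near 8 bits per byte, so the rule keys on low entropy rather than size alone. Overlays under a megabyte are ignored because Authenticode signatures legitimately live there.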
On macOS, the lure is a fake installer delivered as a disk image. When opened, it silently runs an encrypted script that installs the AMOS stealer. AMOS harvests browser credentials, session cookies and cryptocurrency wallet data, and in some cases also drops a fake hardware wallet application that prompts the victim for a wallet recovery phrase, giving the attackers direct access to the funds.
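The macOS chain above (an app launched from a mounted disk image that decodes and runs a script) is visible in endpoint process telemetry. The triage below is an added example for this article, not detection content from the researchers or any EDR vendor. Its indicators are generic macOS stealer tradecraft assumed for the demonstration: a shell or osascript spawned by a process living under /Volumes/, a command line that base64-decodes or openssl-decrypts an inline script, and removal of the quarantine attribute. The JSON-lines events and their field names are constructed, not real telemetry.

```python
"""Triage macOS process events for the disk-image-to-script install chain described above."""
import json
import re

# Indicators below are generic macOS stealer tradecraft assumed for this example;
# they are not commands quoted from the report.
DECODE_RE = re.compile(r"\b(base64\s+(-d|-D|--decode)|openssl\s+enc\b[^|;]*\s-d\b)")
QUARANTINE_RE = re.compile(r"\bxattr\s+(-c|(-r\s+)?-d\s+com\.apple\.quarantine)\b")
SCRIPT_HOSTS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}


def score_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list means nothing matched)."""
    reasons = []
    cmd = event.get("cmdline", "")
    if event.get("path") in SCRIPT_HOSTS and event.get("parent_path", "").startswith("/Volumes/"):
        reasons.append("script interpreter launched by an app running from a mounted disk image")
    if DECODE_RE.search(cmd):
        reasons.append("command line decodes or decrypts an inline script body")
    if QUARANTINE_RE.search(cmd):
        reasons.append("quarantine attribute removed (bypasses the Gatekeeper prompt)")
    return reasons


def triage(jsonl: str) -> dict[int, list[str]]:
    """Map pid -> reasons for every event in a JSON-lines feed that matched at least one rule."""
    hits = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


# Constructed sample feed (not real telemetry); the field names follow a generic EDR shape.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"pid": 501, "path": "/bin/bash",
                "parent_path": "/Volumes/TradingView Premium/Install.app/Contents/MacOS/Install",
                "cmdline": "/bin/bash -c 'echo QUJD | base64 -d | "
                           "openssl enc -aes-256-cbc -d -pass pass:x | /bin/bash'"}),
    json.dumps({"pid": 502, "path": "/usr/bin/xattr", "parent_path": "/bin/bash",
                "cmdline": "xattr -c /Users/trader/Library/Application Support/.helper"}),
    json.dumps({"pid": 503, "path": "/bin/zsh",
                "parent_path": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
                "cmdline": "/bin/zsh -c 'ls -la ~/Downloads'"}),
    json.dumps({"pid": 504, "path": "/usr/bin/xattr", "parent_path": "/bin/zsh",
                "cmdline": "xattr -p com.apple.quarantine /Users/trader/Downloads/tool.dmg"}),
])

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Event 504 is the deliberate negative case: merely reading the quarantine attribute (xattr -p) is what a curious user does and must not fire the rule. In practice the first rule (interpreter spawned from a /Volumes/ mount) carries most of the weight, since legitimate installers on macOS rarely need a shell pipeline to finish their job.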
Security researchers warn that this campaign is part of a broader trend of increasingly sophisticated information-stealing malware, alongside threats like Raven Stealer and DarkCloud. To defend against such attacks, organizations are encouraged to implement strict controls, such as blocking password-protected archives and monitoring endpoint behavior for anomalies. However, the most critical defense remains user awareness. Downloading pirated software from unverified sources continues to be one of the most common entry points for devastating cyberattacks.
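Blocking password-protected archives at the mail or web gateway is cheap to implement because the encryption flag lives in the ZIP central directory and can be read without extracting anything. The check below is an added example for this article, not a product feature or the researchers' tooling. It goes one step beyond the recommendation above and also flags archived executables and installers for sandboxing, a policy addition assumed here; the suffix list is an assumption. Because Python's zipfile module cannot write encrypted archives, the example includes a small constructed ZIP writer that merely sets the encryption flag on placeholder bytes.

```python
"""Gateway check for archives: reject password-protected ZIPs (the control recommended above)
and route archived executables/installers to a sandbox instead of delivering them."""
import io
import struct
import zipfile
import zlib

# Suffix list is an assumption for this example; tune it to the organisation's policy.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".dmg", ".pkg", ".app", ".bat", ".js", ".vbs")


def inspect_zip(blob: bytes) -> dict:
    """Parse the central directory only (no extraction) and apply the policy."""
    try:
        entries = zipfile.ZipFile(io.BytesIO(blob)).infolist()
    except zipfile.BadZipFile as exc:
        return {"verdict": "block", "reasons": [f"malformed archive: {exc}"], "entries": []}
    reasons, listing = [], []
    for info in entries:
        encrypted = bool(info.flag_bits & 0x1)        # general-purpose bit 0: entry is encrypted
        listing.append((info.filename, encrypted))
        if encrypted:
            reasons.append(f"password-protected entry: {info.filename}")
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable inside archive: {info.filename}")
    if any(r.startswith("password-protected") for r in reasons):
        verdict = "block"
    else:
        verdict = "sandbox" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons, "entries": listing}


def build_zip(files: list[tuple[str, bytes, bool]]) -> bytes:
    """Constructed ZIP writer (stored entries) that can set the encryption flag, which
    zipfile cannot; the 'encrypted' payload is placeholder bytes, not real ZipCrypto."""
    dos_date = ((2025 - 1980) << 9) | (1 << 5) | 1      # 2025-01-01, a valid DOS date
    local, central, offset = b"", b"", 0
    for name, data, encrypted in files:
        flags = 0x1 if encrypted else 0
        body = (b"\x00" * 12 + data) if encrypted else data   # ZipCrypto prepends a 12-byte header
        crc, fname = zlib.crc32(data), name.encode()
        header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                             crc, len(body), len(data), len(fname), 0)
        local += header + fname + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, dos_date,
                               crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, offset) + fname
        offset += len(header) + len(fname) + len(body)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(files), len(files),
                       len(central), len(local), 0)
    return local + central + eocd


def demo() -> dict:
    """Three constructed archives: the lure, a benign document bundle, and a plain installer."""
    lure = build_zip([("README.txt", b"password: 1234", False),
                      ("TradingView-Premium-Unlocked.exe", b"MZ-placeholder", True)])
    docs = build_zip([("q3-report.pdf", b"%PDF-1.7 placeholder", False)])
    installer = build_zip([("setup.exe", b"MZ-placeholder", False)])
    return {"lure": inspect_zip(lure), "docs": inspect_zip(docs), "installer": inspect_zip(installer)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result['verdict']:8s} {result['reasons']}")
```

The lure pattern (a plaintext README carrying the password next to an encrypted executable) is exactly what a domain-reputation or signature-based scanner never sees, because it cannot open the entry; reading the flag bit sidesteps that entirely. Malformed archives are blocked rather than allowed, since a parser-confusing ZIP is itself a classic evasion.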
What Undercode Say: The Real Danger Behind “Free” Software
The most striking aspect of this campaign is not the malware itself, but the precision of its delivery. Attackers are no longer relying on crude phishing emails or suspicious links. Instead, they are embedding themselves within trusted communities like Reddit, where users actively exchange tools, tips, and resources. This shift represents a deeper psychological attack rather than just a technical one.
By targeting users already motivated to find free alternatives, the attackers exploit a pre-existing vulnerability: the willingness to take risks for financial gain. This is especially true in the trading and crypto space, where margins matter and expensive tools can feel like barriers to success. The attackers understand this mindset and design their campaigns accordingly.
Another critical layer is the use of AI-generated content. The fake reviews and structured promotional posts are not random. They are crafted to mimic genuine user experiences, making it increasingly difficult for even cautious users to distinguish between real and malicious content. As AI tools become more advanced, this kind of deception will only grow more convincing.
The technical execution also reflects a high level of sophistication. Hosting malware on legitimate but compromised websites allows attackers to bypass traditional security filters. Many security systems still rely heavily on domain reputation, assuming that well-known or previously trusted domains are safe. This campaign proves that such assumptions are no longer reliable.
The use of oversized executables on Windows is another clever tactic. By inflating file sizes beyond typical scanning thresholds, attackers exploit limitations in antivirus engines. It is a reminder that security tools often have practical constraints, and attackers are constantly probing for those weaknesses.
On macOS, the attack highlights a growing trend. For years, macOS users have felt relatively secure compared to Windows users. However, malware like AMOS demonstrates that attackers are increasingly investing in macOS-specific threats, particularly because many high-value targets, such as developers and crypto investors, use Apple devices.
The inclusion of fake hardware wallet applications is particularly alarming. This moves beyond simple credential theft into direct financial exploitation. By tricking users into interacting with fraudulent wallet interfaces, attackers can bypass even cautious security practices.
Ultimately, this campaign underscores a fundamental truth in cybersecurity: human behavior remains the weakest link. No matter how advanced security tools become, they cannot fully protect users who willingly install unverified software. Education and awareness are not optional defenses. They are essential.
Organizations must rethink their approach to user training. Instead of generic warnings, they need real-world examples like this campaign to demonstrate the consequences of risky behavior. When users understand how these attacks actually work, they are more likely to recognize and avoid them.
Fact Checker Results
✅ The campaign uses real infostealers (Vidar and AMOS) targeting different operating systems.
✅ Attackers leverage compromised legitimate websites to evade detection systems.
❌ TradingView itself is not involved: the campaign only abuses the product's name, and the installers are not the company's software.
Prediction
The use of AI-generated scam content will rapidly increase, making social platforms even harder to trust. ⚠️
macOS-targeted malware will continue to grow as attackers follow high-value users in crypto and trading spaces. 💻
Future campaigns will likely combine malware with real-time phishing interfaces to steal funds instantly. 💰
References:
Reported By: cyberpress.org