Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools.

• Trend Research uncovered a new social engineering campaign using TikTok to deliver the Vidar and StealC information stealers. This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps.
• TikTok’s algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views. Businesses can be affected by data exfiltration, credential theft, and potential compromise of sensitive systems as a result of this threat.
• Reinforcing security awareness, especially against AI-generated content, is crucial. Monitoring for unusual command execution involving PowerShell or other system utilities also helps identify malicious activity early.
• Trend Vision One™ detects and blocks the IOCs discussed in this blog. rend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on this campaign
  Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok.

Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.

StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.

This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.

Key Takeaways

• StealC V2, introduced in March 2025, utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants.
• StealC V2 now supports loader options that can deliver Microsoft Software Installer (MSI) packages, and PowerShell scripts.
• The redesigned control panel includes an embedded builder that allows operators to customize payload rules and bot responses based on geolocation, HWID, and installed software.
• StealC V2 includes multi-monitor screenshot capture and a unified file grabber that targets crypto wallets, gaming applications, instant messengers, email clients, VPNs, and browsers. In addition, StealC V2 supports server-side brute-forcing capabilities for credential harvesting.
• ThreatLabz has observed StealC V2 being deployed via Amadey, and conversely, it being used to distribute StealC V2.

A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named
#Atomic #Computer #Info #InfoSec #Information #Information-stealing #Marko #Polo #Rhadamanthys #Security #Stealc #Stealer #malware