
Hackers Use Fake TradingView Premium Posts on Reddit to Deliver Vidar and AMOS Stealers

Cybersecurity News, Apr 07, 2026

A threat actor has been running an active campaign on Reddit, using fake posts that promise free TradingView Premium access to deliver two malware families — Vidar on Windows and AMOS on macOS. The operation is still live, with new posts surfacing as older ones get taken down.

TradingView is one of the most widely used charting platforms among retail traders, crypto investors, and forex enthusiasts. Its Premium subscription unlocks advanced indicators and real-time market data at a price many users would rather skip. The threat actor exploits that gap by posting across multiple subreddits — some hijacked, others purpose-built — with step-by-step instructions that walk victims through the full infection chain without raising suspicion.

Hexastrike analysts traced these infections back to Reddit while handling several recent stealer cases. They identified a single threat actor operating across at least five subreddits, using aged, purchased, or compromised accounts to appear credible. What stands out is not technical complexity but operational discipline — hosting domains get swapped the moment they are flagged, warning comments from real users are deleted within minutes, and the posts appear LLM-generated to keep a consistent tone.

The subreddits tell a clear story. r/BitBullito and r/CryptoCurrencyDM had just two and 29 subscribers respectively, while the accounts posting in them were three to six years old — lending false legitimacy to the operation. One account, u/BroadDepartment573, carried a Four Year Club Reddit trophy but had only a single post across its entire history.

[Figure: Reddit profile of u/BroadDepartment573 showing the Four Year Club trophy alongside an otherwise empty activity history (Source – Hexastrike)]

Every post follows the same template, claiming the software was reverse engineered with all license checks removed.

[Figure: Post body claiming the software is reverse engineered with all license checks removed and premium access unlocked forever (Source – Hexastrike)]

Separate download links are offered for Windows, macOS, and macOS 15 — a level of platform targeting that shows the actor understands Apple’s Gatekeeper restrictions in macOS Sequoia.

The Infection Mechanism

Payloads are hosted on compromised legitimate business websites, lending added credibility to the download links. On Windows, the extracted executable is bloated to over 784 megabytes through null-byte padding in its PE resource section, deliberately sized to exceed antivirus scan limits.

[Figure: Entropy graph of the executable showing the resource section filled almost entirely with zero-byte padding (Source – Hexastrike)]

Beneath the padding sits a 44-kilobyte self-extracting cabinet that drops a batch script named Receipt.gif. Despite the image extension, it is a 235-line obfuscated script that reassembles a Vidar infostealer from split file fragments using character substitution to defeat signature-based detection.

[Figure: First lines of Receipt.gif showing the Set variable chain with random dictionary words inserted as obfuscation padding (Source – Hexastrike)]

The archive password — either “github” or “codeberg” — is posted directly in the Reddit thread, both names chosen to evoke legitimate developer platforms and lower suspicion.

On macOS, the download is a disk image that mounts with a TradingView-branded background to mimic a real installer. Inside sits a compact 217-kilobyte Mach-O binary that decrypts an AMOS stealer at runtime through a polymorphic XOR loop. Once executed, AMOS harvests credentials and cookies from Chrome, Firefox, Safari, Brave, Edge, and Opera, copies wallet files from Exodus, Electrum, and MetaMask, and exfiltrates everything over HTTP within seconds.

[Figure: Mounted TradingView DMG showing the application icon over a branded background designed to appear like a legitimate installer (Source – Hexastrike)]

Organizations should add the identified distribution domains to web proxy and DNS blocklists, and hunt for patterns where Reddit browsing is followed quickly by a large ZIP download from an unrelated domain. On Windows, flag wextract.exe spawning cmd.exe with delayed variable expansion. On macOS, monitor for unsigned applications calling osascript or making unexpected dscl authonly credential validation attempts. Anyone with any doubt about exposure should treat it as a confirmed compromise — browser passwords, session cookies, and crypto wallet keys should all be considered stolen. Downloading cracked software remains one of the most reliable ways threat actors find victims today.
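As an added example (not code from Hexastrike or Cyber Security News), the three hunting rules above applied to constructed proxy and process-creation events; the "ts key=value" log format, the 10-minute window after Reddit browsing and the 100 MB ZIP threshold are assumptions, not values from the report.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry in an assumed "ts key=value ..." format (not a real SIEM schema).
PROXY_LOG = [
    '2026-04-07T10:00:00 host=WS01 url=https://www.reddit.com/r/CryptoCurrencyDM/ bytes=18000',
    '2026-04-07T10:02:15 host=WS01 url=https://shop.example.invalid/dl/TradingView_Premium.zip bytes=822000000',
    '2026-04-07T10:05:00 host=WS02 url=https://www.reddit.com/r/python/ bytes=20000',
    '2026-04-07T11:30:00 host=WS02 url=https://updates.example.invalid/patch.zip bytes=900000000',
]
PROCESS_LOG = [
    '2026-04-07T10:03:01 host=WS01 parent=wextract.exe image=cmd.exe cmdline="cmd /v:on /c Receipt.gif" signed=true',
    '2026-04-07T10:04:00 host=MAC01 parent=TradingView image=osascript cmdline="osascript -e ..." signed=false',
    '2026-04-07T10:04:05 host=MAC01 parent=TradingView image=dscl cmdline="dscl . -authonly user pw" signed=false',
    '2026-04-07T09:00:00 host=MAC02 parent=Finder image=osascript cmdline="osascript -e ..." signed=true',
]
ZIP_WINDOW = timedelta(minutes=10)   # assumed hunting window after a Reddit visit
ZIP_MIN_BYTES = 100_000_000          # assumed threshold; the reported sample was over 784 MB

def parse(line):
    """Split one event into a dict; quoted values may contain spaces."""
    ts, rest = line.split(' ', 1)
    ev = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    ev['ts'] = datetime.fromisoformat(ts)
    return ev

def reddit_then_large_zip(events):
    """Per host: a reddit.com visit followed within ZIP_WINDOW by a large .zip from another domain."""
    hits, last_reddit = [], {}
    for ev in sorted(events, key=lambda e: e['ts']):
        if (urlparse(ev['url']).hostname or '').endswith('reddit.com'):
            last_reddit[ev['host']] = ev['ts']
        elif (ev['url'].lower().endswith('.zip') and int(ev['bytes']) >= ZIP_MIN_BYTES
              and ev['host'] in last_reddit and ev['ts'] - last_reddit[ev['host']] <= ZIP_WINDOW):
            hits.append(('reddit_then_large_zip', ev['host'], ev['url']))
    return hits

def suspicious_process(events):
    """wextract.exe -> cmd.exe with delayed expansion; unsigned app -> osascript or dscl -authonly."""
    hits = []
    for ev in events:
        cmd = ev.get('cmdline', '').lower()
        if (ev['parent'].lower() == 'wextract.exe' and ev['image'].lower() == 'cmd.exe'
                and ('/v:on' in cmd or 'enabledelayedexpansion' in cmd)):
            hits.append(('wextract_cmd_delayed_expansion', ev['host'], cmd))
        if ev['signed'] == 'false' and (ev['image'] == 'osascript'
                                        or (ev['image'] == 'dscl' and '-authonly' in cmd)):
            hits.append(('unsigned_app_credential_access', ev['host'], ev['image']))
    return hits

def run_hunt():
    """Run both rule sets over the sample logs and return every finding."""
    return (reddit_then_large_zip([parse(ln) for ln in PROXY_LOG])
            + suspicious_process([parse(ln) for ln in PROCESS_LOG]))

if __name__ == '__main__':
    for hit in run_hunt():
        print(hit)
```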