A sophisticated threat actor is actively exploiting the desire for premium features on TradingView, a popular charting platform used by traders and investors. By posting deceptive advertisements on Reddit promising free TradingView Premium access, the attacker is successfully distributing malware families known as Vidar for Windows and AMOS for macOS. This ongoing campaign highlights a persistent tactic where social media platforms become fertile ground for malicious campaigns, targeting users seeking shortcuts to valuable services.
The operation, as detailed by Hexastrike analysts, involves meticulous planning and execution. The threat actor utilizes a network of at least five subreddits, employing aged, purchased, or compromised accounts to establish a veneer of credibility. This strategic approach aims to bypass scrutiny and encourage unsuspecting users to engage with the fraudulent offers. The campaign’s persistence is further evidenced by the attacker’s ability to rapidly adapt, such as by changing hosting domains as soon as they are flagged and swiftly removing any user warnings that appear.
TradingView’s premium subscription offers enhanced analytical tools and real-time data, a valuable asset for active traders that many are reluctant to pay for. The threat actor exploits exactly that reluctance. The campaign specifically targets subreddits with low subscriber counts, such as r/BitBullito and r/CryptoCurrencyDM, which had only two and 29 subscribers, respectively. Suspiciously, the accounts distributing these posts often possessed older Reddit trophies, like the “Four Year Club,” suggesting a history on the platform that lends them an undeserved air of trustworthiness.
The Deceptive Campaign Mechanism
The modus operandi involves creating posts that appear to be genuine offers for free TradingView Premium access. These posts meticulously guide victims through an entire infection chain, often presenting the software as reverse-engineered with all license checks removed. The attacker provides separate download links tailored for Windows, macOS, and even a specific version for macOS 15, demonstrating an understanding of the security measures like Apple’s Gatekeeper, particularly in newer macOS versions such as Sequoia.
The convenience and perceived value of obtaining premium software for free outweigh the caution for many users, leading them to the download links. The threat actor enhances this deception by hosting the malicious payloads on compromised legitimate business websites, making the download links appear more legitimate and less suspicious than typical malware distribution sites.
On Windows systems, the downloaded executable is a large file, exceeding 784 megabytes. This significant size is achieved through padding with null bytes in its PE resource section, a technique designed to bypass the scrutiny of many antivirus scanners. Beneath this padding, a self-extracting cabinet file is embedded. This cabinet drops a batch script named “Receipt.gif.” Despite its image file extension, this script is an obfuscated batch file containing over 235 lines of code. It reconstructs the Vidar infostealer from fragmented files, using character substitution to evade signature-based detection methods by security software.
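The null-byte padding described above is easy to measure: a legitimately large installer is dominated by compressed, high-entropy data, whereas a padded dropper is dominated by one enormous run of zero bytes. The following is an added example, not code from the Hexastrike report, that implements that heuristic with the Python standard library; the thresholds, the sample builder and the report fields are assumptions, and the constructed sample stands in for a real executable.

```python
# Added example (not from the original report): stdlib-only heuristic for
# executables inflated with a long run of null bytes. Thresholds are assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PaddingReport:
    size: int               # total bytes examined
    null_bytes: int         # count of 0x00 bytes
    longest_null_run: int   # longest contiguous run of 0x00 bytes

    @property
    def null_ratio(self) -> float:
        return self.null_bytes / self.size if self.size else 0.0


_NULL_RUN = re.compile(rb"\x00+")   # regex keeps the scan in C, not a Python loop


def analyze_padding(data: bytes) -> PaddingReport:
    """Measure how much of a byte string is null padding."""
    longest = max((m.end() - m.start() for m in _NULL_RUN.finditer(data)), default=0)
    return PaddingReport(len(data), data.count(b"\x00"), longest)


def is_suspiciously_padded(report: PaddingReport,
                           min_size: int = 100 * 1024 * 1024,
                           min_null_ratio: float = 0.5,
                           min_null_run: int = 10 * 1024 * 1024) -> bool:
    """Flag a file that is large AND consists mostly of one dominant zero run.

    Size alone is not a signal (game installers are huge); a single zero run
    making up most of the file is what distinguishes padding from payload.
    """
    return (report.size >= min_size
            and report.null_ratio >= min_null_ratio
            and report.longest_null_run >= min_null_run)


def scan_file(path: str) -> PaddingReport:
    """Analyze a file on disk (reads it fully; fine for the sizes in question)."""
    with open(path, "rb") as fh:
        return analyze_padding(fh.read())


def build_sample(padding: int) -> bytes:
    """Constructed stand-in for an executable: a 16 KiB body of every byte
    value (low null content, runs of length 1) followed by `padding` nulls."""
    body = bytes(range(256)) * 64
    return body + b"\x00" * padding


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(0)), ("padded", build_sample(1 << 20))):
        rep = analyze_padding(blob)
        print(label, rep, "ratio=%.3f" % rep.null_ratio,
              "suspicious=%s" % is_suspiciously_padded(rep, min_size=1 << 20,
                                                       min_null_run=1 << 19))
```

Run it against a quarantined sample with `scan_file(path)`; for production triage the same check can be applied per PE section (the text locates the padding in the resource section) once a PE parser is available, which keeps the section-level null ratio from being diluted by the rest of the file.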
Archive passwords, such as “github” or “codeberg,” are also openly shared within the Reddit thread. These passwords are strategically chosen to evoke legitimate developer platforms, further reducing user suspicion. The choice of these passwords is a subtle, yet effective, psychological tactic.
For macOS users, the infection vector is a disk image (DMG) file. When mounted, this DMG features a TradingView-branded background, designed to mimic a legitimate installer. Inside the DMG lies a compact Mach-O binary, approximately 217 kilobytes. This binary decrypts the AMOS stealer malware at runtime, employing a polymorphic XOR loop to further complicate detection efforts. Once active, AMOS is designed to pilfer sensitive information. It targets credentials and session cookies from popular web browsers including Chrome, Firefox, Safari, Brave, Edge, and Opera. Additionally, it seeks out cryptocurrency wallet files from applications like Exodus, Electrum, and MetaMask. The stolen data is then rapidly exfiltrated over HTTP connections, often within seconds of execution.
Implications and Mitigation Strategies
The successful deployment of Vidar and AMOS stealer malware through this campaign poses a significant risk to users’ financial and personal data. The ability of these stealers to extract cryptocurrency wallet information makes them particularly dangerous. Organizations are advised to implement robust security measures to counter this evolving threat. This includes adding the identified distribution domains to web proxy and DNS blocklists to prevent access. Furthermore, network administrators should hunt for specific activity patterns, such as Reddit browsing sessions followed by large ZIP file downloads from unrelated domains.
For Windows environments, security teams should monitor for suspicious process chains, specifically the execution of wextract.exe spawning cmd.exe with delayed variable expansion enabled. On macOS, vigilance is required for unsigned applications that initiate calls to osascript or engage in unexpected dscl authonly credential validation attempts. These indicators can signal an active infection by the AMOS stealer.
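The two process patterns named above translate directly into hunting rules. The following is an added example, not code from the Hexastrike report or any vendor product, that expresses them in Python and runs them over constructed process-creation events. The event schema (`parent_image`, `image`, `command_line`, `parent_signed`) and the sample paths and command lines are assumptions; map the fields to your EDR or Sysmon telemetry.

```python
# Added example (not from the original report): hunting rules for the process
# patterns the text names, evaluated over constructed process-creation events.
# Event field names are assumptions; adapt them to your telemetry schema.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host_os: str            # "windows" or "macos"
    parent_image: str       # full path of the parent process
    image: str              # full path of the newly created process
    command_line: str
    parent_signed: bool = True   # code-signature status of the parent, as reported by the sensor


def _basename(path: str) -> str:
    """Case-insensitive file name for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_wextract_cmd_delayed_expansion(ev: ProcessEvent) -> bool:
    """wextract.exe (self-extracting cabinet stub) launching cmd.exe with /V:ON.

    Note: a script that uses `setlocal EnableDelayedExpansion` internally will
    not show the flag on the command line; this rule covers the /V:ON form only.
    """
    if ev.host_os != "windows":
        return False
    if _basename(ev.parent_image) != "wextract.exe" or _basename(ev.image) != "cmd.exe":
        return False
    return "/v:on" in ev.command_line.lower().split()


def rule_unsigned_parent_osascript(ev: ProcessEvent) -> bool:
    """osascript spawned by an unsigned application."""
    return (ev.host_os == "macos"
            and not ev.parent_signed
            and _basename(ev.image) == "osascript")


def rule_dscl_authonly(ev: ProcessEvent) -> bool:
    """dscl invoked with the authonly verb (credential validation attempt)."""
    if ev.host_os != "macos" or _basename(ev.image) != "dscl":
        return False
    return any(tok.lstrip("-") == "authonly" for tok in ev.command_line.lower().split())


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "wextract_cmd_delayed_expansion": rule_wextract_cmd_delayed_expansion,
    "unsigned_parent_osascript": rule_unsigned_parent_osascript,
    "dscl_authonly": rule_dscl_authonly,
}


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule_name, event) for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real IoCs): one true positive per rule plus
# two benign events that must not fire.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("windows", r"C:\Windows\System32\wextract.exe",
                 r"C:\Windows\System32\cmd.exe", r'cmd.exe /V:ON /C "Receipt.gif"'),
    ProcessEvent("windows", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /C dir"),
    ProcessEvent("macos", "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
                 "/usr/bin/osascript", "osascript /private/tmp/run.scpt", parent_signed=False),
    ProcessEvent("macos", "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
                 "/usr/bin/dscl", "dscl . -authonly jdoe <redacted>", parent_signed=False),
    ProcessEvent("macos", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 "/usr/bin/osascript", "osascript -e 'display notification \"hi\"'"),
]


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev.parent_image} -> {ev.command_line}")
```

The osascript rule depends on a sensor that reports the parent's signature status; where that field is absent, a mount point under /Volumes as the parent's path is a weaker substitute that matches DMG-delivered binaries but also legitimate installers.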
Given the nature of these stealer malware families, any user who suspects they may have interacted with or downloaded the fake TradingView premium software should assume their data has been compromised. This includes browser passwords, active session cookies, and any stored cryptocurrency wallet keys. The act of downloading cracked or pirated software remains a primary and highly effective method for threat actors to infiltrate user systems and acquire victims.
The ongoing nature of this campaign suggests that the threat actor will continue to adapt their methods. Users must remain vigilant against offers that seem too good to be true, especially on public forums. The cybersecurity community will likely see similar social engineering tactics employed across various platforms, targeting users’ desire for free or discounted software and services. The continuous evolution of obfuscation techniques and deployment methods underscores the need for advanced threat detection and rapid response capabilities.