Reddit TradingView Lures Leading to Vidar and AMOS Stealers

Overview of identified subreddits used to distribute fake TradingView Premium builds across Reddit.

While handling recent stealer infections, we traced the initial compromise back to Reddit. A threat actor had been operating across several subreddits, some hijacked from legitimate communities and others purpose-built, using a mix of compromised and freshly created Reddit accounts to push malicious software disguised as cracked TradingView Premium builds. Based on overlapping language patterns, shared infrastructure and nearly identical post templates, we assess with high confidence that a single threat actor is behind this campaign. The infection chain itself is not new. Vidar and AMOS distribution through social media platforms and GitHub repositories has been well documented by the security community throughout 2025, and the TradingView lure specifically has been flagged by multiple researchers. What is noteworthy here is the operational scale and persistence on Reddit, and the continued evolution of the delivery infrastructure to stay ahead of takedowns.

The lure is straightforward. TradingView is a browser-based charting platform and social network widely used by traders and investors. It offers real-time financial market analysis for stocks, crypto and forex through advanced charts, more than a hundred built-in indicators and collaborative trading idea sharing. A Premium subscription unlocks the most powerful features and comes at a price that many retail traders would rather avoid, which makes it a compelling target for social engineering.

What makes this campaign particularly effective is the effort put into appearing legitimate. The threat actor actively comments on their own posts with different accounts, creating the illusion of a busy and helpful community. More concerning, any comments from real users pointing out that the downloads are malware get deleted within minutes. The operation is hands-on and closely monitored.

The actual payloads are hosted on hijacked legitimate company websites and delivered as password-protected ZIP archives. On Windows, the download contains an executable bloated to over 780 megabytes through null-byte padding, designed to exceed the file size limits of most antivirus scanners. Inside, a self-extracting cabinet drops an obfuscated batch script that reassembles a Vidar infostealer from fragmented data blobs. On macOS, a compact native binary decrypts and executes an AMOS stealer payload that harvests browser credentials, cryptocurrency wallets and Keychain data from six major browsers. Both variants exfiltrate stolen data to attacker-controlled infrastructure within seconds of execution. The password-protected archive delivery prevents automated unpacking at network boundaries and in cloud sandboxes.

This campaign is still active at the time of writing. Older payload delivery URLs get replaced as soon as they are flagged, and new subreddits continue to appear. Similar activity targeting TradingView users on Reddit has been observed by other researchers in the community since early 2025, suggesting this operation has been running and evolving for over a year.

The Lure

The campaign specifically targets users searching for free or cracked versions of TradingView Premium. To reach them, the threat actor posts in hijacked, unrelated subreddits using Reddit accounts that show either no prior activity or only very old, unrelated posts from years ago. The accounts themselves appear to be either purchased or compromised, lending them a veneer of age and legitimacy that freshly created throwaway accounts would lack.

For readers less familiar with the platform, Reddit is a social news and discussion site organized into topic-specific communities called subreddits. Anyone can create a subreddit and moderate it, and users build reputation over time through posting and commenting activity, earning karma and achievement trophies that signal how long an account has been active.

Subreddit          | Sub Created | Subscribers | User                   | Account Created | Post
r/BitBullito       | 2025-10-05  | 2           | u/roacerulupeste       | 2019-11-17      | Free TradingView Premium Unlocked Edition
r/CryptoCurrencyDM | 2026-02-20  | 29          | u/abdohisoka           | 2021-08-03      | TradingView Premium Free v3.12.0.743
r/ForexWinchester  | 2025-02-22  | 1,195       | u/dtrendz              | 2018-08-29      | Free TradingView Premium New Update
r/FXPulse          | 2025-10-15  | 1,685       | u/Comfortable-Fee5884  | 2020-12-31      | TradingView Free v2.13.0.7353
r/GitHub_Source    | 2026-03-25  | 388         | u/Broad_Department_573 | 2021-07-06      | TradingView Premium Lifetime Edition v2.9.6

The subreddit creation dates tell a clear story. r/BitBullito was created in October 2025 and has exactly two subscribers. r/CryptoCurrencyDM was spun up in February 2026 with 29. r/GitHub_Source was created on March 25, 2026, just days before the post appeared. Meanwhile, the accounts posting in them were all created between 2018 and 2021, years before any of these subreddits existed. This is the classic pattern of old hijacked or purchased accounts being deployed into freshly created subreddits to give the operation a sense of history and legitimacy it does not actually have.

Take u/Broad_Department_573 as an example. The account has been active for at least four years and carries the “Four Year Club” Reddit trophy, yet its entire posting history consists of a single promotional post in r/GitHub_Source. There is no organic activity, no comments in other communities, nothing that would suggest a real person behind the account.

Reddit profile of `u/Broad_Department_573` showing the Four Year Club trophy alongside an otherwise empty activity history.

The posts themselves follow a consistent template, promising a fully unlocked and “reverse engineered” version of TradingView that has been “tested on Apple Silicon” and removes all license checks. Titles follow patterns like “TradingView Premium Free” or “TradingView Premium Lifetime Edition” paired with specific version numbers to appear current and credible. The claim is that these programs have been cracked directly from the official builds, unlocking all premium features at no cost. In reality, the downloads contain two distinct malware families targeting Windows and macOS respectively.

Post body claiming the software is reverse engineered with all license checks removed and premium access unlocked forever.

One thing that stood out immediately was the consistent mention of separate download links for three different platforms across every single subreddit post. There is always a Windows version, a macOS version and a dedicated macOS 15 version. This level of platform-specific targeting is unusual for typical piracy posts and suggests the threat actor is aware that macOS Sequoia tightened Gatekeeper: the Control-click Open bypass for apps that are not signed and notarized was removed, and such apps now run only after the user explicitly allows them in System Settings. Offering a version specifically labeled for macOS 15 and above adds credibility with technically aware users and, together with the allowlisting instructions further down in the posts, ensures the malware actually runs on the latest Apple operating systems.

Three separate download buttons for Windows, macOS and macOS 15 plus, each linking to a different compromised domain.

Another consistent element across every post is the installation instructions. They are remarkably detailed and all incorporate the mention of a password-protected archive. During our analysis, we identified two password variants being used. Some posts instruct users to enter github as the archive password while others use codeberg, both names deliberately chosen to evoke legitimate developer platforms and lower suspicion. The choice of github as a password is particularly notable given that GitHub has already been heavily abused as a distribution vector for both Vidar and AMOS in documented campaigns throughout 2025.

Step-by-step installation guide with the archive password displayed in bold text.

The instructions go even further. Each post includes thorough descriptions of which decompression software to use for extracting the downloaded archives. For Windows users, 7-Zip and WinRAR are recommended. For macOS, The Unarchiver is suggested. PeaZip is mentioned as working on both operating systems. The threat actor clearly wants to make absolutely sure that every person who downloads the file can actually open it and run the payload, removing any friction from the infection chain.

Recommended decompression tools listed for each operating system to ensure victims can extract the malicious archive.

Additional patterns emerged when comparing the five identified subreddits side by side. The comments sections showed striking similarities, with near-identical phrasing appearing across supposedly different users. There was also noticeable user overlap between posts. We believe the threat actor is commenting on their own posts with alternate accounts to create the appearance of an active, satisfied user base. Beyond that, every subreddit had a trail of deleted comments. Anything that called out the downloads as malware vanished within minutes, confirming that the operator is actively monitoring and moderating these posts in near real time.

It is also very likely that almost all of the post text and comments are generated by a large language model, especially given the reuse of identical phrasing and infrastructure across campaigns. While not definitive on its own, the writing shows consistent telltale signs. There is a heavy overuse of bullet points and emoji icons throughout the posts. More subtle but equally revealing is the consistent use of em dashes instead of parentheses, and the placement of commas and periods inside quotation marks rather than after them, a formatting choice that American English LLMs default to but that does not match the posting style of typical Reddit users in piracy communities.

Comment text showing characteristic LLM formatting with em dashes and punctuation placed inside quotation marks.

In a particularly ironic touch, the macOS installation instructions include a helpful note for users whose system blocks the application from running. The post walks them through opening System Settings, navigating to Privacy and Security, and explicitly allowlisting the malware. The threat actor is essentially providing a step-by-step guide for victims to disable the exact security control that would have protected them.

Instructions telling macOS users to open Privacy and Security settings and allowlist the blocked application.

Payload Delivery

Each of the identified subreddit posts contains three outgoing links to externally hosted payloads, one each for Windows, macOS and macOS 15. What makes the delivery infrastructure particularly interesting is that every single hosting domain belongs to a legitimate, existing company. These are not throwaway domains registered for the campaign. They are real business websites that appear to have been compromised, with the malware files placed in subdirectories like /share/ or /tvwin/ alongside the company’s normal web content. How exactly these sites were compromised remains unclear, but the pattern of using hijacked legitimate infrastructure for hosting adds another layer of trust for victims who might check the domain reputation before downloading.

The following distribution URLs were identified across the campaign.

Domain                   | Windows         | macOS         | macOS 15+
fotoflux[.]com           | /share/         |               |
ghatreh[.]co             | /share_windows/ | /share_macos/ | /share_macos_15/
hitechprovider[.]com     | /tvwin/         | /macs/        | /mac15s/
techadapt[.]io           | /share_windows/ | /share_macos/ | /share_macos_15/
qwayglobalventures[.]com | /wintv/         | /macapp/      | /mac15app/

Malware Analysis

Clicking the Windows download link delivers a ZIP archive that itself contains a second, password-protected archive inside. The macOS link delivers a single password-protected ZIP without the double nesting. In both cases, the password is provided directly in the Reddit post, either github or codeberg depending on the variant. The password protection prevents automated scanning engines at network boundaries and in cloud sandboxes from unpacking and inspecting the contents, meaning the payload passes through most security controls uninspected.

Once extracted, the contents differ significantly between Windows and macOS, though both ultimately serve the same goal of stealing credentials, browser data and cryptocurrency wallets.

Windows Payload

The delivery technique on the Windows side follows a pattern well established in Vidar distribution campaigns. The archive extracts to what appears to be a standard application directory containing an executable alongside several DLL files and folders with names borrowed from Linux system paths such as apt, usb, utils, binfmts and gems. These directories serve no functional purpose and exist purely as padding to inflate the archive size. The executable itself, TradingView Premium Desktop.exe from archive 9867207751793bcf7ebcba467b16b61cd79bbb8cd90c6f33e55141770c967a43, weighs in at 784 megabytes.

Extracted archive contents showing the bloated executable alongside DLL files and Linux-style padding directories.

That file size is not accidental. Most enterprise and consumer antivirus engines impose maximum file size limits for scanning, typically in the range of 100 to 400 megabytes. A 784-megabyte executable simply gets skipped during on-access and on-demand scans. Under the hood, the bloat sits inside the PE resource section, padded with hundreds of megabytes of null bytes.

Entropy graph of the executable showing the resource section filled almost entirely with zero-byte padding.
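The padding is easy to measure once you walk the section table. The following Python script is an added example and not code from the original analysis: it parses the PE headers without third-party libraries, reports the raw size, null-byte ratio and entropy of every section, and flags sections that are large but almost entirely zeros. Because no sample ships with this post, the hypothetical build_padded_pe() helper constructs a small synthetic PE32 in memory (its layout, the 16 KB threshold used in the demo and the section names are assumptions); on a real file you would read the bytes from disk and keep the default 50 MiB threshold.

```python
import math
import struct
from collections import Counter

# Added example (not code from the original post): a dependency-free PE section
# walker that flags sections inflated with null-byte padding, the trick used to
# push the TradingView dropper past scanner size limits. build_padded_pe() is a
# hypothetical helper that assembles a minimal synthetic PE so the check runs
# offline; the thresholds are illustrative, not values taken from the sample.

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for identical bytes, close to 8.0 for packed/encrypted data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> NT headers -> section table and profile each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size              # signature (4) + COFF header (20)
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(pe, table + i * SECTION_HEADER.size)
        raw_size, raw_ptr = fields[3], fields[4]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "zero_ratio": raw.count(0) / len(raw) if raw else 0.0,
            "entropy": shannon_entropy(raw),
        })
    return sections


def bloated_sections(pe: bytes, min_bytes: int = 50 * 1024 * 1024,
                     min_zero_ratio: float = 0.98) -> list:
    """Names of sections that are both large and almost entirely null bytes."""
    return [s["name"] for s in parse_sections(pe)
            if s["raw_size"] >= min_bytes and s["zero_ratio"] >= min_zero_ratio]


def build_padded_pe(padding: int = 64 * 1024) -> bytes:
    """Constructed test input: a two-section PE32 whose .rsrc is a tiny header plus zeros."""
    e_lfanew, opt_size = 0x40, 224                # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    text = bytes((i * 73 + 17) & 0xFF for i in range(512))   # deterministic stand-in "code"
    rsrc = bytes(range(1, 65)) + b"\0" * (padding - 64)     # 64 real bytes, then padding
    text_off, rsrc_off = 0x200, 0x400

    def hdr(name, size, off):                     # VirtualAddress == file offset is fine here
        return SECTION_HEADER.pack(name, size, off, size, off, 0, 0, 0, 0, 0)

    image = bytearray(dos + b"PE\0\0" + coff + optional
                      + hdr(b".text", len(text), text_off) + hdr(b".rsrc", len(rsrc), rsrc_off))
    image += b"\0" * (text_off - len(image)) + text
    image += b"\0" * (rsrc_off - len(image)) + rsrc
    return bytes(image)


if __name__ == "__main__":
    sample = build_padded_pe()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} raw={s['raw_size']:>8} zeros={s['zero_ratio']:.4f} H={s['entropy']:.3f}")
    print("bloated:", bloated_sections(sample, min_bytes=16 * 1024))
```

On the real dropper the same walk shows a small .text section with normal entropy next to a resource section hundreds of megabytes in size with a zero ratio near 1.0; the sum of the non-padding section sizes is the real payload size that a scanner should have looked at.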

The actual executable code is a legitimate Microsoft wextract.exe self-extracting cabinet shell compiled with Visual Studio 2017, weighing just 44 kilobytes. Its resource section contains a 1.7-megabyte Microsoft Cabinet archive holding 11 files with innocuous names like AmbassadorHalf.gif, Impact.gif and Receipt.gif.

Contents of the embedded cabinet archive dumped to disk showing files with misleading names and extensions.

When executed, the self-extractor first runs sc.exe /?487953897489573453 as its primary command, a deliberately malformed service control query that produces no output and fails silently. This acts as a decoy for behavioral monitors that watch the initial process execution. Immediately after, it runs the post-extraction command cmd /v /c Set vyXYn=cmd & !vyXYn! < Receipt.gif, which enables delayed environment variable expansion and redirects Receipt.gif to the standard input of a second command interpreter, so cmd.exe reads and executes the file line by line regardless of its extension. Receipt.gif is not an image. It is a 235-line obfuscated batch script that constructs its actual commands through a chain of Set variable assignments, where each variable holds a single character. Names like Carrier, Flux, Cdna, Corps and Tray map to F, y, A, k and 1 respectively, forming a character substitution alphabet. Between the assignments, random English dictionary words are inserted as junk lines to break up the pattern and defeat signature-based detection.

First lines of `Receipt.gif` showing the `Set` variable chain with random dictionary words inserted as obfuscation padding.

When the variable references are expanded, the batch script first sets the payload filename to Motivated.exe, creates a working directory, and then uses copy /b to concatenate the remaining cabinet files, AmbassadorHalf.gif, LeavingLighter.gif and the others, into a single reassembled executable. The .gif files are not images. They are fragments of the actual Vidar payload that have been split apart to avoid detection as a complete malicious binary. Once reassembled, the script launches Motivated.exe with start /w, executing the final Vidar infostealer. Vidar is a well-documented commodity stealer sold on underground forums that targets browser credential stores, autofill data, cookie databases, cryptocurrency wallet files and local application tokens, exfiltrating everything over HTTP to an operator-controlled panel typically within seconds of execution.
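A Set chain like this is tedious to read by hand but mechanical to expand. The script below is an added example and not the dropper's own Receipt.gif: SAMPLE is a constructed imitation of the pattern (one-character assignments, junk dictionary words between them, commands assembled from !var! references) with invented variable names, and the file names from the text stand in for the real fragments. deobfuscate() collects the assignments, drops the junk lines and returns the commands the interpreter would actually run.

```python
import re

# Added example (not the real Receipt.gif): static expander for the Set-chain
# obfuscation described above. SAMPLE is a constructed script that imitates the
# pattern; variable names are invented, the technique mirrors the dropper.

SAMPLE = r"""@echo off
Set Carrier=c
velvet
Set Flux=o
granite
Set Cdna=p
Set Corps=y
marmalade
Set Tray=s
quarry
Set Harbor=t
Set Meadow=a
orchard
Set Lantern=r
Set NAME=Motivated.exe
md "%TEMP%\tv"
!Carrier!!Flux!!Cdna!!Corps! /b AmbassadorHalf.gif+LeavingLighter.gif+Impact.gif "%TEMP%\tv\!NAME!"
!Tray!!Harbor!!Meadow!!Lantern!!Harbor! /w "%TEMP%\tv\!NAME!"
"""

SET_LINE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=(.*?)"?\s*$', re.IGNORECASE)
REFERENCE = re.compile(r"!([A-Za-z_]\w*)!|%([A-Za-z_]\w*)%")   # !delayed! and %parse-time%
JUNK_WORD = re.compile(r"^\s*[A-Za-z]+\s*$")                   # a lone word with no operands


def parse_assignments(script: str) -> dict:
    """Collect every Set name=value; cmd.exe variable names are case-insensitive."""
    env = {}
    for line in script.splitlines():
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def expand(line: str, env: dict, max_rounds: int = 16) -> str:
    """Resolve !var! and %var% references; unknown names (e.g. %TEMP%) are left intact."""
    def repl(m):
        name = (m.group(1) or m.group(2)).lower()
        return env.get(name, m.group(0))

    for _ in range(max_rounds):          # bounded, since a value may itself hold references
        new = REFERENCE.sub(repl, line)
        if new == line:
            break
        line = new
    return line


def deobfuscate(script: str) -> list:
    """Return the commands the script really runs, with all references expanded."""
    env = parse_assignments(script)
    commands = []
    for line in script.splitlines():
        if not line.strip() or SET_LINE.match(line) or JUNK_WORD.match(line):
            continue                     # assignments and junk words never launch a payload
        commands.append(expand(line, env))
    return commands


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

The output is the handful of lines that matter for triage: the directory creation, the copy /b that stitches the fragments into Motivated.exe and the start /w that runs it. Note that the real script uses single-character variables for the command names only; the expander leaves any reference it cannot resolve (such as %TEMP%) in place rather than guessing.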

macOS Payload

The macOS variant follows an infection chain consistent with known AMOS stealer distribution methods, though with its own delivery-specific characteristics. The download link serves a single password-protected ZIP file containing a disk image, TradingView.dmg. When the DMG is mounted, it presents the user with what looks like a standard macOS application installer, complete with a branded background image mimicking the TradingView aesthetic.

Mounted TradingView DMG showing the application icon over a branded background designed to appear like a legitimate installer.

The application inside is a universal Mach-O binary compiled for both Intel x86_64 and Apple Silicon ARM64 architectures, ensuring it runs natively on every Mac sold in the past decade. In the variant delivered through ghatreh[.]co, the binary ships as a bare executable without a .app bundle wrapper, while a second variant created just three minutes later packages the same payload inside a proper TradingView.app bundle complete with an Info.plist and application icon. This suggests the operator was testing both delivery formats in parallel.

File listing of the mounted DMG showing the Mach-O universal binary alongside supporting bundle files.

At just 217 kilobytes, the macOS payload is remarkably compact compared to its Windows counterpart. The binary is written in C++ and links only against libc++ and libSystem, keeping its import footprint minimal. It contains a single encrypted payload of roughly 49 kilobytes stored in its __const section. At runtime, the binary calls a function named crypt<49833> that iterates over the encrypted blob byte by byte, XORing each one against the low byte of a rolling PRNG state. The PRNG is a multiplicative linear congruential generator with a multiplier of 14213 and a modulus derived from a time-seed embedded in the binary. Each build uses a unique seed and modulus combination, making the encrypted payload polymorphic across variants while keeping the decryption logic identical. The decrypted output is a single massive AppleScript command string that gets passed directly to the C system() function for execution.

Disassembled decryption loop showing the XOR operation against the MLCG keystream with the constant 0xC2A9 controlling the loop bound.
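To make the keystream concrete, here is an added Python re-implementation of the routine as described above; it is not the sample's own code. It assumes the state is multiplied by 14213 and reduced modulo the per-build modulus before each byte and that the low byte of the result is XORed with the ciphertext; SAMPLE_SEED, SAMPLE_MODULUS and the stand-in script are constructed values, not ones recovered from the binary. Because XOR is symmetric the same function encrypts the stand-in and decrypts it again, and a small plausibility check shows how an analyst tells a correct seed and modulus pair from a wrong one while recovering them from a new build.

```python
# Added example, not code from the original post: the decryption loop as described
# in the analysis (multiplicative LCG, multiplier 14213, per-build seed and modulus,
# low byte of the state XORed with each ciphertext byte). The point at which the
# state is advanced relative to the XOR is an assumption; SAMPLE_SEED, SAMPLE_MODULUS
# and STAND_IN_SCRIPT are constructed values, not ones recovered from the binary.

MULTIPLIER = 14213
SAMPLE_SEED = 1712345678           # assumption: a Unix-time style seed, like the real builds
SAMPLE_MODULUS = (1 << 31) - 1     # assumption: any odd modulus behaves the same way here
STAND_IN_SCRIPT = b'osascript -e \'display dialog "stand-in for the AMOS AppleScript"\''


def mlcg_keystream(seed: int, modulus: int, length: int):
    """Yield `length` key bytes: state <- state * 14213 mod modulus, emit its low byte.

    A multiplicative LCG has no increment, so a state of 0 (seed divisible by the
    modulus) is absorbing and would leave the blob effectively unencrypted.
    """
    state = seed % modulus
    for _ in range(length):
        state = (state * MULTIPLIER) % modulus
        yield state & 0xFF


def crypt(blob: bytes, seed: int, modulus: int) -> bytes:
    """XOR is symmetric: the same call encrypts a plaintext or decrypts a __const blob."""
    return bytes(b ^ k for b, k in zip(blob, mlcg_keystream(seed, modulus, len(blob))))


def looks_like_script(blob: bytes) -> bool:
    """Plausibility test for a candidate seed/modulus: printable text that mentions osascript."""
    printable = all(32 <= c < 127 or c in (9, 10, 13) for c in blob)
    return printable and b"osascript" in blob


if __name__ == "__main__":
    encrypted = crypt(STAND_IN_SCRIPT, SAMPLE_SEED, SAMPLE_MODULUS)   # what sits in __const
    decrypted = crypt(encrypted, SAMPLE_SEED, SAMPLE_MODULUS)         # what reaches system()
    print("round trip ok:", decrypted == STAND_IN_SCRIPT)
    wrong = crypt(encrypted, SAMPLE_SEED + 1, SAMPLE_MODULUS)
    print("wrong seed plausible:", looks_like_script(wrong))
```

With a real sample, the seed and modulus come out of the binary's constants (the loop bound 0xC2A9 tells you the blob length), and the decrypted bytes can be written to a file and read as AppleScript instead of being handed to system().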

The decrypted AppleScript payload is an AMOS stealer. It begins by hiding the Terminal window from the user, then validates the local macOS account password through dscl . authonly to silently unlock Keychain access. From there it systematically harvests data from Chrome, Firefox, Safari, Brave, Edge and Opera, extracting login credentials, cookies, autofill entries and stored credit card data. It copies cryptocurrency wallet files from Exodus, Electrum and MetaMask, grabs Telegram session data, collects hardware UUIDs and full system profiles through system_profiler, and in a particularly aggressive move downloads and installs a fake Ledger hardware wallet application into the /Applications folder. All stolen data is packaged into ZIP archives using ditto and exfiltrated via HTTP POST to a hardcoded command and control server, with each request carrying a unique build identifier in the HTTP headers that allows the operator to track which campaign and payload variant generated the stolen data.

Detection and Prevention

We have seen infections from this campaign primarily on non-corporate, private devices, which aligns with the targeting of individual retail traders and cryptocurrency enthusiasts. However, organisations should not assume they are immune. Users who trade crypto or follow financial markets on personal time may well download these files on a work device, especially when working remotely.

For organisations, we recommend adding the identified distribution domains to web proxy and DNS blocklists. As a general security hygiene measure, blocking the download of password-protected ZIP and 7z archives at the email and web gateway level significantly reduces exposure to this type of delivery mechanism. Security teams with access to web proxy logs should also hunt for a pattern where Reddit browsing activity is followed shortly by a large ZIP download from an unrelated domain, as this behavioral chain is a strong indicator of this specific campaign.
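The proxy hunt described in the previous paragraph translates directly into a few lines of Python. The following is an added example and not the author's own query: it parses constructed proxy log lines (timestamp, client, method, URL, status, content type, bytes; hostnames under the reserved .test TLD), remembers each client's last Reddit request, and flags any large ZIP download from a non-Reddit host within a 15-minute window. The window and size threshold are assumptions to tune against your own traffic, and the field order is that of the constructed log, so adapt parse_line() to your proxy's format.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Added example (not the original post's own hunting query): flag large ZIP downloads
# from non-Reddit hosts that closely follow Reddit browsing by the same client.
# Log lines and hostnames are constructed for the demo (reserved .test TLD); the
# window and size threshold are assumptions to tune against real traffic.

REDDIT_HOSTS = ("reddit.com", "redd.it", "redditmedia.com", "redditstatic.com")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

SAMPLE_LOG = """\
2026-03-28T10:14:02Z 10.0.0.12 GET https://www.reddit.com/r/GitHub_Source/ 200 text/html 48213
2026-03-28T10:14:10Z 10.0.0.12 GET https://cdn.example.test/icons.zip 200 application/zip 20480
2026-03-28T10:14:40Z 10.0.0.12 GET https://compromised-biz.test/tvwin/TradingView.zip 200 application/zip 812345678
2026-03-28T10:20:00Z 10.0.0.33 GET https://www.reddit.com/r/netsec/ 200 text/html 51000
2026-03-28T12:20:00Z 10.0.0.33 GET https://mirror.example.test/tool.zip 200 application/zip 120000000
2026-03-28T10:30:00Z 10.0.0.44 GET https://files.example.test/update.zip 200 application/zip 900000000
"""


def is_reddit(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in REDDIT_HOSTS)


def parse_line(line: str) -> dict:
    """Fields of the constructed log: timestamp, client, method, URL, status, type, bytes."""
    ts, src, _method, url, _status, ctype, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "url": url,
        "host": urlparse(url).hostname or "",
        "ctype": ctype,
        "bytes": int(size),
    }


def looks_like_zip(rec: dict) -> bool:
    return rec["ctype"] in ZIP_TYPES or urlparse(rec["url"]).path.lower().endswith(".zip")


def hunt(log: str, window: timedelta = timedelta(minutes=15),
         min_bytes: int = 50_000_000) -> list:
    """One hit per large non-Reddit ZIP fetched within `window` of the client's last Reddit view."""
    records = sorted((parse_line(l) for l in log.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    last_reddit = {}                      # client -> timestamp of its most recent Reddit request
    hits = []
    for rec in records:
        if is_reddit(rec["host"]):
            last_reddit[rec["src"]] = rec["ts"]
            continue
        seen = last_reddit.get(rec["src"])
        if seen is None or not looks_like_zip(rec) or rec["bytes"] < min_bytes:
            continue
        delta = rec["ts"] - seen
        if delta <= window:
            hits.append({"src": rec["src"], "url": rec["url"], "bytes": rec["bytes"],
                         "seconds_after_reddit": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['src']} fetched {hit['bytes']} bytes from {hit['url']} "
              f"{hit['seconds_after_reddit']}s after browsing Reddit")
```

In the constructed log only 10.0.0.12 is flagged: the small icons.zip falls under the size threshold, 10.0.0.33 downloaded its archive two hours after its last Reddit visit, and 10.0.0.44 never visited Reddit at all. Widening the window to a few hours catches the second client as well, which is the usual trade-off between recall and analyst noise.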

On Windows endpoints, look for wextract.exe spawning cmd.exe with delayed variable expansion enabled, large executables with disproportionately bloated resource sections, and batch scripts performing sequential copy /b operations to reassemble files from fragments. On macOS, monitor for unsigned or ad-hoc signed applications that spawn /bin/sh or osascript immediately after launch (system() runs its command through /bin/sh, so that is what process telemetry will show), unexpected dscl . authonly calls attempting to validate user credentials, ditto creating ZIP archives in temporary directories, and outbound HTTP POST traffic from processes that should not be making network connections.

User awareness remains critical. Employees and individuals should understand that downloading cracked software is one of the most reliable infection vectors that threat actors exploit today. The promise of free premium software is almost always a trap.

For anyone uncertain whether they may have been affected, look for the known indicators of AMOS and Vidar stealer infections. If there is any doubt, treat it as a confirmed compromise and initiate incident response procedures immediately. Given the breadth of data these stealers harvest, a compromise likely means all browser-saved passwords, active session cookies, cryptocurrency wallet keys and locally stored tokens should be considered exposed.

Wrap Up

What makes this campaign effective is not technical sophistication but operational discipline. The threat actor maintains their subreddits, deletes warning comments in real time, rotates compromised hosting infrastructure when domains get flagged, and tailors payloads for three distinct platforms. The combination of aged Reddit accounts, convincing LLM-generated copy and hijacked legitimate websites creates a distribution pipeline that is difficult for platforms to detect and easy for users to trust. As long as people search for free versions of paid software, campaigns like this will continue to find victims.

Indicators of Compromise

Reddit Posts

  • hxxps[://]www[.]reddit[.]com/r/BitBullito/comments/1o0ptij/free_tradingview_premium_unlocked_edition_for/
  • hxxps[://]www[.]reddit[.]com/r/CryptoCurrencyDM/comments/1rbhg3l/tradingview_premium_free_v3120743_fully_unlocked/
  • hxxps[://]www[.]reddit[.]com/r/ForexWinchester/comments/1o159qb/free_tradingview_premium_new_update_winmacos/
  • hxxps[://]www[.]reddit[.]com/r/FXPulse/comments/1o7cq6m/tradingview_free_v21307353_september_2025_desktop/
  • hxxps[://]www[.]reddit[.]com/r/GitHub_Source/comments/1s33skm/tradingview_premium_lifetime_edition_v296_windows/

Distribution Domains

  • fotoflux[.]com
  • ghatreh[.]co
  • hitechprovider[.]com
  • techadapt[.]io
  • qwayglobalventures[.]com

Payload Archives

  • 9867207751793bcf7ebcba467b16b61cd79bbb8cd90c6f33e55141770c967a43 (Windows archive)
  • af547cdc1b7a9dfa507257ee416a9f2b20b85444b5d6f2f080019250426e4394 (macOS archive)
  • 61191267f2d8625268cd7e488a16ab5c7b67765fb2b9bc76e4d2d97def83395a (macOS 15+ archive)

C2 Infrastructure

  • 217[.]119[.]139[.]117
  • 135[.]181[.]233[.]224

Archive Passwords

  • github
  • codeberg


About the author
Maurice Fielenbach

Maurice has spent over 10 years in cybersecurity, leading digital forensics and incident response, threat intelligence, and threat hunting. He has managed major security incidents across industries and works more than 100 cases per year. He trains security teams in digital forensics, malware analysis, and threat hunting, and is a regular speaker at industry events. His research has been featured in The Hacker News, Cybersecurity News, and Cryptika.
