Cybercriminals are now using TikTok videos to trick users into installing dangerous malware. These sophisticated ClickFix attacks distribute both Vidar and StealC information-stealing malware variants. Trend Micro security researchers recently discovered this widespread social engineering phishing campaign. The threat actors involved use videos that are very likely generated using AI tools. These videos instruct unsuspecting viewers to run specific PowerShell commands on their computers. The commands are cleverly disguised as steps to activate Windows or Microsoft Office. They also falsely claim to unlock premium features in legitimate software like CapCut. TikTok’s algorithmic reach significantly increases the likelihood of widespread victim exposure to these scams. One such malicious video reached over half a million views with many likes.
In the videos attackers prompt viewers to run a specific PowerShell download execution command.
This command instead downloads and then executes a malicious remote script from a server. This script then secretly installs either Vidar or StealC information-stealing malware onto systems. The malware is launched as a completely hidden process with highly elevated system permissions. Once deployed the Vidar malware can take many desktop screenshots and steal credentials. It also targets credit cards browser cookies cryptocurrency wallets and Authy 2FA authenticator databases. StealC malware can also harvest a wide range of sensitive information from infected computers. It specifically targets data from dozens of web browsers and also many cryptocurrency wallets. After initial compromise a second script adds a registry key for automatic startup. This action ensures the malware achieves long-term persistence on the victim’s now compromised system.
The ClickFix tactic employs fake system errors or various online verification system prompts. For example it might use deceptive CAPTCHA prompts to trick its potential targets. It aims to make users run malicious scripts to download and install malware. While generally targeting Windows users ClickFix also attacks macOS and Linux computer users. Even sophisticated state-sponsored threat groups have used very similar tactics in their attacks. This is not the first time TikTok videos were used to push malware. A previous ‘Invisible Challenge’ on TikTok infected thousands with the WASP Stealer malware. This new campaign cleverly uses faceless videos possibly AI-generated to provide malware instructions. This approach leaves no malicious code directly on the TikTok platform for easy detection.
The infection process begins when users execute the PowerShell command shown in TikTok videos.
This innocuous-looking command downloads and then immediately runs a harmful remote script. Upon execution the script creates hidden directories and adds Windows Defender exclusion list entries. This is a sophisticated evasion technique helping malware to successfully avoid standard antivirus detection. The malware then proceeds to download additional payloads including Vidar and StealC infostealers. Vidar for instance uses Steam profiles and Telegram channels as Dead Drop Resolvers. This technique effectively hides its actual command-and-control (C2) server infrastructure from researchers. The campaign effectively blends social engineering with more advanced technical exploitation of user trust. Users should maintain healthy skepticism towards any unsolicited technical instructions found on social media.
Reference:
