Yosi Azwan/iStock /Getty Images Plus
Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- TikTok is a delivery platform for ClickFix social engineering attacks.
- We found live video examples of the scam for Photoshop and Windows.
- Clickfix is a popular new method of choice for threat actors.
TikTok is being exploited as a delivery platform to spread information-stealing malware and other payloads, with free software acting as the bait.
On October 17, Senior ISC Handler Xavier Mertens said in a post published on the SANS Institute’s Internet Storm Center website that the wave of attacks on TikTok leverages ClickFix social engineering techniques to dupe victims into downloading malware onto their systems.
Also: This new cyberattack tricks you into hacking yourself. Here’s how to spot it
In the example video posted by Mertens, a scammer has posted content — with over 500 likes — which pretends to provide watchers with an easy way to activate Photoshop for free.
The victim is asked to start PowerShell as an administrator and trigger one line of code, which then executes “Updater.exe,” which is actually AuroStealer, a Trojan designed to steal credentials and system information. An additional shellcode is also launched in memory.
ZDNET explored TikTok for similar videos and it was surprising how many were live. For example, in the screenshot below, the author was promoting a fake way to download and install Adobe Photoshop without the need for a license. Other examples we found included fake, free ways to license Microsoft Windows.
Charlie Osborne/ZDNET
What is Clickfix?
Clickfix is a particularly nasty social engineering technique that tries to bypass traditional anti-phishing protections by tricking users into “hacking” themselves.
Also: Best VPN services 2025: The fastest VPNs with the best networks, ranked
Instructions are given, in one form or another, which could include using a Windows shortcut and copy-pasting a snippet of code into a command prompt to trigger a PowerShell script. These instructions are laid out in a way that is easy to understand and are given a fake purpose — such as for fixing a minor technical glitch, a way to use paid software for free, or as a “life hack” for improving popular streaming services.
Once the victim has unwittingly opened up their device for exploitation, a malicious payload is deployed and executed. Malware recorded in Clickfix campaigns includes information stealers, Remote Access Trojans (RATs), ransomware, and worms.
Is this the first time TikTok and Clickfix have been linked?
Sadly, no. Back in March, cybersecurity researchers from Trend Micro reported that TikTok videos, potentially generated through AI tools, were being distributed on the platform to spread Vidar and StealC information stealers. A network of faceless accounts posted videos on topics including improving Spotify and included step-by-step instructions that, instead, launched a PowerShell command to load malware.
Also: 9 ways to delete yourself from the internet (and hide your identity online)
“The vast user base and algorithmic reach of social media platforms provide an ideal delivery mechanism for threat actors,” the researchers noted. “For attackers, this means broad distribution without the logistical burden of maintaining an infrastructure.”
Earlier this month, Microsoft warned that Clickfix is becoming increasingly popular as a method of infiltrating networks, stealing data, and deploying malware.
In the Redmond giant’s latest Digital Defense report, Microsoft said that since 2024, Clickfix tactics have been recorded as a method of initial access in 47% of attacks, ahead of phishing and password “spray and pray” attack methods.
How do I protect myself against Clickfix attacks?
Don’t execute a command on your device if you are not sure about the source of the code or its true purpose, especially if you find the instructions on social media, where they’re unlikely to be vetted. Now that you know this social engineering method exists, stay suspicious. Tell your friends, too.
