Malware Distribution via Social Engineering and Malicious Packages
Attackers are increasingly leveraging both social media platforms and software supply chains to distribute malware and post-exploitation frameworks. On TikTok, a video with over 500 likes was discovered promoting a method to illegally activate Photoshop, which in reality instructs users to run a PowerShell command as an administrator. This command fetches and executes malicious PowerShell code from a remote server, with the code identified by a specific SHA256 hash and flagged by multiple antivirus engines. The script then downloads a secondary payload, updater.exe, which is identified as the AuroStealer malware. Persistence is achieved by creating a scheduled task under various plausible system task names, ensuring the malware runs at user logon. The scheduled task is configured to run with the highest privileges and is designed to evade user detection by running in hidden mode. The AuroStealer component is capable of stealing sensitive information from the infected system, posing a significant risk to victims who follow the TikTok video's instructions. Separately, the npm ecosystem was found to be hosting a malicious package named https-proxy-utils, which masqueraded as a legitimate proxy utility. This package cloned functionality from popular proxy packages to appear trustworthy, but included a post-install script that downloaded and executed the AdaptixC2 agent, a post-exploitation framework similar to Cobalt Strike. The malicious npm package was designed to target multiple operating systems, with OS-specific payload delivery mechanisms for Windows, Linux, and macOS. On Windows, the agent was dropped as a DLL in the system directory and executed via DLL sideloading using a copied legitimate executable. On macOS, the payload was placed in the user's autorun directory with a corresponding plist file to ensure persistence. The npm package was quickly removed after discovery, but its presence highlights the ongoing risks in open-source software repositories. Both incidents demonstrate the evolving tactics of threat actors, who exploit both user trust in social media and the software supply chain to deliver sophisticated malware. The use of social engineering on platforms like TikTok lowers the barrier for infection by convincing users to execute malicious commands themselves. Meanwhile, the abuse of npm packages shows how attackers can reach a wide audience of developers and users by mimicking legitimate software. These campaigns underscore the importance of user education, vigilant monitoring of software dependencies, and robust endpoint protection to mitigate the risk of malware infections. Organizations should be aware of these attack vectors and implement controls to prevent the execution of unauthorized scripts and the installation of unverified software. The convergence of social engineering and supply chain attacks represents a significant challenge for defenders, requiring a multi-layered security approach.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publishes IOCs for the npm supply-chain campaign
Kaspersky disclosed technical details and indicators of compromise for the malicious package campaign, including hashes and cloudcenter[.]top infrastructure used to fetch payloads and configuration artifacts. The report framed the incident as part of a broader trend of npm ecosystem abuse for malware delivery.
Malicious npm package deploys AdaptixC2 agent
In October 2025, Kaspersky identified a malicious npm package named "https-proxy-utils" that impersonated a proxy utility and used a post-install script to download and execute an AdaptixC2 agent. The package delivered OS-specific payloads and persistence mechanisms for Windows, macOS, and Linux, including DLL sideloading on Windows.
AdaptixC2 is first observed in malicious activity
Researchers first observed AdaptixC2 being used maliciously in spring 2025. This marked the framework's transition from a public tool to one actively used in attacks.
AdaptixC2 framework is publicly released
AdaptixC2, a post-exploitation framework marketed as an alternative to Cobalt Strike, was publicly released in early 2025. This release preceded later malicious use observed by defenders.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Attacks Using TikTok Videos to Deliver Information-Stealing Malware
Threat actors have begun exploiting TikTok as a platform to distribute information-stealing malware through a new social engineering technique known as ClickFix. Attackers create TikTok videos that masquerade as tutorials for obtaining free software licenses, such as Adobe Photoshop or Microsoft Windows, enticing users with the promise of bypassing legitimate licensing requirements. These videos instruct viewers to execute specific commands in PowerShell with administrative privileges, a step that ultimately leads to the download and execution of malicious payloads. Security consultant Xavier Mertens, writing for the SANS Internet Storm Center, identified several live TikTok videos promoting these scams, some of which had garnered significant engagement from users. The primary malware delivered in these campaigns is AuroStealer, also referred to as Aura Stealer, a Trojan designed to exfiltrate credentials, system information, and potentially data from browser extensions and two-factor authentication tools. The ClickFix technique is particularly insidious because it circumvents traditional anti-phishing defenses by convincing users to take direct, risky actions on their own systems. ZDNET’s investigation revealed a surprising number of active scam videos on TikTok, with attackers frequently updating their content to evade detection. The social engineering aspect of ClickFix relies on the perceived legitimacy and popularity of TikTok influencers, making the scam more convincing to unsuspecting users. Once the PowerShell command is executed, the victim’s system downloads 'Updater.exe,' which is the malicious payload, and may also execute additional shellcode in memory to further compromise the device. The impact of these attacks can be severe, as AuroStealer is capable of harvesting sensitive information from a wide range of applications and browsers, potentially leading to account takeovers and further compromise. Security experts warn that the use of mainstream social media platforms like TikTok for malware distribution represents an evolution in threat actor tactics, leveraging the trust and reach of these networks. The attacks highlight the need for increased user awareness and skepticism regarding software activation guides and similar content on social media. Organizations are advised to educate employees about the risks of following unsolicited technical instructions from unverified online sources. The incident underscores the importance of monitoring emerging social engineering trends and adapting security controls to address new delivery vectors. Both references emphasize the role of TikTok as a delivery mechanism and the sophistication of the ClickFix technique in bypassing conventional security measures. The campaign demonstrates how attackers are constantly seeking new communication channels to reach potential victims and distribute malware effectively. Security professionals recommend implementing technical controls to restrict the execution of unauthorized scripts and monitoring for suspicious PowerShell activity. The ongoing prevalence of these scams on TikTok suggests that threat actors will continue to exploit popular social platforms for malicious purposes unless proactive measures are taken.
Mar 21, 2026
ClickFix Social Engineering Attacks Spread Infostealers via TikTok and Other Channels
Cybercriminals are increasingly leveraging ClickFix-style social engineering attacks to distribute information-stealing malware, with a notable surge in campaigns utilizing popular platforms such as TikTok. In these attacks, threat actors create videos or web pages that purport to offer legitimate activation guides or fixes for widely used software, including Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The core technique involves tricking users into copying and pasting malicious PowerShell commands or scripts into their systems, often under the guise of resolving software issues or unlocking premium features. Once executed, these commands connect to attacker-controlled infrastructure to download and run additional payloads, such as the Aura Stealer malware, which is designed to harvest browser credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data. The attacks are highly effective due to their use of legitimate-looking lures, such as fake CAPTCHAs, embedded instructional videos, and professional web design, which lower user suspicion and bypass traditional security awareness training that focuses on phishing links and suspicious downloads. Security researchers have linked these tactics to both financially motivated cybercriminal groups, such as Interlock ransomware, and state-sponsored advanced persistent threats (APTs). Recent public breaches at organizations like Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been attributed to ClickFix-style techniques, though the full extent of their impact is likely underreported. The attacks are further amplified by the viral nature of social media platforms, where malicious videos can quickly reach large audiences. Technical analysis reveals that the malicious scripts often use JavaScript to automate clipboard actions, making the attack seamless for the victim. Once the initial payload is executed, additional malware may be downloaded to establish persistence or exfiltrate data. Security experts warn that user education must evolve to address these new attack vectors, emphasizing the dangers of running copied commands and the importance of verifying the source of any technical instructions. Organizations are advised to implement technical controls to block suspicious script execution and to monitor for signs of credential theft and unauthorized access. The growing prevalence of ClickFix attacks highlights the need for a multi-layered defense strategy that combines user awareness, endpoint protection, and proactive threat intelligence.
Mar 21, 2026
Supply Chain Attacks and Remote Access Trojans Targeting NPM Ecosystem and Banking Sector
A series of sophisticated supply chain attacks have targeted the NPM ecosystem, compromising both widely used and niche packages to deliver malicious payloads. The "Shai-Hulud" campaign has infected at least 187 NPM packages, including the highly popular tinycolor package, which receives approximately 2 million downloads weekly. Attackers in this campaign modify package manifests, inject malicious files, and republish the compromised packages, resulting in downstream projects unknowingly incorporating malicious code. The worm-like nature of the attack allows it to spread rapidly to other maintainers' packages, amplifying the impact across the software supply chain. Delayed detection of these compromises increases the risk, as many projects may already be affected before the breach is discovered. The attack highlights the critical importance of verifying package signatures and maintaining a robust software bill of materials (SBOM) to trace dependencies and versions accurately. In a related but distinct campaign, a threat actor using the NPM account "ongtrieuhau861.001" has published at least 94 malicious packages, many of which are specifically crafted to target Asian banks. These packages, often named with the pattern "dhhdbankxxxxx" and similar variants, deliver a JavaScript-based Remote Access Trojan (RAT) dubbed "DHSollutionsBot." This RAT leverages Firebase Realtime Database for command and control, while exfiltrating stolen data through Discord webhooks, making detection more challenging due to the use of legitimate cloud services. The threat actor's NPM account history suggests either a long-term operation or the acquisition of an existing account for malicious purposes. The attack architecture is notable for its simplicity and effectiveness, combining two legitimate platforms for resilient and stealthy C2 operations. Both campaigns underscore the growing threat of supply chain attacks in the open-source ecosystem, where a single compromised package can have cascading effects on countless downstream projects. Developers and organizations are urged to implement cryptographic signing of packages, verify signatures before use, and maintain detailed SBOMs to mitigate the risk of such attacks. The incidents also demonstrate the need for continuous monitoring of package repositories and automated detection tools to identify and respond to malicious activity promptly. The use of trusted platforms like Discord and Firebase for C2 communications further complicates detection and response efforts. These attacks serve as a stark reminder that even well-established codebases can become vectors for compromise if their dependencies are not rigorously vetted and monitored. The campaigns have prompted renewed calls for improved security practices in the software development lifecycle, particularly in the management of third-party dependencies. Organizations are advised to review their exposure to affected NPM packages and take immediate remediation steps where necessary. The incidents highlight the evolving tactics of threat actors in targeting the software supply chain and the critical need for industry-wide vigilance.
Mar 21, 2026