ClickFix Social Engineering Attacks Spread Infostealers via TikTok and Other Channels
Cybercriminals are increasingly leveraging ClickFix-style social engineering attacks to distribute information-stealing malware, with a notable surge in campaigns utilizing popular platforms such as TikTok. In these attacks, threat actors create videos or web pages that purport to offer legitimate activation guides or fixes for widely used software, including Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The core technique involves tricking users into copying and pasting malicious PowerShell commands or scripts into their systems, often under the guise of resolving software issues or unlocking premium features. Once executed, these commands connect to attacker-controlled infrastructure to download and run additional payloads, such as the Aura Stealer malware, which is designed to harvest browser credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data. The attacks are highly effective due to their use of legitimate-looking lures, such as fake CAPTCHAs, embedded instructional videos, and professional web design, which lower user suspicion and bypass traditional security awareness training that focuses on phishing links and suspicious downloads. Security researchers have linked these tactics to both financially motivated cybercriminal groups, such as Interlock ransomware, and state-sponsored advanced persistent threats (APTs). Recent public breaches at organizations like Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been attributed to ClickFix-style techniques, though the full extent of their impact is likely underreported. The attacks are further amplified by the viral nature of social media platforms, where malicious videos can quickly reach large audiences. Technical analysis reveals that the malicious scripts often use JavaScript to automate clipboard actions, making the attack seamless for the victim. Once the initial payload is executed, additional malware may be downloaded to establish persistence or exfiltrate data. Security experts warn that user education must evolve to address these new attack vectors, emphasizing the dangers of running copied commands and the importance of verifying the source of any technical instructions. Organizations are advised to implement technical controls to block suspicious script execution and to monitor for signs of credential theft and unauthorized access. The growing prevalence of ClickFix attacks highlights the need for a multi-layered defense strategy that combines user awareness, endpoint protection, and proactive threat intelligence.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Further analysis highlights why ClickFix copy-paste attacks are driving breaches
A follow-up analysis published the next day examined the ClickFix technique more broadly, emphasizing that copy-and-paste social-engineering attacks were contributing to security breaches. This reflects additional technical and strategic detail about the same ongoing threat activity.
Security reports document ongoing ClickFix campaigns via TikTok videos
By mid-October 2025, security reporting described active ClickFix social-engineering campaigns in which TikTok videos were being used to push infostealer malware. The coverage indicates the tactic was continuing in the wild rather than representing a one-off disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Attacks Using TikTok Videos to Deliver Information-Stealing Malware
Threat actors have begun exploiting TikTok as a platform to distribute information-stealing malware through a new social engineering technique known as ClickFix. Attackers create TikTok videos that masquerade as tutorials for obtaining free software licenses, such as Adobe Photoshop or Microsoft Windows, enticing users with the promise of bypassing legitimate licensing requirements. These videos instruct viewers to execute specific commands in PowerShell with administrative privileges, a step that ultimately leads to the download and execution of malicious payloads. Security consultant Xavier Mertens, writing for the SANS Internet Storm Center, identified several live TikTok videos promoting these scams, some of which had garnered significant engagement from users. The primary malware delivered in these campaigns is AuroStealer, also referred to as Aura Stealer, a Trojan designed to exfiltrate credentials, system information, and potentially data from browser extensions and two-factor authentication tools. The ClickFix technique is particularly insidious because it circumvents traditional anti-phishing defenses by convincing users to take direct, risky actions on their own systems. ZDNET’s investigation revealed a surprising number of active scam videos on TikTok, with attackers frequently updating their content to evade detection. The social engineering aspect of ClickFix relies on the perceived legitimacy and popularity of TikTok influencers, making the scam more convincing to unsuspecting users. Once the PowerShell command is executed, the victim’s system downloads 'Updater.exe,' which is the malicious payload, and may also execute additional shellcode in memory to further compromise the device. The impact of these attacks can be severe, as AuroStealer is capable of harvesting sensitive information from a wide range of applications and browsers, potentially leading to account takeovers and further compromise. Security experts warn that the use of mainstream social media platforms like TikTok for malware distribution represents an evolution in threat actor tactics, leveraging the trust and reach of these networks. The attacks highlight the need for increased user awareness and skepticism regarding software activation guides and similar content on social media. Organizations are advised to educate employees about the risks of following unsolicited technical instructions from unverified online sources. The incident underscores the importance of monitoring emerging social engineering trends and adapting security controls to address new delivery vectors. Both references emphasize the role of TikTok as a delivery mechanism and the sophistication of the ClickFix technique in bypassing conventional security measures. The campaign demonstrates how attackers are constantly seeking new communication channels to reach potential victims and distribute malware effectively. Security professionals recommend implementing technical controls to restrict the execution of unauthorized scripts and monitoring for suspicious PowerShell activity. The ongoing prevalence of these scams on TikTok suggests that threat actors will continue to exploit popular social platforms for malicious purposes unless proactive measures are taken.
Mar 21, 2026
ClickFix Malware Attacks Employ Advanced Social Engineering and Multi-OS Support
Attackers have significantly upgraded the ClickFix malware delivery technique, incorporating sophisticated social engineering tactics inspired by online retail sites. Recent campaigns feature embedded tutorial videos, countdown timers, and dynamic counters such as "users verified in the last hour" to create a sense of urgency and legitimacy, closely mimicking trusted services like Cloudflare's bot checks. The malicious pages automatically detect the visitor's operating system and provide tailored instructions, even copying the necessary malicious code to the user's clipboard via JavaScript, making the infection process seamless and convincing for victims. ClickFix lures are distributed through multiple channels, including email, instant messaging, social networks, in-app phishing, and especially malvertising on platforms like Google Search, YouTube, and Steam. The primary objective is to trick users into pasting and executing malicious code, which typically results in the deployment of information-stealing malware. According to Push Security and the 2025 Microsoft Digital Defense report, ClickFix has become the most prevalent initial access method, accounting for nearly half of observed attacks in the past year. The evolution of these attacks, with multi-OS support and enhanced deception techniques, underscores the growing sophistication and reach of social engineering threats in the current threat landscape.
Mar 21, 2026
ClickFix-Themed Phishing Kits Exploiting Fake CAPTCHA Social Engineering
Security researchers have identified a surge in phishing campaigns leveraging the ClickFix social engineering technique, which exploits fake CAPTCHA challenges to compromise users. Palo Alto Networks discovered the 'IUAM ClickFix Generator,' a web-based phishing kit that enables attackers with minimal technical skills to craft convincing phishing pages. These pages mimic legitimate browser verification prompts, such as those used by content delivery networks and cloud security providers, to deceive users into believing they are interacting with authentic security checks. The phishing kit allows customization of the page's title, domain, content, and prompts, making each attack highly tailored and more likely to succeed. A key feature of the kit is its ability to detect the victim's operating system—Windows or macOS—and adjust the malicious payload accordingly, increasing the likelihood of successful exploitation. The phishing pages generated by this tool often instruct users to perform actions such as pressing Windows + R, pasting clipboard contents, and executing commands, which can result in the installation of infostealers or remote access trojans. The attack relies on clipboard manipulation, where the phishing page silently injects a malicious command into the user's clipboard, masked by a harmless-looking string to evade suspicion. Researchers have linked some of these campaigns to the Odyssey malware-as-a-service operation, suggesting a broader criminal ecosystem utilizing the ClickFix technique. The IUAM ClickFix Generator also incorporates obfuscation and automatic clipboard-copy JavaScript injection to further evade detection. Eye Security and other cybersecurity experts have observed that these attacks are distributed through various channels, including SEO poisoning, malvertising, and spearphishing. In response, Eye Security developed 'ClickFix Block,' a browser extension designed to detect and block fake CAPTCHA attacks before they can manipulate the clipboard. The extension is available for Chrome and Edge browsers and aims to provide early protection against this emerging threat. The rise of ClickFix attacks highlights the evolving sophistication of social engineering tactics, as attackers increasingly exploit familiar web security mechanisms to gain user trust. The campaigns target both Windows and macOS users, demonstrating cross-platform adaptability. Security researchers emphasize the importance of user awareness and technical defenses, such as browser extensions, to mitigate the risk posed by these phishing kits. The ongoing analysis of ClickFix-themed attacks underscores the need for organizations to update their security training and technical controls to address this novel threat vector. The discovery of customizable phishing kits like IUAM ClickFix Generator signals a democratization of advanced phishing techniques, making them accessible to a wider range of cybercriminals. As these attacks continue to evolve, collaboration between security vendors and researchers remains critical to developing effective countermeasures. Organizations are advised to monitor for signs of clipboard manipulation and educate users about the dangers of executing commands copied from untrusted web pages. The ClickFix phenomenon represents a significant shift in phishing tactics, leveraging both technical and psychological manipulation to achieve compromise.
Mar 21, 2026