ClickFix Social Engineering Attacks Using TikTok Videos to Deliver Information-Stealing Malware
Threat actors have begun exploiting TikTok as a platform to distribute information-stealing malware through a new social engineering technique known as ClickFix. Attackers create TikTok videos that masquerade as tutorials for obtaining free software licenses, such as Adobe Photoshop or Microsoft Windows, enticing users with the promise of bypassing legitimate licensing requirements. These videos instruct viewers to execute specific commands in PowerShell with administrative privileges, a step that ultimately leads to the download and execution of malicious payloads. Security consultant Xavier Mertens, writing for the SANS Internet Storm Center, identified several live TikTok videos promoting these scams, some of which had garnered significant engagement from users. The primary malware delivered in these campaigns is AuroStealer, also referred to as Aura Stealer, a Trojan designed to exfiltrate credentials, system information, and potentially data from browser extensions and two-factor authentication tools. The ClickFix technique is particularly insidious because it circumvents traditional anti-phishing defenses by convincing users to take direct, risky actions on their own systems. ZDNET’s investigation revealed a surprising number of active scam videos on TikTok, with attackers frequently updating their content to evade detection. The social engineering aspect of ClickFix relies on the perceived legitimacy and popularity of TikTok influencers, making the scam more convincing to unsuspecting users. Once the PowerShell command is executed, the victim’s system downloads 'Updater.exe,' which is the malicious payload, and may also execute additional shellcode in memory to further compromise the device. The impact of these attacks can be severe, as AuroStealer is capable of harvesting sensitive information from a wide range of applications and browsers, potentially leading to account takeovers and further compromise. Security experts warn that the use of mainstream social media platforms like TikTok for malware distribution represents an evolution in threat actor tactics, leveraging the trust and reach of these networks. The attacks highlight the need for increased user awareness and skepticism regarding software activation guides and similar content on social media. Organizations are advised to educate employees about the risks of following unsolicited technical instructions from unverified online sources. The incident underscores the importance of monitoring emerging social engineering trends and adapting security controls to address new delivery vectors. Both references emphasize the role of TikTok as a delivery mechanism and the sophistication of the ClickFix technique in bypassing conventional security measures. The campaign demonstrates how attackers are constantly seeking new communication channels to reach potential victims and distribute malware effectively. Security professionals recommend implementing technical controls to restrict the execution of unauthorized scripts and monitoring for suspicious PowerShell activity. The ongoing prevalence of these scams on TikTok suggests that threat actors will continue to exploit popular social platforms for malicious purposes unless proactive measures are taken.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
TikTok ClickFix campaigns linked to AuroStealer, Vidar, and StealC
Follow-up reporting identified malware delivered through the TikTok-based ClickFix campaigns, including AuroStealer as well as Vidar and StealC information stealers, with broader payloads also including RATs, ransomware, and worms.
Researchers report TikTok videos used to spread ClickFix malware lures
Security reporting in October 2025 described threat actors using TikTok videos and faceless or AI-generated accounts to distribute ClickFix instructions, often promising free software or technical fixes to trick users into running malicious PowerShell commands.
Mimecast documents broader 2025 rise in ClickFix and AI-enabled BEC
In its Global Threat Intelligence Report covering January through September 2025, Mimecast described increased use of ClickFix lures and AI-generated business email compromise content, including multi-party impersonation threads and urgent payment fraud themes.
Mimecast records 500% growth in ClickFix activity in H1 2025
Mimecast said ClickFix activity surged 500% in the first half of 2025 and made up about 8% of all attacks in its telemetry, highlighting rapid growth in human-targeted intrusion techniques.
Microsoft observes ClickFix driving initial access incidents since 2024
Microsoft reported that since 2024, ClickFix social-engineering techniques accounted for 47% of initial access incidents it observed, indicating the method had overtaken more traditional phishing and password-based approaches.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Your phishing detection skills are no match for 2025's biggest security threats
zdnet.com
Open sourceHow Clickfix and AI are helping hackers break into your systems - at an alarming rate
zdnet.com
Open sourceIf a TikTok 'tech tip' tells you to paste code, it's a scam. Here's what's really happening
zdnet.com
Open sourceThis TikTok scam promises you a free Photoshop or Windows license - and then steals your info
zdnet.com
Open sourceTikTok video promising you free Photoshop or Windows license? Don't do it - it's a scam
zdnet.com
Open sourceIllicit TikTok videos harnessed in ClickFix attack
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Attacks Spread Infostealers via TikTok and Other Channels
Cybercriminals are increasingly leveraging ClickFix-style social engineering attacks to distribute information-stealing malware, with a notable surge in campaigns utilizing popular platforms such as TikTok. In these attacks, threat actors create videos or web pages that purport to offer legitimate activation guides or fixes for widely used software, including Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The core technique involves tricking users into copying and pasting malicious PowerShell commands or scripts into their systems, often under the guise of resolving software issues or unlocking premium features. Once executed, these commands connect to attacker-controlled infrastructure to download and run additional payloads, such as the Aura Stealer malware, which is designed to harvest browser credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data. The attacks are highly effective due to their use of legitimate-looking lures, such as fake CAPTCHAs, embedded instructional videos, and professional web design, which lower user suspicion and bypass traditional security awareness training that focuses on phishing links and suspicious downloads. Security researchers have linked these tactics to both financially motivated cybercriminal groups, such as Interlock ransomware, and state-sponsored advanced persistent threats (APTs). Recent public breaches at organizations like Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been attributed to ClickFix-style techniques, though the full extent of their impact is likely underreported. The attacks are further amplified by the viral nature of social media platforms, where malicious videos can quickly reach large audiences. Technical analysis reveals that the malicious scripts often use JavaScript to automate clipboard actions, making the attack seamless for the victim. Once the initial payload is executed, additional malware may be downloaded to establish persistence or exfiltrate data. Security experts warn that user education must evolve to address these new attack vectors, emphasizing the dangers of running copied commands and the importance of verifying the source of any technical instructions. Organizations are advised to implement technical controls to block suspicious script execution and to monitor for signs of credential theft and unauthorized access. The growing prevalence of ClickFix attacks highlights the need for a multi-layered defense strategy that combines user awareness, endpoint protection, and proactive threat intelligence.
Mar 21, 2026
Malware Distribution via Social Engineering and Malicious Packages
Attackers are increasingly leveraging both social media platforms and software supply chains to distribute malware and post-exploitation frameworks. On TikTok, a video with over 500 likes was discovered promoting a method to illegally activate Photoshop, which in reality instructs users to run a PowerShell command as an administrator. This command fetches and executes malicious PowerShell code from a remote server, with the code identified by a specific SHA256 hash and flagged by multiple antivirus engines. The script then downloads a secondary payload, updater.exe, which is identified as the AuroStealer malware. Persistence is achieved by creating a scheduled task under various plausible system task names, ensuring the malware runs at user logon. The scheduled task is configured to run with the highest privileges and is designed to evade user detection by running in hidden mode. The AuroStealer component is capable of stealing sensitive information from the infected system, posing a significant risk to victims who follow the TikTok video's instructions. Separately, the npm ecosystem was found to be hosting a malicious package named https-proxy-utils, which masqueraded as a legitimate proxy utility. This package cloned functionality from popular proxy packages to appear trustworthy, but included a post-install script that downloaded and executed the AdaptixC2 agent, a post-exploitation framework similar to Cobalt Strike. The malicious npm package was designed to target multiple operating systems, with OS-specific payload delivery mechanisms for Windows, Linux, and macOS. On Windows, the agent was dropped as a DLL in the system directory and executed via DLL sideloading using a copied legitimate executable. On macOS, the payload was placed in the user's autorun directory with a corresponding plist file to ensure persistence. The npm package was quickly removed after discovery, but its presence highlights the ongoing risks in open-source software repositories. Both incidents demonstrate the evolving tactics of threat actors, who exploit both user trust in social media and the software supply chain to deliver sophisticated malware. The use of social engineering on platforms like TikTok lowers the barrier for infection by convincing users to execute malicious commands themselves. Meanwhile, the abuse of npm packages shows how attackers can reach a wide audience of developers and users by mimicking legitimate software. These campaigns underscore the importance of user education, vigilant monitoring of software dependencies, and robust endpoint protection to mitigate the risk of malware infections. Organizations should be aware of these attack vectors and implement controls to prevent the execution of unauthorized scripts and the installation of unverified software. The convergence of social engineering and supply chain attacks represents a significant challenge for defenders, requiring a multi-layered security approach.
Mar 21, 2026
ClickFix Malware Attacks Employ Advanced Social Engineering and Multi-OS Support
Attackers have significantly upgraded the ClickFix malware delivery technique, incorporating sophisticated social engineering tactics inspired by online retail sites. Recent campaigns feature embedded tutorial videos, countdown timers, and dynamic counters such as "users verified in the last hour" to create a sense of urgency and legitimacy, closely mimicking trusted services like Cloudflare's bot checks. The malicious pages automatically detect the visitor's operating system and provide tailored instructions, even copying the necessary malicious code to the user's clipboard via JavaScript, making the infection process seamless and convincing for victims. ClickFix lures are distributed through multiple channels, including email, instant messaging, social networks, in-app phishing, and especially malvertising on platforms like Google Search, YouTube, and Steam. The primary objective is to trick users into pasting and executing malicious code, which typically results in the deployment of information-stealing malware. According to Push Security and the 2025 Microsoft Digital Defense report, ClickFix has become the most prevalent initial access method, accounting for nearly half of observed attacks in the past year. The evolution of these attacks, with multi-OS support and enhanced deception techniques, underscores the growing sophistication and reach of social engineering threats in the current threat landscape.
Mar 21, 2026