{"id":1526,"date":"2025-05-23T12:50:34","date_gmt":"2025-05-23T09:50:34","guid":{"rendered":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/"},"modified":"2025-05-23T12:50:34","modified_gmt":"2025-05-23T09:50:34","slug":"tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/","title":{"rendered":"TikTok Videos Now Facilitate Infostealer Malware Distribution in ClickFix Campaigns"},"content":{"rendered":"<p style=\"text-align:center\"><img loading=\"lazy\" decoding=\"async\" alt=\"TikTok\" height=\"900\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns.jpg\" width=\"1600\"><\/p>\n<p>Recent investigations have revealed a troubling trend where cybercriminals are exploiting TikTok videos as a vehicle to distribute Vidar and StealC information-stealing malware through ClickFix attacks.<\/p>\n<p>According to insights from Trend Micro, the perpetrators of this social engineering scheme are utilizing videos, likely generated via artificial intelligence, which urge viewers to execute commands that supposedly activate Windows, Microsoft Office, and premium features of software such as CapCut and Spotify.<\/p>\n<p>\u201cThis attack involves videos that instruct users to run PowerShell commands disguised as software activation procedures. TikTok&#8217;s broad algorithmic reach significantly amplifies the potential for widespread victimization, with certain videos garnering over half a million views,\u201d Trend Micro highlighted. 
<\/p>\n<p>These videos are strikingly similar, differing only in camera angles and in the download links that PowerShell uses to retrieve the malicious payload, which suggests they were created through automation. Additionally, the instructional voiceover appears to be AI-generated, further indicating the involvement of AI tools in producing this content.<\/p>\n<p>One notable video purporting to enhance users&#8217; Spotify experience has amassed nearly 500,000 views, received over 20,000 likes, and generated upwards of 100 comments.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"TikTok ClickFix video\" height=\"424\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns-1.jpg\" width=\"700\"><figcaption><em>TikTok ClickFix video (Trend Micro)<\/em><\/figcaption><\/figure>\n<\/div>\n<p>In these videos, attackers encourage viewers to execute a PowerShell command that downloads and runs a remote script from <em>hxxps:\/\/allaivo[.]me\/spotify<\/em>, leading to the installation of Vidar or StealC malware, which is subsequently launched as a hidden process with elevated permissions.<\/p>\n<p>Upon activation, <a href=\"https:\/\/www.bleepingcomputer.com\/tag\/vidar\/\" target=\"_blank\" rel=\"nofollow noopener\">Vidar<\/a> can capture desktop screenshots and exfiltrate sensitive data including login credentials, credit card information, cookies, cryptocurrency wallets, text files, and Authy 2FA databases.<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/tag\/stealc\/\" target=\"_blank\" rel=\"nofollow noopener\">StealC<\/a> is similarly equipped to gather a wide array of sensitive information from infected machines, specifically targeting numerous web browsers and cryptocurrency wallets.<\/p>\n<p>Once the device is compromised, the malicious 
script fetches a second PowerShell payload from <em>hxxps:\/\/amssh[.]co\/script[.]ps1<\/em>, which adds a registry key that ensures the malware executes on system startup.<\/p>\n<div style=\"text-align:center\">\n<figure class=\"image\" style=\"display:inline-block\"><img loading=\"lazy\" decoding=\"async\" alt=\"Attack flow\" height=\"367\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns-2.jpg\" width=\"700\"><figcaption><em>Attack flow (Trend Micro)<\/em><\/figcaption><\/figure>\n<\/div>\n<h2>Definition of ClickFix<\/h2>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/tag\/clickfix\/\" target=\"_blank\" rel=\"nofollow noopener\">ClickFix<\/a> is a malicious tactic wherein attackers employ fabricated error messages or verification prompts, such as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/iclicker-hack-targeted-students-with-malware-via-fake-captcha\/\" target=\"_blank\" rel=\"nofollow noopener\">CAPTCHA prompts<\/a>, to lure unsuspecting victims into executing harmful scripts that install malware on their devices.<\/p>\n<p>While primarily aimed at <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-6-000-wordpress-sites-hacked-to-install-plugins-pushing-infostealers\/\" target=\"_blank\" rel=\"nofollow noopener\">Windows<\/a> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks\/\" target=\"_blank\" rel=\"nofollow noopener\">users<\/a> through PowerShell scripts, ClickFix has increasingly been employed against <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-google-meet-conference-errors-push-infostealing-malware\/\" target=\"_blank\" rel=\"nofollow noopener\">macOS<\/a> and <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-now-testing-clickfix-attacks-against-linux-targets\/\" target=\"_blank\" rel=\"nofollow noopener\">Linux<\/a> users as well.<\/p>\n<p>State-sponsored advanced persistent threat (APT) groups have similarly executed these types of attacks. Notable threats such as APT28 and ColdRiver from Russia, Kimsuky from North Korea, and MuddyWater from Iran have all employed similar tactics in recent espionage campaigns.<\/p>\n<p>This latest TikTok-related incident is not an isolated case; there have been previous instances where cybercriminals used the platform to disseminate malware. For example, a trending TikTok challenge known as the &#8216;Invisible Challenge&#8217; resulted in the infection of thousands of users through a malicious application that delivered <a href=\"https:\/\/medium.com\/checkmarx-security\/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192\" target=\"_blank\" rel=\"nofollow noopener\">WASP Stealer (Discord Token Grabber) malware<\/a>.<\/p>\n<p>This malware spread through videos that gained over a million views shortly after release and could compromise Discord accounts, passwords, credit card details, and cryptocurrency wallet information.<\/p>\n<p>In recent years, there has also been a significant increase in scams circulating on TikTok, including fake cryptocurrency giveaways, frequently using well-known names such as Elon Musk, Tesla, or SpaceX as bait.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recent investigations have revealed a troubling trend where cybercriminals are exploiting TikTok videos as a vehicle to distribute Vidar 
and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1527,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[54,265,626],"class_list":["post-1526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-malware","tag-powershell","tag-tiktok"],"acf":[],"yoast_head_json":{"title":"TikTok Videos Now Facilitate Infostealer Malware Distribution in ClickFix Campaigns - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]TikTok Videos Now Facilitate Infostealer Malware Distribution in ClickFix Campaigns[:] - Trustcrypt","og_description":"Recent investigations have revealed a troubling trend where cybercriminals are exploiting TikTok videos as a vehicle to distribute Vidar and...","og_url":"https:\/\/trustcrypt.com\/ar\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/","og_site_name":"Trustcrypt","article_published_time":"2025-05-23T09:50:34+00:00","og_image":[{"url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns.jpg","type":"","width":"","height":""}],"author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"3 \u062f\u0642\u0627\u0626\u0642"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/","url":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/","name":"TikTok Videos Now Facilitate Infostealer Malware Distribution in ClickFix 
Campaigns","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns.webp","datePublished":"2025-05-23T09:50:34+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/tiktok-videos-now-facilitate-infostealer-malware-distribution-in-clickfix-campaigns.webp","width":1792,"height":1024,"caption":"TikTok Videos Now Facilitate Infostealer Malware Distribution in ClickFix Campaigns"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=1526"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1526\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/1527"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=1526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=1526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=1526"}],"curies":[{"name":"wp","href":"h
ttps:\/\/api.w.org\/{rel}","templated":true}]}}