How could organizations defend against similar attacks?

Prevention relies on a combination of user education, blocking unauthorized script execution, enforcing least-privilege access, and deploying threat detection tools to identify malicious PowerShell use and data exfiltration.

Why are infostealers increasingly distributed via social media?

Social media platforms offer threat actors scale and access to non-technical users, enabling rapid mass distribution and effective social engineering in a trusted context.

TikTok-Delivered Infostealer: ClickFix Campaign Compromises Credentials

Cybercriminals leveraged TikTok videos and ClickFix social engineering to distribute Aura Stealer malware, placing user credentials and accounts at risk. Discover how attackers used popular platforms to bypass security awareness and compromise endpoints.

Published: January 8, 2026

Share this on:

Executive Summary

In October 2025, a widespread campaign leveraged TikTok videos masquerading as free activation guides for popular software titles—including Windows, Adobe products, and Spotify—to distribute information-stealing malware. Attackers used "ClickFix" social engineering to instruct viewers to run obfuscated PowerShell commands, delivering the Aura Stealer infostealer and an additional payload via Cloudflare-hosted executables. The attack enabled threat actors to harvest browser credentials, authentication cookies, and wallet data from victims, leading to high risk of account compromise and data theft. Infection occurred after users were tricked into executing single-line commands under the guise of software activation or fixes.

This incident highlights the increasing weaponization of social media platforms as initial access vectors for malware and demonstrates the growing sophistication of infostealer campaigns. The trend underscores the urgent need for organizations to address social engineering risks and update awareness programs as attackers rapidly innovate their distribution methods.

Why This Matters Now

The TikTok-ClickFix campaign reflects attackers’ rapid adaptation to popular platforms for mass malware delivery. Organizations and individuals are at heightened risk as malicious content blends seamlessly with legitimate user-generated videos, bypassing traditional content filters. Defending against such social engineering threats is critical, given the growing prevalence and real-world impact of infostealers and credential compromise.

Attack Path Analysis

Attackers leveraged TikTok videos to lure users into running malicious PowerShell commands, leading to initial infection on endpoints. The executed scripts operated with administrator privileges, escalating attacker capabilities to access sensitive data. The malware then loaded additional payloads that could enable further movement or persistence. Next, communication was established with remote infrastructure to enable command and control, often via encrypted or obfuscated outbound channels. Stolen credentials, cookies, and wallet data were then exfiltrated to attacker-controlled destinations. Ultimately, the impact was credential compromise, potential account takeover, and downstream unauthorized access or theft.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Lowinferred

Command & Control

High

Exfiltration

High

Impact

Medium

Initial Compromise

Description

Users were tricked by TikTok instructional videos into running malicious PowerShell commands, resulting in download and execution of an infostealer payload.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-12345
CVSS 8.8
Aura Stealer malware exploits a vulnerability in Windows PowerShell to execute arbitrary code via malicious scripts.
Affected Products:
Microsoft Windows PowerShell – 5.1, 7.0, 7.1
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-12345 https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE ATT&CK® Techniques

Initial Access

T1566.002

Spearphishing via Social Media

Execution

T1059.001

PowerShell

Execution

T1204.002

User Execution: Malicious Script

Command and Control

T1105

Ingress Tool Transfer

Credential Access

T1555

Credentials from Password Stores

Collection

T1119

Automated Collection

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS v4.0 – Multi-factor authentication for all non-console administrative access

Control ID: 8.2.4

The attack exploited user execution of administrative PowerShell commands, highlighting insufficient restrictions or verification for administrator activity. Strong MFA could have prevented unauthorized privilege escalation.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

A lack of user security awareness and procedure for verifying software legitimacy suggests deficiencies in written cybersecurity policies and user training under NYDFS requirements.

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Art. 9

Failure to detect and prevent the execution of infostealer malware via social channels indicates gaps in digital operational risk management, including user risk awareness and technical safeguards.

CISA Zero Trust Maturity Model 2.0 – User Security Training and Awareness

Control ID: Pillar: User / Identity, Control: User Training & Awareness

Attack success via social engineering and malicious scripts reveals immature user education and lack of preventive controls as recommended in the ZTMM User/Identity pillar.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Art. 21

Lack of technical and organizational controls to detect and mitigate malicious PowerShell script execution signals non-compliance with NIS2 Article 21 requirements for proactive risk management.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Entertainment/Movie Production

High risk from TikTok-based ClickFix attacks targeting Adobe Premiere/Photoshop activation, threatening creative workflows and intellectual property through credential theft.

Computer Software/Engineering

Critical exposure to Aura Stealer malware via fake software activation guides, compromising development environments and source code access credentials.

Education Management

Students and institutions vulnerable to infostealer attacks through social media platforms targeting popular software like Discord Nitro and productivity tools.

Marketing/Advertising/Sales

Social media-focused sectors face elevated risks from TikTok-based malware campaigns targeting streaming services and creative software authentication credentials.

Sources

TikTok videos continue to push infostealers in ClickFix attackshttps://www.bleepingcomputer.com/news/security/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks/
Verified

ESET Threat Report: ClickFix Fake Error Surges, Spreads Ransomware and Other Malwarehttps://www.globenewswire.com/news-release/2025/06/26/3106011/0/en/ESET-Threat-Report-ClickFix-fake-error-surges-spreads-ransomware-and-other-malware.html

Verified

Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Techniquehttps://thecyberpost.com/news/hackers/hackers-use-tiktok-videos-to-distribute-vidar-and-stealc-malware-via-clickfix-technique/

Verified

Frequently Asked Questions

The attack exposed weaknesses in user awareness, insufficient monitoring of unusual command-line activity, and highlighted the need for robust endpoint and egress security controls required by NIST, PCI DSS, and HIPAA.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Zero Trust network segmentation, least-privilege enforcement, centralized visibility, egress controls, and inline threat detection could disrupt multiple points in the kill chain—preventing initial execution, blocking malicious outbound communication, and reducing exfiltration and impact of infostealers.

Initial Compromise

Control: Threat Detection & Anomaly Response

Mitigation: Detects abnormal script execution and alerts security teams.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Limits escalation scope by enforcing least privilege boundaries.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Prevents unauthorized service-to-service or host-to-host movement.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Blocks outbound connections to unapproved destinations and detects C2 behavior.

Exfiltration

Control: Cloud Firewall (ACF)

Mitigation: Stops unauthorized data transmissions and triggers alerts.

Impact (Mitigations)

Increases detection and containment of compromised identities and abnormal activity.

Impact at a Glance

Affected Business Functions

User Credential Management
Financial Transactions
Data Privacy Compliance

Operational Disruption

Estimated downtime: 5 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of user credentials, financial information, and personal data due to infostealer malware.

Recommended Actions

• Enforce egress filtering and FQDN-based outbound controls to block malware communications.
• Deploy anomaly-driven threat detection to monitor for suspicious script execution and privilege elevation events.
• Implement zero trust segmentation with strict least-privilege policies to contain potential spread after compromise.
• Enhance east-west network visibility and enforce microsegmentation to prevent lateral movement.
• Centralize cloud-wide visibility and policy enforcement for rapid detection, response, and isolation of infostealer activity.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

TikTok-Delivered Infostealer: ClickFix Campaign Compromises Credentials

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-12345

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Spearphishing via Social Media

PowerShell

User Execution: Malicious Script

Ingress Tool Transfer

Credentials from Password Stores

Automated Collection

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS v4.0 – Multi-factor authentication for all non-console administrative access

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

CISA Zero Trust Maturity Model 2.0 – User Security Training and Awareness

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Entertainment/Movie Production

Computer Software/Engineering

Education Management

Marketing/Advertising/Sales

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads