Pierluigi Paganini May 26, 2025

Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.

Cybercriminals leverage AI-generated TikTok videos in ClickFix attacks to spread Vidar and StealC malware, reports Trend Micro. These videos trick users into running PowerShell commands disguised as software activation steps for tools like Windows, Office, CapCut, or Spotify. The researchers pointed out that come videos have reached over 500,000 views, increasing the threat’s reach via TikTok’s algorithm.

“Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features.” reads the report published by Trend Micro. “This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.”

Researchers discovered several TikTok accounts, now deactivated, posting the likely AI-generated videos. The videos are nearly identical, suggesting automated creation using AI for both visuals and voice, and were used to distribute malware payloads.

A TikTok video urging users to run a PowerShell command gained nearly 500,000 views, 20,000+ likes, and 100+ comments, showing high engagement and trust.

The video provides step-by-step instructions to run a PowerShell command that downloads malware. The script adds Windows Defender exclusions, downloads and runs Vidar or StealC malware, sets up persistence via the registry, and deletes traces, all while appearing simple and legitimate to users.

Vidar and StealC malware connect to command-and-control (C&C) servers after infection. Vidar uses legitimate services like Steam and Telegram as Dead Drop Resolvers (DDR) to hide C&C details, embedding server info in public profiles to avoid detection. StealC uses direct IP connections. This method helps threat actors obscure infrastructure and maintain persistence while reducing visibility to security tools.

“The shift to social media as a delivery mechanism for malware requires a corresponding reassessment in defense strategies. Traditional security controls that focus on malicious code detection, link scanning, and domain reputation are less effective against attacks that exploit user trust and obscure malicious intent.” concludes the report. “Security strategies must adopt a more holistic approach that includes social media monitoring, behavioral analysis, and targeted user education.” 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ClickFix)