TikTok activation-guide ClickFix infostealer campaign
Campaign
Summary
Hide ▲
Show ▼
A TikTok-based ClickFix campaign is using fake free activation guides to deliver info-stealing malware, putting users seeking software activations at risk of credential theft. The operation was observed again in May and October 2025, showing continued activity. Victims are pushed to run a PowerShell command that contacts slmgr[.]win and starts the malware chain.
Related Happenings
Vidar infostealer delivered through TikTok and Instagram Reels
Malware Activity
H score27
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware ActivityAbout this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
TikTok and Instagram Reels Vidar social-engineering campaign
Campaign
H score37
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
TikTok and Instagram Reels Vidar social-engineering campaign
CampaignAbout this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
H score26
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor MetaAbout this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Timeline
-
19.10.2025 21:28 2 articles · 8mo ago
TikTok ClickFix infostealer delivery chain
Technical Analysis UpdateCybercriminals are using TikTok videos disguised as free activation guides for Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, Discord Nitro, Netflix, and Spotify Premium to lure users into running administrator PowerShell commands that contact slmgr[.]win, download an Aura Stealer variant from Cloudflare Pages, and stage an additional source.exe payload that self-compiles code with csc.exe and injects it in memory.
Show sources
- TikTok videos continue to push infostealers in ClickFix attacks — www.bleepingcomputer.com — 19.10.2025 21:28
- TikTok videos continue to push infostealers in ClickFix attacks — www.bleepingcomputer.com — 19.10.2025 21:28