
TikTok activation-guide ClickFix infostealer campaign

Campaign
Happening score: 37
1 unique source, 1 article

Summary


A TikTok-based ClickFix campaign is using fake free activation guides to deliver info-stealing malware, putting users seeking software activations at risk of credential theft. The operation was observed again in May and October 2025, showing continued activity. Victims are pushed to run a PowerShell command that contacts slmgr[.]win and starts the malware chain.

Related Happenings

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Russia-linked DRILLAPP campaign targeting Ukrainian entities

Campaign
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

Timeline

  1. 19.10.2025 21:28 2 articles · 7mo ago

    TikTok ClickFix infostealer delivery chain

    Technical Analysis Update

    Cybercriminals are using TikTok videos disguised as free activation guides for Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, Discord Nitro, Netflix, and Spotify Premium to lure users into running PowerShell commands as administrator. The commands contact slmgr[.]win, download an Aura Stealer variant from Cloudflare Pages, and stage an additional source.exe payload that self-compiles code with csc.exe and injects it in memory.
