Pulse name: TikTok Videos Promoting Malware Installation
TLP: WHITE
Author: AlienVault
Created: 2025-10-21    Modified: 2025-10-21
Indicators of compromise: 11
Volume: medium
Attackers are exploiting TikTok videos to distribute malware, disguising it as free software activations. The campaign uses social engineering techniques to trick users into executing malicious PowerShell code. The malware downloads additional payloads, including AuroStealer, and establishes persistence through scheduled tasks. One payload employs a self-compiling technique, generating code to inject shellcode into memory. Multiple TikTok videos have been identified as part of this campaign, targeting different software products. The attack leverages the ClickFix technique and has gained traction with hundreds of likes on the platform.
MITRE ATT&CK & Malware Families

ATT&CK techniques: none listed in the pulse
Malware families: AuroStealer
Indicators of Compromise (11)

No per-indicator descriptions are given in the pulse; all indicators were created on 2025-10-21.

Type              Indicator                                                          Created
FileHash-MD5      0205b1b8c5564acfb55991eeb19bce58                                   2025-10-21
FileHash-MD5      6a113d6b42421c9e6edc0fb2abcfcb76                                   2025-10-21
FileHash-MD5      f631a96c57b07830d42f1ff4c88ed3d3                                   2025-10-21
FileHash-SHA1     39c0e9ce5bf5ef64e546d1acfea88dd245723aa4                           2025-10-21
FileHash-SHA1     afab5f1fed0760e4b7b8e34974f2e5fcfae63477                           2025-10-21
FileHash-SHA1     e295d4740de0db39f1a286bcff416c28530524a7                           2025-10-21
FileHash-SHA256   58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8   2025-10-21
FileHash-SHA256   6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23   2025-10-21
FileHash-SHA256   db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011   2025-10-21
URL               http://slmgr.win/photoshop                                         2025-10-21
domain            slmgr.win                                                          2025-10-21