Viral TikTok ‘free activation’ videos are a dangerous scam

That viral TikTok offering up free Photoshop activation or a cost-free Windows license isn’t an ingenious hack—it’s a social engineering ploy to gain access to your device and personal information. Attackers are relying on compact, easy-to-share videos that offer step-by-step instructions for persuading people to run potentially dangerous commands on their own personal computers, according to security researchers. The upshot: pilfered passwords, hijacked sessions, and even, in some cases, an entry point for ransomware.

How the ClickFix scam tricks users into running malware

A lot of these clips—which you can count on seeing at this point in the news cycle—fall into a familiar pattern called ClickFix. The author promises to fix a general issue—unlocking your copy of Photoshop, say, or the stream-stopping error code that plagues so many people trying to send computer games to their television—and has you open a PowerShell console with admin rights, paste in some PowerShell one-liner, and hit Enter. That one command discreetly downloads and executes the payload typically named “Updater.exe” or “Activator.exe” to seem harmless.

In one example described by the SANS Internet Storm Center’s Senior Handler, the reported Photoshop patch actually ran Aurora Stealer—a credential-stealing Trojan. In addition to stealing browser logins and system details, such scripts often load more shellcode directly into memory to help evade detection, and pull down further malware, such as remote access tools and ransomware loaders.

Why TikTok is an excellent way to spread disinformation

TikTok’s algorithm favors entertaining, bite-size content and can one moment elevate an unknown account to millions of views. In recent weeks, Trend Micro researchers have discovered networks of faceless profiles publishing “life hacks” that are apparently AI-generated, with voice-overs and seemingly helpful captions. Some of them claimed to enhance Spotify or grant access to premium features; the true magic was a PowerShell command, which unloaded info-stealing payloads such as Vidar and StealC.

Attackers like this approach because the platform offers rapid scale with no need to deal with infrastructure headaches. Just one convincing clip and thousands of obliging viewers to paste in malicious code—all without the need for either email filters, web gateways, or most traditional phishing defenses.

What recent data shows about ClickFix and attack trends

Security teams have observed ClickFix techniques soar. In its most recent Digital Defense report, Microsoft says that since 2024, ClickFix-style guidance represented the initial access for 47% of observed attacks—more than classic phishing and password spraying. For example, SANS analysts warned of TikTok videos with hundreds of likes referring viewers to “fix” or “activate” software through admin-level commands. The engagement doesn’t have to be massive; the conversion rate from curious to compromised is one of the attacker’s benefits.

What you risk by pasting unknown commands as administrator

Invoking an unknown command as admin is the nuclear option for your device. (Among the data sucked up by information stealers: browser passwords, autofill details, authentication cookies, and saved tokens—plenty to sidestep logins and multi-factor protections.) They search for crypto wallets, messaging apps, and cloud credentials. In offices, that foothold could lead to business email compromise or the ability to install ransomware via remote management tools.

Red flags that reveal the TikTok ‘activation’ video scam

• Any “activation free” or “one-line fix” that involves using administrator PowerShell or the Command Prompt.
• Such as activator, crack, KMS, or updater tools without a verified publisher.
• Shortened or obfuscated download links, closed comments, and a brand-new account with high-performing videos.
• Instructions to turn off the antivirus, SmartScreen, or security policies and then run code.

Safer alternatives and defenses to avoid these TikTok scams

Download software only from legitimate sources. Adobe has legal trials and educational pricing, and Windows licenses ought to be from reputable resellers. On the security side, turn on local administrator separation so that daily accounts are not admin, keep SmartScreen and reputable AV on, and update your machine diligently.

In managed environments, restrict PowerShell with Constrained Language Mode, use application control to block unknown executables, and apply attack surface reduction rules. Hardening the browser—by disallowing password storage or migrating to an enterprise password manager—minimizes the effect of info-stealers. Scan your scheduled tasks and startup items, and check to see if they contain any suspicious entries.

Steps to take immediately if you already ran the command

Disconnect from the internet, then scan with up-to-date security software; consider an offline or bootable scanner. From a clean computer, reset the passwords for your emails, cloud services, banking, and anything stored in your browser. Invalidate active sessions where you can, and enable multi-factor authentication.

Look for strange processes, a new scheduled task, and strange programs. If the system contains sensitive data or if you’re in a business context, consider it compromised: back up your critical files, think about doing a full wipe and reinstall of the device, and let your IT team or national cyber authority know. Report the TikTok account you’re busting so that fewer people are ensnared.

The bottom line: never run code from random TikTok videos

There is no free ride to commercial software on social media either. Those “copy and paste” fixes are designed to get you to infect yourself. If a video is telling you to run code in order to unlock Photoshop or Windows, the wisest thing to do is nothing at all.