Cybercriminals Exploit TikTok with AI Videos to Infect Devices with Stealers

Cybercriminals are leveraging TikTok’s massive user base to spread information-stealing malware through a novel and effective vector: AI-generated tutorial videos.

Research from TrendMicro reveals that these malicious actors are producing convincing, AI-powered videos purporting to show users how to unlock pirated software.

In reality, the so-called “tutorials” are designed to trick unsuspecting viewers into running PowerShell commands that download info-stealers such as Vidar, StealC, and Lumma directly onto their devices.

These videos are not fringe threats; some have amassed nearly half a million views, highlighting the immense reach and potential impact of this campaign.

While the exact number of compromised users remains unclear, the scale of the operation, as indicated by popular TikTok videos and subsequent malware downloads, raises serious concerns for the security of social media users worldwide.

Malicious Infrastructure

According to a Censys report, the attack infrastructure underpinning this campaign is multifaceted and resilient.

Digging beyond TrendMicro’s initial indicators of compromise (IOCs), further analysis shows that the primary malicious domains (amssh[.]co and allaivo[.]me) have leveraged overlapping IP addresses, notably 91.92.46.76 and 91.92.46.219, both linked to additional PowerShell script variants not previously mentioned.

These scripts, detected openly on exposed web services, referenced different domains and payloads, such as winbox[.]ws, further expanding the malware distribution chain.

Figure: HTTP response body

Despite many of the central domains going offline, historical DNS and network data provide a window into the attackers’ operations.

Notably, the malicious ecosystem is propped up by a newly registered bulletproof hosting provider, AS214196 (operating as “PrivateNetwork[.]ltd”), which offers anonymous, no-KYC (“Know Your Customer”) virtual servers.

The associated netblocks (91.92.46.0/24 and 166.88.225.0/24) and its unique upstream connection to the equally new AS213887 (“WAIcore”) suggest the attackers are intentionally leveraging networks with minimal oversight and rapid churn.
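The infrastructure pivot described above (domains sharing IP addresses, and those IPs sitting inside the bulletproof hosting netblocks) can be reproduced on passive-DNS data. The following is an added example for defenders, not tooling from TrendMicro, Censys or the article; the passive-DNS records are constructed to mirror the article’s description and are not real observations, and the third domain/IP pair uses reserved documentation values.

```python
import ipaddress
import re
from collections import defaultdict


def refang(indicator: str) -> str:
    """Turn a defanged IOC (hxxps://amssh[.]co, 91[.]92.46.76) into its plain form for matching."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


def in_netblocks(ip: str, netblocks) -> bool:
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in ipaddress.ip_network(n) for n in netblocks)


def shared_ips(pdns_records):
    """From (domain, ip) passive-DNS pairs, return {ip: sorted domains} for IPs used by >1 domain."""
    ip_to_domains = defaultdict(set)
    for domain, ip in pdns_records:
        ip_to_domains[refang(ip)].add(refang(domain))
    return {ip: sorted(d) for ip, d in ip_to_domains.items() if len(d) > 1}


# Netblocks named in the article as belonging to the bulletproof hosting provider.
BULLETPROOF_NETBLOCKS = ["91.92.46.0/24", "166.88.225.0/24"]

# Constructed sample passive-DNS records: the two article domains resolving to the two
# overlapping IPs it names, plus an unrelated documentation-range pair for contrast.
SAMPLE_PDNS = [
    ("amssh[.]co", "91[.]92.46.76"),
    ("amssh[.]co", "91[.]92.46.219"),
    ("allaivo[.]me", "91[.]92.46.76"),
    ("allaivo[.]me", "91[.]92.46.219"),
    ("unrelated.example", "203.0.113.5"),
]


def pivot_report(pdns_records, netblocks):
    """For each IP shared across domains, list the domains and flag bulletproof-netblock membership."""
    return {
        ip: {"domains": doms, "bulletproof_netblock": in_netblocks(ip, netblocks)}
        for ip, doms in shared_ips(pdns_records).items()
    }


if __name__ == "__main__":
    for ip, info in pivot_report(SAMPLE_PDNS, BULLETPROOF_NETBLOCKS).items():
        print(ip, info)
```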

In addition, forensic analysis of the retrieved malware samples and PowerShell scripts has confirmed multiple info-stealing families at play and a broader infrastructure footprint than initially reported.

Dynamic analysis showed that Lumma Stealer samples attempted callbacks to the malicious hosts previously identified by TrendMicro, such as hxxp://91[.]92[.]46[.]70/1032c730725d1721[.]php, and to newly uncovered domains.

Figure: the malicious domains have had two overlapping IP addresses

New IOCs Expand Understanding of the Campaign

Further investigations into the historical activity of the campaign’s infrastructure unearthed more IPs (147.45.44.233 and 176.98.186.23), alternate versions of the PowerShell scripts, and additional malware delivery URLs.

While some of these hosts are now offline, the cumulative evidence paints a picture of a highly adaptive, opportunistic threat actor using rapid domain and IP rotation to evade detection and takedown.

This campaign exemplifies the growing sophistication of cybercriminals who blend modern AI tools, social engineering, and bulletproof hosting to maximize the effectiveness and persistence of their malware distribution operations.

Security professionals and everyday users alike should remain vigilant, as the abuse of trusted platforms like TikTok for malicious ends becomes increasingly prevalent.

Updated Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
