
In a new campaign, threat actors are leveraging adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts, according to a report from Push Security.
Business accounts associated with social media platforms are lucrative targets because they can be weaponized by malicious actors for malvertising and malware distribution.
“TikTok has historically been exploited to distribute malicious links and social engineering instructions,” Push Security said. “This includes multiple information theft tools such as Vidar, StealC, and Aura Stealer, delivered through ClickFix-style instructions with AI-generated videos presented as activation guides for Windows, Spotify, and CapCut.”
The campaign begins by tricking victims into clicking a malicious link that leads either to a lookalike page impersonating TikTok for Business or to a page impersonating Google Careers; the latter also offers the option to schedule a call to discuss the opportunity.
Notably, a previous iteration of this credential phishing campaign, reported by Sublime Security in October 2025, used emails disguised as outreach messages as its social engineering lure.
Regardless of which page is served, the end goal is the same: both run Cloudflare Turnstile checks to block bots and automated scanners from analyzing the page's content, then present login forms on AitM phishing pages designed to steal credentials.

The phishing pages are hosted on a cluster of lookalike domains that follow a "welcome.careers…" naming pattern.
This development comes after another phishing campaign was observed using Scalable Vector Graphics (SVG) file attachments to deliver malware to targets located in Venezuela.
According to a report published by WatchGuard, the messages contain SVG files with Spanish filenames and are disguised as invoices, receipts, or budgets.
“When these malicious SVGs are opened, they communicate with URLs that download malicious artifacts,” the company said. “This campaign uses ja.cat to shorten URLs from legitimate domains with vulnerabilities that allow redirection to arbitrary URLs, thus pointing to the domain from which the malware is downloaded.”
The downloaded artifact is Go-based malware that matches the BianLian ransomware sample detailed by SecurityScorecard in January 2024.
“This campaign is a stark reminder that even seemingly innocuous file types like SVG can be used to pose serious threats,” WatchGuard said. “In this case, a malicious SVG attachment was used to initiate a phishing chain, leading to malware delivery related to BianLian activity.”
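The SVG chain described above relies on the attachment referencing external URLs (via the ja.cat shortener) when opened. The following triage script is an added example, not code from WatchGuard or the report; it flags the traits a mail gateway or analyst would look for in an SVG attachment: embedded script elements, event-handler attributes that fire on open, and references to external URLs, with a separate hit for known shortener domains. The sample SVG documents and the `example.invalid` host are constructed.

```python
"""Triage checker for SVG e-mail attachments (constructed example)."""
import re
import xml.etree.ElementTree as ET

# ja.cat is the only shortener named in the report; extend with your own list.
SHORTENER_DOMAINS = {"ja.cat"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)        # onload, onclick, ...
URL_VALUE = re.compile(r"^(https?:)?//", re.I)       # absolute or protocol-relative URL


def scan_svg(svg_text: str) -> dict:
    """Return findings for one SVG: script count, event handlers, external URLs."""
    findings = {"script": 0, "event_handlers": [], "external_urls": [], "shortener_urls": []}
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]                # strip XML namespace prefix
        if tag == "script":
            findings["script"] += 1
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]              # e.g. {xlink-ns}href -> href
            value = value.strip()
            if EVENT_ATTR.match(local):
                findings["event_handlers"].append(local)
            if URL_VALUE.match(value):
                findings["external_urls"].append(value)
                host = URL_VALUE.sub("", value).split("/")[0].lower()
                if host in SHORTENER_DOMAINS:
                    findings["shortener_urls"].append(value)
    findings["suspicious"] = bool(
        findings["script"] or findings["event_handlers"] or findings["external_urls"]
    )
    return findings


# Constructed samples: a plain drawing, and one with the traits described in the report.
SAMPLE_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_SUSPICIOUS = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="setup()">'
    '<image xlink:href="https://ja.cat/PLACEHOLDER"/>'
    '<image href="https://example.invalid/factura.png"/>'
    '<script>/* constructed placeholder, no payload */</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_svg(doc))
```

The check is a triage signal, not a verdict: benign SVGs can legitimately embed script or external images, so hits should feed a quarantine or detonation step rather than block outright.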
