Cybercriminals have launched a new wave of adversary‑in‑the‑middle (AitM) phishing attacks targeting TikTok for Business accounts, aiming to steal credentials and live session tokens. In parallel, researchers have observed a separate campaign using malicious SVG email attachments that deliver malware with code overlap to the BianLian ransomware family. Together, these incidents highlight how threat actors combine social engineering, web infrastructure abuse, and non‑obvious file formats to bypass traditional defenses.
Why TikTok for Business Accounts Are Prime Targets for Attackers
Corporate TikTok profiles, like branded accounts on other social networks, represent a valuable asset for attackers. Once a business account is compromised, it can be repurposed for malvertising: publishing malicious ads, phishing links, and malware download URLs that appear to come from a trusted brand.
According to research by Push Security, TikTok has repeatedly been abused to distribute information‑stealing malware such as Vidar, StealC, and Aura Stealer. A common pattern mirrors so‑called “ClickFix” schemes: users are shown AI‑generated tutorial videos promising “activation” or “cracked” versions of Windows, Spotify, CapCut, and other software. Links in video descriptions, positioned as necessary installers or patches, in reality deliver infostealers and other malware.
This aligns with broader industry data. The Verizon 2024 Data Breach Investigations Report notes that stolen credentials and social engineering remain among the top initial access vectors, with social media platforms increasingly used to establish trust with victims before redirecting them to malicious content.
Adversary‑in‑the‑Middle Phishing Against TikTok for Business
Social Engineering with Fake TikTok and Google Careers Pages
The TikTok Business phishing campaign typically starts with a phishing email or direct message containing a link to a malicious site. Victims are lured either to a page imitating the TikTok for Business interface or to a website masquerading as Google Careers that offers to “discuss a job opportunity” and schedule a call.
Earlier iterations of this campaign, documented by Sublime Security in late 2025, used emails that closely resembled legitimate outreach from marketing or recruiting teams. By mimicking real collaboration offers or advertising inquiries, the attackers significantly increased click‑through rates and the likelihood that targets would attempt to log in.
Cloudflare Turnstile Abuse and Session Hijacking via AitM
A notable aspect of the current wave is the use of Cloudflare Turnstile, a CAPTCHA‑free bot detection mechanism. On the phishing sites, attackers embed Turnstile to:
1) filter out automated scanners and phishing analysis tools, reducing early detection;
2) ensure that only real human users proceed to the credential harvesting stage.
Once the Turnstile challenge is passed, victims are redirected to an AitM login page that acts as a proxy between the user and the legitimate TikTok authentication endpoint. Instead of a simple cloned form, the proxy relays traffic in real time, allowing the attacker to capture:
• usernames and passwords;
• session cookies and tokens, which can be reused to bypass multi‑factor authentication (MFA) and access the account as if they were the legitimate user.
The phishing infrastructure is typically hosted on recently registered domains themed around advertising, marketing, or careers, such as faux agency names or HR portals. This approach reduces the effectiveness of basic domain reputation checks and static blocklists.
Malicious SVG Attachments and BianLian‑Style Malware
SVG Files as a Stealthy Malware Delivery Vector
Separately, WatchGuard has reported a targeted phishing campaign against users in Venezuela that relies on SVG (Scalable Vector Graphics) attachments. The attached files are named and labeled in Spanish as invoices, receipts, or quotes (for example, factura, recibo, presupuesto), lending them an appearance of routine business correspondence.
When the victim opens the SVG file, embedded code triggers a request to a remote URL, which then serves a malicious executable. To obscure the final destination, attackers chain together the ja.cat URL‑shortening service with an open redirect vulnerability on a legitimate website. In practice, the user believes they are following a link from a trusted domain, while traffic is silently redirected to a malware delivery server.
This technique underscores a critical point: even formats perceived as “safe,” such as SVG images, can contain active content (scripts, embedded URLs) and be abused as the initial stage of a complex infection chain.
Go‑Based Malware with Code Overlap to BianLian Ransomware
The payload delivered in this campaign is a binary written in Go (Golang). WatchGuard analysts have identified multiple similarities with a BianLian ransomware sample documented by SecurityScorecard in January 2024, suggesting either direct code reuse or an evolution of an existing toolkit for a new operation.
The choice of Go is consistent with a broader industry trend. Many ransomware and post‑exploitation tool developers are moving to Go due to its cross‑platform capabilities, performance, and the increased complexity it introduces for reverse engineering compared with traditional C/C++. Families such as BianLian, and others that have re‑implemented components in Go or Rust, illustrate how threat actors continually adapt to make detection and analysis more difficult.
For organizations, this means that standard extension‑based filters (for example, only blocking .exe or .js attachments) are no longer sufficient. As the Venezuelan campaign demonstrates, seemingly benign document or image formats can be leveraged to bootstrap the delivery of sophisticated ransomware or remote‑access tooling.
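To illustrate the content-inspection point made here and in the SVG section above, the following Python check is an added example written for this article (not WatchGuard's or any vendor's tooling): it parses an SVG attachment instead of trusting its extension and flags script elements, event-handler attributes and remote references. The sample "invoice" SVG and the domain inside it are constructed placeholders.

```python
"""Flag SVG attachments that carry active content or remote references.

Added example, not vendor code: a gateway-style check that parses the XML
instead of trusting the .svg extension. Sample SVG and URL are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute code or embed a foreign document inside the image.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values that navigate or fetch over the network when the image is rendered.
REMOTE_URL = re.compile(r"^\s*(https?:|//|javascript:|data:text/html)", re.I)


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if "}" in name else name


def find_svg_risks(svg_bytes):
    """Return sorted 'reason:detail' findings; an empty list means nothing flagged."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["malformed-xml"]  # an unparsable "image" is itself worth quarantining
    findings = set()
    for el in root.iter():  # root plus every descendant element
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"active-element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, onerror ...
                findings.add(f"event-handler:{tag}@{name}")
            elif name == "href" and REMOTE_URL.search(value):  # href or xlink:href
                findings.add(f"remote-reference:{tag}")
    return sorted(findings)


# Constructed sample: labelled like an invoice, but carries a script, an onload
# handler and an external link. The domain is a placeholder, not an indicator.
SAMPLE_INVOICE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)">
  <text x="10" y="30">Factura 0001</text>
  <script>/* placeholder: a real sample would request a remote URL here */</script>
  <a href="https://redirect.example.invalid/x"><text x="10" y="45">Ver</text></a>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```

Running find_svg_risks on the two samples returns three findings for the constructed invoice and none for the plain circle, which is the distinction an extension-only filter cannot make.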
Against this backdrop of AitM phishing, Cloudflare Turnstile abuse, and SVG‑driven malware, organizations should adopt a multi‑layered defense strategy. Practical measures include hardening social media accounts (TikTok, Instagram, X and others) with strong access controls and FIDO2 hardware security keys or app‑based push MFA instead of SMS codes; continuous security awareness training focused on phishing, fake recruitment offers, and “too good to be true” collaboration requests; advanced email and web filtering with sandboxing for attachments such as SVG, HTML, ISO, and ZIP; and active monitoring of brand accounts for unusual ad campaigns, changed contact information, or suspicious links. Organizations that treat social platforms and unconventional file formats as part of their core attack surface, rather than peripheral risks, will be far better positioned to prevent account takeover and ransomware incidents stemming from these emerging tactics.