StealTok Malware - TikTok Downloader Extensions Compromised

A new malware campaign, StealTok, has compromised 130,000 users via fake TikTok downloader extensions. These malicious tools harvest sensitive data. Users are urged to remove these extensions immediately and secure their accounts.

Category: Malware & Ransomware · Severity: HIGH

Original Reporting

Cyber Security News · Abinaya

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, fake TikTok video downloaders are stealing your data.

What Happened

A massive malware campaign known as StealTok has emerged, involving at least 12 browser extensions that masquerade as TikTok video downloaders. These extensions have been designed to track user activity and harvest sensitive data, affecting over 130,000 users worldwide. Currently, around 12,500 installations remain active across the Google Chrome and Microsoft Edge marketplaces.

How It Works

The attackers employ a highly organized strategy, releasing multiple clones or slightly rebranded versions of the same core extension. This approach ensures resilience; when one extension is identified and removed, a new clone quickly takes its place. Initially, these extensions function legitimately, allowing users to download TikTok videos without watermarks, which builds trust and boosts downloads.

Delayed Capability Injection

One of the most alarming aspects of this campaign is its delayed capability injection. For the first 6 to 12 months, the extensions behave normally, passing initial security checks. After this period, they connect to external command-and-control servers to download new configurations, transforming from harmless tools into sophisticated spyware. Once activated, these extensions gather extensive telemetry data on users, including usage patterns and device information.

Who's Being Targeted

The StealTok campaign targets TikTok users who are looking for video downloading solutions. The malicious extensions have been disguised under names like "TikTok Downloader – Save Videos, No Watermark" and "Mass TikTok Video Downloader", making them appealing to unsuspecting users.

Signs of Infection

Users may notice unusual behavior from their browser, such as unexpected permissions or changes in settings. Additionally, if you have downloaded any extensions related to TikTok video downloading, you may be at risk.

How to Protect Yourself

Security experts recommend removing any suspicious extensions immediately and changing passwords for sensitive accounts. Continuous, behavior-based monitoring is advised to detect any hidden data collection or unexpected activity. Users should also be cautious of extensions that ask for excessive permissions or seem too good to be true.
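The article's advice comes down to two checks a user or administrator can run on a Chromium profile: does an installed extension carry a lure-style "TikTok downloader" name, and does it request permissions far beyond what downloading a video needs? The following script is an added example written for this page (it is not code from Cyber Security News, CyberPings, or any extension vendor). It walks a Chrome/Edge profile's Extensions directory, reads each manifest.json, and grades every extension by name pattern and requested permissions. The permission set, the name regex, the sample extension IDs and the two sample manifests are constructed for demonstration; the Extensions directory layout (Extensions/<id>/<version>/manifest.json) is the standard Chromium layout.

```python
"""Audit a Chromium (Chrome/Edge) profile for risky or lure-named extensions.

Added example, not code from the original article. Sample manifests and
extension IDs below are constructed; the lure-name pattern is modelled on the
titles quoted in the report ("TikTok Downloader – Save Videos, No Watermark",
"Mass TikTok Video Downloader").
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension observe or modify traffic, cookies, history
# or page content on every site. A single-purpose "video downloader" needs few
# or none of these, so their presence is a reason to review (assumed list).
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "history", "scripting", "tabs",
}

# Matches names in the style of the lures named in the article.
LURE_NAME = re.compile(r"tik\s*tok.*(download|save|watermark)", re.IGNORECASE)


def requested_permissions(manifest: dict) -> set:
    """Collect every permission string across MV2 and MV3 manifest keys."""
    perms = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms


def assess_manifest(manifest: dict) -> dict:
    """Grade one manifest: lure-like name plus broad permissions => high."""
    name = manifest.get("name", "")
    risky = sorted(requested_permissions(manifest) & HIGH_RISK_PERMISSIONS)
    lure_name = bool(LURE_NAME.search(name))
    if lure_name and risky:
        risk = "high"
    elif lure_name or risky:
        risk = "medium"
    else:
        risk = "low"
    return {"name": name, "risky": risky, "lure_name": lure_name, "risk": risk}


def scan_extensions_dir(root: Path) -> list:
    """Walk Extensions/<id>/<version>/manifest.json and grade each extension."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep sweeping
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parent.parent.name
        result["path"] = str(manifest_path)
        findings.append(result)
    return findings


def build_sample_profile() -> Path:
    """Constructed sample profile: one lure-style extension, one benign one."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # constructed ID
            "manifest_version": 3,
            "name": "TikTok Downloader – Save Videos, No Watermark",
            "version": "2.4.1",
            "permissions": ["tabs", "webRequest", "cookies"],
            "host_permissions": ["<all_urls>"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # constructed ID
            "manifest_version": 3,
            "name": "Example Notes",
            "version": "1.0.0",
            "permissions": ["storage"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest),
                                                   encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a real Extensions directory to audit it, e.g. on Windows
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (Edge keeps the
    # same layout under Microsoft\Edge); with no argument the sample is used.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()
    for finding in scan_extensions_dir(target):
        print(f"[{finding['risk'].upper():6}] {finding['name']!r} "
              f"({finding['id']}) risky={finding['risky']}")
```

Anything graded "high" or "medium" deserves a look in the browser's extension manager; a downloader that holds `<all_urls>` plus `webRequest` and `cookies` can read every site's traffic and session, which is exactly the capability the article says StealTok switches on after its dormant period. Because that switch happens post-install, this sweep is worth re-running periodically rather than once at installation time.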

Conclusion

The StealTok malware campaign highlights a critical gap in browser-extension security. Relying solely on installation-time validation is no longer sufficient, because an extension that passes review can change its behaviour months later. As these extensions evolve post-installation, users must remain vigilant and proactive in managing their online security.

🔒 Pro Insight

The StealTok campaign exemplifies the evolving threat landscape of browser extensions, necessitating continuous monitoring and adaptive security measures.
