AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

Ravie Lakshmanan | March 27, 2026 | Ransomware / Malware

Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok Business accounts in a new campaign, according to a report from Push Security.

Business accounts on social networks are a lucrative target because, once compromised, they can be abused to carry out further malicious activity and spread malware.

“TikTok has historically been abused for distributing malicious links and social engineering commands,” Push Security said. “This includes many infostealers such as Vidar, StealC, and Aura Stealer that are delivered via ClickFix-style instructions with AI-generated videos inserted as opening instructions for Windows, Spotify, and CapCut.”

The campaign begins by tricking victims into clicking a malicious link that leads to a lookalike TikTok for Business page, or to a page impersonating Google Careers that offers the option of scheduling a call to discuss the opportunity.

It is worth noting that a previous iteration of this campaign was flagged by Sublime Security in October 2025, with emails posing as account access messages used as the social engineering lure.

Regardless of which page is served, the end goal is the same: present a Cloudflare Turnstile check to keep bots and automated scanners from analyzing the page's content, and then serve a malicious AitM phishing login page designed to steal the victim's login information.

Phishing pages are hosted on the following domains –


The development comes as another phishing campaign has been spotted using Scalable Vector Graphics (SVG) file attachments to deliver malware to targets in Venezuela.

According to a report published by WatchGuard, the messages contain SVG files with file names in Spanish, impersonating invoices, receipts, or budgets.

“When these malicious SVGs are opened, they connect to a URL that downloads a malicious artifact,” the company said. “This campaign uses ja.cat to shorten URLs from legitimate vulnerable domains that allow redirects to any URL, thus pinpointing the actual domain from which the malware is downloaded.”
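As an added example that is not from the article or from WatchGuard, the following Python script performs a defender-side triage of an SVG attachment for the kind of active and outbound content described above (script blocks, event handlers, and links that pull in a remote resource). The two sample SVGs and the example.invalid URLs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches absolute http(s) URLs inside attribute values or script text.
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)

def triage_svg(svg_text):
    """Return a de-duplicated list of findings for active or outbound SVG content."""
    findings = []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # drop the XML namespace
        if tag == "script":
            note("script element")
            for url in URL_RE.findall(el.text or ""):
                note(f"URL in script body: {url}")
        if tag == "foreignobject":
            note("foreignObject element (can embed HTML)")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()      # handles xlink:href as well
            if local.startswith("on"):                # onload, onclick, ...
                note(f"event handler {local} on <{tag}>")
            if local == "href":
                m = URL_RE.search(value)
                if m:
                    note(f"external href in <{tag}>: {m.group(0)}")
    return findings

def is_suspicious(svg_text):
    """True if the attachment should be held for analysis rather than rendered."""
    return bool(triage_svg(svg_text))

# Constructed samples (not from the campaign); example.invalid is a placeholder host.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect x="10" y="10" width="80" height="80" fill="#4a90d9"/>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script><![CDATA[ function go(){ window.location = "https://example.invalid/factura"; } ]]></script>
  <a xlink:href="https://example.invalid/recibo"><text x="10" y="20">Factura</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "HOLD" if is_suspicious(doc) else "ok", triage_svg(doc))
```

A mail gateway would apply this to every `image/svg+xml` attachment before it reaches a client that renders SVG in a browser engine; a plain image with no findings can pass, anything else is quarantined for analysis.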

The downloaded artifact is a piece of malware written in Go that overlaps with the BianLian ransomware sample described by SecurityScorecard in January 2024.

“This campaign is a stark reminder that even seemingly innocuous file types like SVGs can be used to deliver serious threats,” WatchGuard said. “In this case, a malicious SVG attachment was used to launch a series of phishing attacks that led to the delivery of malware associated with BianLian’s work.”
