AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion - The Hacker News

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion Ravie LakshmananMar 27, 2026Ransomware / Malware Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security. Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actors for malvertising and distributing malware. "TikTok has been historically abused to distribute malicious links and social engineering instructions," Push Security said. "This includes multiple infostealers like Vidar, StealC, and Aura Stealer delivered via ClickFix-style instructions with AI-generated videos posed as activation guides for Windows, Spotify, and CapCut." The campaign begins with tricking victims into clicking on a malicious link that directs them to either a lookalike page impersonating TikTok for Business or a page that's designed to impersonate Google Careers, along with an option to schedule a call to discuss the opportunity. It's worth noting that a prior iteration of this credential phishing campaign was flagged by Sublime Security in October 2025, with emails masquerading as outreach messages used as a social engineering tactic. Regardless of the type of page served, the end goal is the same: perform a Cloudflare Turnstile check to block bots and automated scanners from analyzing the contents of the page and serve a malicious AitM phishing page login page that's designed to steal their credentials. The phishing pages are hosted on the following domains - welcome.careerscrews[.]com welcome.careerstaffer[.]com welcome.careersworkflow[.]com welcome.careerstransform[.]com welcome.careersupskill[.]com welcome.careerssuccess[.]com welcome.careersstaffgrid[.]com welcome.careersprogress[.]com welcome.careersgrower[.]com welcome.careersengage[.]com welcome.careerscrews[.]com The development comes as another phishing campaign has been observed using Scalable Vector Graphics (SVG) file attachments to deliver malware to targets located in Venezuela. According to a report published by WatchGuard, the messages have SVG files with file names in Spanish, masquerading as invoices, receipts, or budgets.  "When these malicious SVGs are opened, they communicate with a URL that downloads the malicious artifact," the company said. "This campaign uses ja.cat to shorten URLs from legitimate domains that have a vulnerability that allows redirects to any URL, so they point to the original domain where the malware is downloaded." The downloaded artifact is a malware written in Go that shares overlaps with a BianLian ransomware sample detailed by SecurityScorecard in January 2024. "This campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats," WatchGuard said. "In this case, malicious SVG attachments were used to initiate a phishing chain that led to malware delivery associated with BianLian activity." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CloudFlare, cybersecurity, Infostealer, Malware, Phishing, ransomware, social engineering, TikTok Trending News Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Load More ▼ Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Fix Security Noise by Focusing Only on Validated Exposures Get the 2026 ASV Report to Benchmark Top Validation Tools