Over 10,000 harmful TikTok Shop websites are targeting users to obtain login details and distribute malware.

A sophisticated cybercriminal campaign known as “ClickTok” has emerged as a significant threat to TikTok Shop users globally. Researchers have identified over 10,000 malicious domains aimed at stealing user credentials and deploying advanced spyware. This campaign marks a notable escalation in e-commerce-focused cyberattacks, merging traditional phishing techniques with innovative malware distribution to exploit the rising popularity of TikTok’s in-app shopping platform. The threat actors behind ClickTok have devised a dual-pronged attack strategy that targets both regular shoppers and participants in TikTok’s affiliate program. The campaign utilises deceptive replicas of legitimate TikTok Shop interfaces, misleading users into believing they are engaging with official platform features. Fraudulent sites extend beyond mere TikTok Shop impersonation to include fake versions of TikTok Wholesale and TikTok Mall, creating a comprehensive ecosystem of malicious storefronts designed to maximise victim engagement.

CTM360 analysts first identified the ClickTok campaign in August 2025, revealing its sophisticated nature that exploits the trust users place in TikTok’s brand and the financial incentives associated with affiliate marketing programs. Researchers discovered that threat actors are distributing their malicious payload through over 5,000 distinct app download sites, employing embedded download links and QR codes to facilitate widespread distribution of trojanised applications. The attack methodology involves creating lookalike domains using low-cost top-level domains such as .top, .shop, and .icu, which serve dual purposes: hosting phishing pages for credential theft and distributing malicious applications. These domains are often hosted on shared or free hosting services, making them both cost-effective for attackers and challenging for defenders to track comprehensively. The campaign’s global reach extends far beyond the 17 countries where TikTok Shop is officially available, targeting users worldwide through AI-generated content and fake social media advertisements. The malicious applications distributed in this campaign deploy a variant of the SparkKitty spyware, establishing persistent communication with attacker-controlled infrastructure. Decompilation of the malware reveals hardcoded command and control servers, indicating either an immature threat actor or early-stage development, as more sophisticated malware typically employs dynamic C2 rotation techniques.