A trending challenge on social media site TikTok is being manipulated by cybercriminals to implement a huge, ongoing malware campaign. The hackers used TikTok, GitHub and Discord to create a scam that promotes itself, with over 30,000 subscribers so far.

Discord, TikTok and Github used to scam victims on social media. (Photo by Ti Vla/Shutterstock)

A filter on social media app TikTok has been used to tempt tens of thousands of victims to deploy a WASP infostealer through instant messaging app Discord. WASP infostealers can steal credit card information, passwords, cryptocurrency wallets and Discord accounts from a user’s PC. 

‘Invisible body’ scam uses TikTok, Discord and GitHub to deploy malware

TikTok’s “Invisible Challenge” trend has seen millions of users post naked pictures of themselves online using the “invisible body” filter, which edits them out of the video. The #invisiblefilter tag has over 25 million views. Some TikTok users have expressed interest in finding a workaround to the filter so they could expose the naked bodies in the pictures. This interest is being exploited by cybercriminals. 

According to a report by security company Checkmarx, two TikTok users posted videos advertising software that could remove the invisible body filter, with an invite link to join a Discord server called discord.gg/unfilter where links to the software would be provided. The videos attracted over a million views between them. 

Once the user has been lured onto the Discord server, a bot account sends an automatic invite message with a request to access the GitHub repository 420World69/TikTok-Unfilter-Api. This GitHub repository masquerades as an open-source tool to remove the filter, but actually harbours malware. 

“We can’t say the exact number of people who ran the malware, but this is the first time we have seen this type of activity and publicity fly under the radar,” said Guy Nachson supply chain security researcher at Checkmarx.

“What alarms us most is [the] use of legitimate services – TikTok, Discord and GitHub. The attacker uses an open-source malicious code hosted on GitHub, uploaded his project onto GitHub and used a TikTok trend to trick people into using his malicious project. Further, he built a community around his project.”

It seems this attack is ongoing. Whenever the security team deletes his packages, the hacker improvises and creates a new identity, or simply uses a different name, continues the report. “The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever,” Nachson told Recorded Future. 

“These attacks demonstrate again that cyberattackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023.”

Read more: Twitter data breach worse than first thought, researchers claim