Cloudflare Evasion: How Phishing Targets TikTok Business Accounts Through Turnstile Tactics

Threat Actors Exploit AitM Phishing Pages to Hijack TikTok for Business Accounts

Threat actors are using adversary-in-the-middle (AitM) phishing pages to take over TikTok for Business accounts in a new campaign, according to Push Security.

Business accounts linked to social media platforms are attractive targets for malicious activities, including malvertising and malware distribution.

Push Security stated, “TikTok has been misused in the past to spread malicious links and social engineering instructions.” The misuse involves various infostealers like Vidar, StealC, and Aura Stealer, which are delivered through ClickFix-style instructions using AI-generated videos posing as activation guides for Windows, Spotify, and CapCut.

The campaign commences by luring victims to click on a malicious link leading them to either a fake page impersonating TikTok for Business or a page mimicking Google Careers, offering an option to schedule a call for further discussion.

It’s important to highlight that Sublime Security had previously identified a similar credential phishing campaign in October 2025, where emails pretending to be outreach messages were used as part of the social engineering strategy.

Regardless of which lure page is shown, the end goal is the same: run a Cloudflare Turnstile check to keep bots and automated scanners away from the payload, then present an AitM phishing login page designed to steal the victim's credentials.

Phishing Campaign

The phishing pages are hosted on the following domains:


Meanwhile, a separate phishing campaign has been detected using Scalable Vector Graphics (SVG) file attachments to distribute malware to targets in Venezuela.

WatchGuard’s report revealed that the malicious messages contain SVG files with Spanish file names, posing as invoices, receipts, or budgets.

When opened, these malicious SVGs contact a URL that serves the malware. The campaign uses ja.cat to shorten URLs on legitimate domains that are vulnerable to open redirects, which then forward the victim to the domain actually hosting the malware.

The downloaded malware is written in Go and shares similarities with a BianLian ransomware sample identified by SecurityScorecard in January 2024.

WatchGuard emphasized, “This campaign serves as a stark reminder that seemingly innocuous file types like SVGs can be leveraged to deliver dangerous threats.” In this instance, malicious SVG attachments initiated a phishing chain resulting in malware delivery associated with BianLian activity.
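An SVG that behaves the way the WatchGuard report describes has to carry active content or an outbound reference, which mail-gateway and triage tooling can flag before the file reaches a user. The following is an added example (not WatchGuard's or Push Security's code) that parses an SVG attachment and reports script elements, event-handler attributes, and external hrefs; the sample SVG and its host are constructed placeholders, not indicators from the report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: an "invoice" SVG that, when rendered, navigates to an
# external URL. The host is a placeholder, not an indicator from the report.
SUSPICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://short.example/abc'">
  <text x="10" y="20">Factura 2025</text>
  <script>location.href='https://short.example/abc';</script>
</svg>"""

# Constructed benign sample: static vector graphics only.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe"}


def svg_findings(data: bytes) -> list:
    """Return human-readable reasons an SVG attachment deserves quarantine or review.

    An empty list means nothing active or outbound was found; it is not proof
    the file is safe, only that it does not match these signals.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    for el in root.iter():  # root.iter() includes the root element itself
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active content element <{tag}>")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()  # handles xlink:href as "href"
            if name.startswith("on"):  # onload, onclick, ... run on render
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href":
                host = urlparse(val).netloc
                if host:  # absolute URL pointing off-document
                    findings.append(f"external reference to {host} on <{tag}>")
            if "javascript:" in val.lower():
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, svg_findings(blob))
```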
