🚨 TikTok Seller US – Observed Auto-Download Behavior (June 2024 – Jan 2026) This post summarizes reproducible observations, collected artifacts, and third-party analysis results related to auto-downloaded files observed while logging into the official TikTok Seller US platform beginning in June 2024. This is not an attribution claim. The goal is documentation and correlation in case others observed similar behavior. 1. Environment & Context • Platform: seller-us[.]tiktok[.]com (official TikTok Seller US) • Login flow: tiktok[.]com → Seller Center → Login with TikTok • Browsers: Google Chrome, Microsoft Edge • Antivirus: Kaspersky (sole engine flagging at the time) • Devices: Primary work computer (bookmarked URL); separate spare laptop (fully updated, manual URL entry) 2. Initial Observation (late June 2024) During login, Kaspersky displayed repeated quarantine pop-ups. After multiple occurrences, detections were identified as: HEUR:Trojan.Script.Generic Detections occurred when: • Logging into Seller Center • Clicking affiliate links inside Seller Central (see profile banner screenshot for log showing seller-us[.]tiktok[.]com and affiliate-us[.]tiktok[.]com subdomains) TikTok support contacted June 28, 2024 (rep response: “this is quite alarming”) 3. Reproduction Same behavior replicated on spare laptop (unused for years, fully updated before testing, manual URL entry) Consistent File 7 Trojan detection across both machines and browsers. 4. Artifacts 11 .blob files auto-downloaded into IndexedDB folder, named sequentially: a, b, c, 2–9. Primary detected files: File 7: c026d2ae1d2439cc7200d0085b955cb0b8a53a80bf9c9585daac129041c4e716 File 8: 8a333b62d5c4580137ccd33ebbecb65b6fae4c45c78007c3becdef6beb95e067 All uploaded to VirusTotal and Hybrid Analysis 5. Capture Session (July 4, 2024) Traces screen recording per Kaspersky request → detection shifted to File 8. Archive permissions altered (SYSTEM user removed). Undetected files disappeared shortly after. System instability observed after session (high data usage notification → mouse unresponsive → forced shutdown required). Clock remained stuck on July 4 when restarted >1 month later. Files reappeared on reboot. 6. Analysis Results Early VT scans (July–Dec 2024): THOR YARA matches on both files (Linux script indicators, Base64/bash combos, Java ProcessBuilder, Through the Wire components). Jan 2026 reanalysis: Match to EXPL_SUSP_JS_POC_Dec25 → indicators from React Server RCE PoC (CVE-2025-55182). 7. Sandbox Behavior (File 7) CAPE/Zenbox: Executed as .hta via mshta.exe. Dropped additional .hta files. Interacted with browser cookies/cache/history. Locale/geofencing checks, anti-VM evasion. Memory contained RCE/XSS payloads with callback attempts to boe-i18n.oast-row.byted-dast[.]com (ByteDance internal DAST subdomain, paths for bash/python/nodejs/groovy/etc.). 8. Related Domains Observed Four .blob files contained references to titkok[.]com • 1a8b473ea7c8139c85cd21e74d3b7f1c7f1d500d791c69fe01fa5e3200d534c0 • dd2f1ae3942d4ea1a78de292220134d23ec52fbcab1ca6f736714750a76dcf22 • f977f1f35f4cc915d93c583804aea111402026629b26d01b28430bcc3eaad98d • 6d5b4e6c24c52cb3cf59f165a5d591d7ce19757fad66f6863917079a1d960e09 iktok[.]com surfaced during Filescan.io analysis of http://tiktok[.]com (OSINT flagged it as a malicious resource, SHA-256 URL: 1ab36b825f349bd687bfcfa07a8baccea8b6312528e06dfe2b369a0eedec379c) Both iktok[.]com and titkok[.]com domains frequently resolve/redirect to survey-smiles[.]com (reported in some OSINT sources as associated with LokiBot infrastructure at 199.59.243[.]228:80). Do not interact with these domains outside isolated environments. 9. Reporting & Response Multiple contacts to @tiktok_us (chat, email, BBB claim) → limited response ("use in-app support"), claim closed. Shared with Kaspersky and a Microsoft contact (who reviewed Hybrid Analysis uploads and requested a VM connection for further analysis). No definitive false-positive confirmation received. 10. Current Status Root cause remains unresolved from my perspective. Artifacts shared for visibility and potential correlation if others have observed similar behavior. 11. Notes I am not a security researcher. This archive reflects personal observations and third-party analysis outputs collected while managing a business seller account.

July 4, 2024 screen recording: Logging into official TikTok Seller US (seller-us-accounts[.]tiktok[.]com/account login flow with “Login with TikTok”) → File 8 detected as Trojan during the Kaspersky trace/recording session. (File 8 auto-downloads at the 1:22 mark)

Critical Security Vulnerability in React Server Components CVE-2025-55182 and rated CVSS 10.0 The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack react.dev/blog/2025/12/03/cr…

Files 7 and 8 match THOR YARA rule EXPL_SUSP_JS_POC_Dec25 → CVE-2025-55182 React2Shell RCE. Still unresolved since July ’24. File 7: c026d2ae1d2439cc7200d0085b955cb0b8a53a80bf9c9585daac129041c4e716 File 8: 8a333b62d5c4580137ccd33ebbecb65b6fae4c45c78007c3becdef6beb95e067

File 7, which auto-downloaded from TikTok Seller and was detected by Kaspersky as a Trojan, was recently executed in VirusTotal’s sandbox: virustotal.com/gui/file/c026… Hash: c026d2ae1d2439cc7200d0085b955cb0b8a53a80bf9c9585daac129041c4e716

I know I’ve been alerting the public about a Trojan auto-downloading from the TikTok Seller website for almost 10 months now. 🤦🏻‍♀️ For context, Kaspersky detected a Trojan after I logged in. I later discovered 10 other .blob files in the same IndexedDB folder that went undetected and eventually disappeared. I reported this issue to TikTok, Kaspersky, and Microsoft right away. The TikTok Seller rep I chatted with at the time said the Trojan was alarming, which made me even more alarmed. They opened a case and said I’d get an email, but I never did. I found two support emails and sent more evidence to TikTok, still no reply. So I filed a BBB claim. TikTok responded only to say they do not support this type of request through the BBB and that I should use their in-app support. I explained that I didn’t feel safe logging into their app or website. They basically repeated the same message, and the BBB closed my claim. I also shared the issue on TikTok’s official Reddit page, and they banned me. As for Kaspersky, they asked me to run traces and a screen recording. I did, but after saving them, I couldn’t open or upload the zip file. I didn’t know why at the time, so I emailed Kaspersky about it and told them that file 8 was detected this time. (not 7) Later, my laptop made a loud noise, and I saw “High Data Usage” for the first time ever. When I tried to scroll toward it, my mouse froze. Thinking my computer might be compromised, I shut it down and removed the battery. I updated Kaspersky, and when they finally responded, they told me to upload the trace files and screen recording to their portal along with file 8, which wasn’t helpful considering the situation. Not long after, news broke that Kaspersky was being banned in the U.S., and I was advised not to trust them. During this time, someone I know at Microsoft’s MSRC reached out. They found the information and code interesting enough to investigate, so they submitted it for analysis, and asked me to connect to a VM for them. I didn’t hear back for months, and now I’m told they’re still skeptical, but also can’t confirm it’s a false positive. I was told that I need to decode the code and show factual, reproducible evidence, but the thing is, I’m not a researcher, I’m just a user. But I’ve gathered concerning indicators using analysis tools, and that should be enough to warrant investigation, especially considering the platform involved. I was also advised to reach out to HackerOne or a bug bounty hunter. But I’m not in this for a bounty. I’m not trying to prove myself as a security researcher. I’m just a deeply concerned user reporting what appears to be an undetected Trojan that auto-downloads after logging into the TikTok Seller US website. I don’t know if the issue has been quietly resolved, but it still hasn’t been publicly acknowledged or confirmed to be a false positive, and that makes me uneasy. Someone even commented over a month ago that it looks like I was part of a botnet for laundering. I can’t prove that, but if true, it’s hard to believe I’m the only one affected by it. From my point of view, this is most likely malware. But if it’s not, I welcome anyone who can help confirm it’s a false positive. Either way, I appreciate you for hearing me out. Even if you’re skeptical, I understand. But cybersecurity is a collaboration, and I’m asking for your help, not just for one user, but for all who could be affected if this is actually malware or part of a botnet.

🚩 File 9, one of 11 .blob files that auto-downloaded after logging into the @tiktok_us Seller website, dropped a dangerous file, ~WRD0002.doc. Hybrid Analysis report from April 6, 2025, shows the most indicators I’ve seen yet, 101 total, including spyware, encryption, network activity, persistence, and evasion. Both files scored 50/100 but were marked clean by antivirus scans, suggesting possible evasion of standard security tools. ~WRD0002.doc (SHA256: bba92ee4de0f4db3d3a8d503ad2a019dfb70132944c4f54f901901dfe2fe72fa): hybrid-analysis.com/sample/b… File 9 (SHA256: 6d5b4e6c24c52cb3cf59f165a5d591d7ce19757fad66f6863917079a1d960e09): hybrid-analysis.com/sample/6…

March 23, 2025 @filescan_itsec report on https://www1[.]survey-smiles[.]com/bIlhWoeSp.js flags https://analytics[.]tiktok[.]com/i18n/pixel/events.js as an IOC. 🔗 filescan.io/uploads/67e0a4d0…

dnssense.com/post/dnssense-h… The article from DNSSense, published on November 12, 2023, and titled “DNSSense has discovered a new type of malicious domain that no other security vendor has yet detected,” delves into the company’s groundbreaking identification of a previously undetected variant of the “Survey-smiles[.]com” malware, a notorious threat that hijacks web browsers by redirecting users to “http://www1.survey-smiles[.]com/” whenever they use the address bar on a new webpage, persisting even with browser add-ons disabled. While most security vendors can block the known Survey-smiles[.]com domain, DNSSense’s AI-powered tool, Cyber X-Ray, uncovered a new evolution of this attack linked to over 650,000 domains, distinguished by their ability to redirect users to varying addresses on each visit and return a “Status Code 400 (Bad Request Error)” with a “survey-smiles[.]com” endpoint when subjected to a HEAD request—traits that had evaded other detection systems. Cyber X-Ray’s innovative, association-based approach analyzes hundreds of security features across internet assets like domains, IPs, and SSL certificates to spot patterns of malicious behavior, setting it apart from traditional blacklist-reliant tools and enabling this unique discovery. The article also highlights a broader trend observed by Cyber X-Ray: a near-100% surge in malicious “[.]ru” (Russia) and “[.]ua” (Ukraine) domains over the prior three months, signaling a rising cyber threat landscape. DNSSense positions this finding as evidence of the limitations of conventional defenses against evolving threats, advocating for proactive, AI-driven solutions like theirs to bolster organizational cybersecurity. By detailing this case, the article not only warns of the adaptability of malware like Survey-smiles[.]com but also underscores DNSSense’s leadership in DNS security, suggesting that their technology fills critical gaps left by other vendors as of November 2023.