Images used in Facebook ads tied to the NodeStealer malware campaign. Image: Bitdefender

An info-stealer campaign is now targeting Facebook users with revealing photos

Cybercriminals are using Facebook ads to distribute malware and hijack users' social media accounts, researchers have found.

In the so-called malvertising campaign, hackers exploit legitimate tools for online ad distribution and insert infected links into typical advertisements. To entice users into clicking, the campaign offers “provocative enticements” — in this case, lewd images of young women, according to cybersecurity researchers at Bitdefender.

The researchers report that the campaign is intended to deliver a new version of the NodeStealer malware to victims' devices. Some of the photos in the ads seem to have been edited or AI-generated.

NodeStealer is a relatively new info-stealer that, among other things, allows threat actors to steal victims’ browser cookies and take over Facebook accounts.

In a previous campaign, researchers observed hackers using NodeStealer to take over Facebook business accounts and steal money from cryptocurrency wallets. Researchers at Facebook parent Meta said they first identified the malware in January.

In the recent campaign described by Bitdefender, cybercriminals used at least 10 compromised business accounts to run and manage ads distributing the malware to regular Facebook users — primarily men in their 40s and older from Europe, Africa and the Caribbean.

Each click on the ad instantly downloads the malicious executable file to the victim's device. The researchers estimated that nearly 100,000 users downloaded the malware in just 10 days.

It is unclear which hacker group is behind this campaign. The first NodeStealer attacks were attributed to threat actors in Vietnam, who targeted business users through Facebook Messenger.

A NodeStealer variant discovered in the latest campaign is slightly updated, researchers said. It has new features that allow hackers to gain access to additional platforms, such as Gmail and Outlook, and download additional malicious payloads.

Once cybercriminals gain access to users’ browser cookies using the basic features of NodeStealer, they can take over Facebook accounts and access sensitive information, the researchers say.

Then, hackers can change passwords and activate additional security measures on accounts to completely deny access to the legitimate owner, allowing cybercriminals to commit fraud.

“Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cybercrooks to stay under the radar by sneaking past Meta’s security defenses,” the researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.