CopperStealer Malware Attacks Facebook and Instagram Business Accounts

The cybersecurity researchers at Proofpoint have recently issued all the details regarding a new undocumented malware, which is dubbed as “CopperStealer.”

According to the report, the threat actors are spreading this undocumented malware via fake software that continuously destroying the sites and targeting the users of major assistance providers like Google, Instagram, Facebook, Amazon, Apple. 

This undocumented malware, CopperStealer works like the previously identified malware SilentFade, which is a China-backed malware.

The cybersecurity experts concluded that along with Facebook and Instagram business accounts, it was also targeting the other major service providers that include Apple, Amazon, Google, PayPal, Tumblr, and Twitter, just after investigating a sample.

Distribution Methods

After a proper investigation, the cybersecurity analyst of Proofpoint has perceived suspicious websites that are displayed as “KeyGen” or “Crack” sites.

The websites also include “keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net,” which is continuously hosting samples that have remitted various malware issues, which also includes the CopperStealer as well.


These sites promote themselves to endeavor “cracks”, “keygen” and “serials” to bypass the licensing limitations of legitimate software.

Moreover, the security researchers have also recognized these sites eventually contribute Potentially Unwanted Programs/Applications (PUP/PUA) or manage other malicious executables competent for installing and downloading additional payloads.

Data Retrieval of Facebook and Instagram

This new malware has the ability to find and send saved browser passwords, and the following Internet browsers are examined by the researchers particularly for Facebook saved credentials:-

  • Edge
  • Yandex
  • Chrome
  • Opera
  • Firefox

Moreover, when the User Access Token is assembled, the malware demands several API endpoints for Facebook and Instagram so that it can gather more context.


These contexts include a list of friends, any commercial accounts configured for the user, and a full list of pages the user has been conferred access to. 

Major Version Updates

The analysts have affirmed that they have observed more than 80 different versions in the year and half CopperStealer has been grouped and scattered in the wild.

The release of new versions improved in frequency commencing in August 2020 and already stimulated between October 2020 and February 2021, along with various updates that are eventually being released every month.

Dangerous despite lack of sophistication

CopperStealers operates by harvesting passwords that are saved in the Google Chrome, Yandex, Edge, Firefox, and Opera web browsers, as we told.

Not only this but the malware has dropped utilizing CopperStealer’s downloader module which also involves the modular Smokeloader backdoor, and it also accommodates a wide collection of other malicious payloads that are being downloaded from different “URLs.”

Apart from this, the experts believe that CopperStealer isn’t the most treacherous credential/account stealer in survival, just like others it also has the basic capabilities, and its overall impact can be huge.

However, CopperStealer recovers a download configuration from the very common server that is the c2 server, it helps to extract an archive named “xldl.dat,” it generally resembles to be one of the legitimate download manager named Xunlei from Xunlei Networking Technologies Ltd. 

The Copperstealer goes after huge co-operation provider logins that are similar to social media and search engine accounts, as it helps the threat actors or the operators of it to advertise additional malware or other attacks.

Leave a Reply