Tuesday, May 6, 2025

Users of Facebook for Business are the Target of a New Phishing Attack


A previously unreported phishing campaign that distributes a Python version of the NodeStealer information stealer has been found.

NodeStealer gave threat actors the ability to steal browser cookies and use them to hijack users’ accounts on the platform, with a focus on business accounts.

The malware was first observed attacking browsers on Windows systems in late January 2023. Google Chrome, Microsoft Edge, Brave, and Opera are among the web browsers it can target.


When Palo Alto Networks looked into the emerging pattern, it discovered a previously unreported campaign that began around December 2022.

An attempt was made to target Facebook business accounts by using a phishing lure that offered tools like spreadsheet templates for businesses.

The information stealer delivered in this campaign has many similarities to the JavaScript-based NodeStealer variant, compiled in July 2022, that Meta analyzed.

The new campaign, however, included two Python-coded variations that had been enhanced with new capabilities to aid threat actors.

These versions were given downloader capabilities, the capacity for the threat actor to take over Facebook business accounts, and the ability to steal cryptocurrency.

“NodeStealer poses a great risk for both individuals and organizations. Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks”, researchers said.

Deep Dive Analysis Of The Malware

The primary focus of the phishing campaign, which took place in or around December 2022, was businesses’ advertising materials.

The threat actor posted content on several Facebook pages and user accounts to entice victims to click a link hosted on well-known cloud file storage services.

After clicking on it, a .zip file containing the malicious info stealer executable was downloaded to the computer.

Luring victims to download a malicious link

According to the report, the first variant discovered supports several capabilities: stealing credentials from the Google Chrome, Edge, Cốc Cốc, Brave, and Firefox web browsers; accessing a victim’s Facebook Business account; downloading additional malware; disabling Windows Defender via the GUI; and stealing funds from the MetaMask cryptocurrency wallet.

When the malware executes, it connects to https://business.facebook.com/ads/ad_limits/ and examines the header to determine whether a Facebook business account is currently signed in to the machine’s default browser.

If a business account is signed in, the malware uses the user ID and access token taken from that header to connect to the Graph API at graph.facebook.com.

NodeStealer takes various kinds of data about the target, such as the number of followers, the state of user authentication, the account credit balance if the account is prepaid, and information about advertisements.

Unit 42 found a second variation that has other functionality, including processing emails from Microsoft Outlook, data exfiltration over Telegram, hijacking a Facebook account, and anti-analysis capabilities.

Unlike the first variation, the second variant does not produce a lot of activity that is evident to the unwary user. The threat actor used the product name “Microsoft Corporation” for this variation.
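The account-takeover sequence described above (a probe of business.facebook.com/ads/ad_limits/ followed by Graph API calls carrying the harvested access token) and the second variant’s exfiltration over Telegram both leave a network trail that a real browser does not leave from a non-browser process. The following Python is an added example, not code from Palo Alto Networks or from this article, sketching how a detection engineer could correlate those two behaviours in endpoint telemetry. It assumes telemetry that records the originating process for each HTTP request (fields ts, host, process, dst_host, path, query); the sample log lines, the browser process list, and the 5-minute correlation window are constructed assumptions for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Process names treated as legitimate browsers (assumption for this example;
# tune to your fleet). Any other process hitting the endpoints below is
# suspicious, because the stealer runs as its own executable, not inside the browser.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Endpoints taken from the behaviour described in the article.
FB_PROBE_HOST = "business.facebook.com"
FB_PROBE_PATH = "/ads/ad_limits/"
GRAPH_HOST = "graph.facebook.com"
TELEGRAM_HOST = "api.telegram.org"
# Telegram Bot API upload/message paths look like /bot<id>:<secret>/sendDocument
TELEGRAM_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage)$")

# Constructed sample telemetry (one JSON object per line), not real data:
# WS-17 is a genuine browser session, WS-42 shows the stealer's full sequence,
# WS-09 is a lone Graph API call with no preceding probe.
SAMPLE_LOGS = """\
{"ts": "2023-08-01T09:00:01Z", "host": "WS-17", "process": "chrome.exe", "dst_host": "business.facebook.com", "path": "/ads/ad_limits/", "query": ""}
{"ts": "2023-08-01T09:00:05Z", "host": "WS-17", "process": "chrome.exe", "dst_host": "graph.facebook.com", "path": "/v17.0/me", "query": "access_token=EAAB..."}
{"ts": "2023-08-01T09:12:10Z", "host": "WS-42", "process": "document.exe", "dst_host": "business.facebook.com", "path": "/ads/ad_limits/", "query": ""}
{"ts": "2023-08-01T09:12:12Z", "host": "WS-42", "process": "document.exe", "dst_host": "graph.facebook.com", "path": "/v17.0/me/adaccounts", "query": "access_token=EAAB..."}
{"ts": "2023-08-01T09:13:40Z", "host": "WS-42", "process": "document.exe", "dst_host": "api.telegram.org", "path": "/bot123456:ABCdefGHI_jkl/sendDocument", "query": ""}
{"ts": "2023-08-01T11:30:00Z", "host": "WS-09", "process": "setup.exe", "dst_host": "graph.facebook.com", "path": "/v17.0/me", "query": "access_token=EAAB..."}
"""


def parse_logs(text):
    """Parse newline-delimited JSON telemetry into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def classify(ev):
    """Tag one event as fb_probe / graph_call / telegram_exfil, or None."""
    if ev["process"].lower() in BROWSER_PROCESSES:
        return None  # browsers legitimately talk to all of these hosts
    if ev["dst_host"] == FB_PROBE_HOST and ev["path"].startswith(FB_PROBE_PATH):
        return "fb_probe"
    if ev["dst_host"] == GRAPH_HOST and "access_token=" in ev["query"]:
        return "graph_call"
    if ev["dst_host"] == TELEGRAM_HOST and TELEGRAM_RE.match(ev["path"]):
        return "telegram_exfil"
    return None


def _alert(rule, ev):
    return {"rule": rule, "host": ev["host"], "process": ev["process"],
            "ts": ev["ts"].isoformat()}


def detect(events, window=timedelta(minutes=5)):
    """Correlate per (host, process): an ad_limits probe followed by a Graph API
    call within `window` raises a takeover alert; any Bot API upload from a
    non-browser process raises an exfiltration alert."""
    alerts = []
    last_probe = {}  # (host, process) -> timestamp of the most recent fb_probe
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        key = (ev["host"], ev["process"])
        if tag == "fb_probe":
            last_probe[key] = ev["ts"]
        elif tag == "graph_call":
            probe_ts = last_probe.pop(key, None)  # one alert per probe
            if probe_ts is not None and ev["ts"] - probe_ts <= window:
                alerts.append(_alert("facebook_business_takeover", ev))
        elif tag == "telegram_exfil":
            alerts.append(_alert("telegram_bot_exfil", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_logs(SAMPLE_LOGS)):
        print(json.dumps(a))
```

Run as-is it prints two alerts, both for WS-42. The lone Graph API call from setup.exe on WS-09 is deliberately not alerted: many legitimate SDKs call graph.facebook.com, and it is the probe-then-Graph sequence from the same non-browser process that reflects the behaviour in the report. The Telegram rule keys on the Bot API path shape, so it fires even when the bot token itself is unknown.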

Difference between the variants

“Both Ducktail and NodeStealer were previously suspected by Meta to originate from threat actors based in Vietnam”, the researchers said.

Analysis of the two variants showed the malware doing considerably more than its original purpose, with each added capability likely intended to increase the threat actor’s profit.

Owners of Facebook business accounts are advised to use strong passwords and enable multifactor authentication.

Organizations are also advised to educate their staff about phishing tactics, particularly modern, targeted approaches that piggyback on current events.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
