Sunday, May 11, 2025
Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ new techniques: recent variants focus on stealing Facebook Ads Manager budget details, potentially enabling malicious ad campaigns.

These variants also pilfer credit card information alongside browser credentials. To bypass security measures, the malware uses the Windows Restart Manager to unlock browser databases and incorporates obfuscation techniques such as junk code.

Additionally, it uses batch scripts to dynamically generate and execute the Python script, which adds a further layer of complexity to its operations.

A new NodeStealer variant targets Facebook Ads Manager accounts in addition to Facebook Business accounts: it steals login credentials and cookies and uses them to generate access tokens via the Facebook Graph API.

Routine to collect Facebook Ads Manager token

The malware then collects detailed information on the compromised account, including ID, name, currency, spending limits, and spending history.

Interestingly, it avoids targeting Vietnamese users: it checks the victim's IP address and exits if it detects a Vietnam location, suggesting that Vietnamese attackers target users outside their own country to evade local law enforcement.

Python NodeStealer uses the Windows Restart Manager to unlock browser database files: it registers the database files with Restart Manager and calls the `RmShutdown` function to terminate the processes holding locks on them, enabling the theft of the sensitive information they contain.

Routine to unlock browser database files

The malware also extracts credit card information from the “Web Data” SQLite database, which stores autofill data and saved payment methods.

By querying this database, the attacker can obtain crucial financial details like cardholder name, expiration date, and card number.

NodeStealer variants have also evolved to employ more sophisticated persistence techniques: they now use the current user's Run registry key to achieve auto-start on system boot, bypassing the traditional startup-folder method.

Dynamic generation via batch file

To evade detection, these variants incorporate extensive junk code to obfuscate the malicious script, and dynamic generation through batch files is used to assemble and execute the Python infostealer locally, eliminating the need for external downloads.
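A hunting rule for the behaviours described above (a non-browser process loading RstrtMgr.dll and then reading Chromium's "Login Data" or "Web Data" databases, and an HKCU Run-key entry pointing at a batch file or Python interpreter), written here as an added example rather than code from Netskope or the article; the event records are constructed to resemble Sysmon telemetry and are not from a real incident.

```python
"""Correlate endpoint events per process to flag the NodeStealer pattern:
RstrtMgr.dll loaded + browser credential/payment DB read by a non-browser,
and Run-key persistence that launches a .bat or python. Sample data is constructed."""
from collections import defaultdict

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
BROWSER_DBS = ("login data", "web data", "cookies")   # Chromium SQLite stores
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

SAMPLE_EVENTS = [  # constructed, Sysmon-like records (image_load / file_read / registry_set)
    {"pid": 4120, "image": "python.exe", "type": "image_load",
     "target": r"C:\Windows\System32\RstrtMgr.dll"},
    {"pid": 4120, "image": "python.exe", "type": "file_read",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 4120, "image": "python.exe", "type": "file_read",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2210, "image": "chrome.exe", "type": "file_read",   # the browser itself: benign
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5000, "image": "cmd.exe", "type": "registry_set",   # batch-file persistence
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "value": r"C:\Users\bob\AppData\Roaming\winupdate.bat"},
    {"pid": 900, "image": "OneDrive.exe", "type": "registry_set",  # ordinary Run entry
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

def hunt(events):
    """Return (pid, image, reason) findings for the supplied event records."""
    state = defaultdict(lambda: {"image": "", "rstrtmgr": False, "dbs": set()})
    findings = []
    for ev in events:
        target = ev["target"].lower()
        proc = state[ev["pid"]]
        proc["image"] = ev["image"].lower()
        if ev["type"] == "image_load" and target.endswith("\\rstrtmgr.dll"):
            proc["rstrtmgr"] = True
        elif ev["type"] == "file_read" and target.endswith(BROWSER_DBS):
            proc["dbs"].add(target.rsplit("\\", 1)[-1])
        elif ev["type"] == "registry_set" and target.startswith("hkcu\\") and RUN_KEY in target:
            value = ev.get("value", "").lower()
            if value.endswith(".bat") or "python" in value:   # heuristic from this variant
                findings.append((ev["pid"], ev["image"], "Run-key persistence -> " + ev["value"]))
    # Restart Manager use only matters when paired with a credential/payment DB read
    for pid, proc in state.items():
        if proc["rstrtmgr"] and proc["dbs"] and proc["image"] not in BROWSER_IMAGES:
            findings.append((pid, proc["image"],
                             "RstrtMgr.dll + browser DB read: " + ", ".join(sorted(proc["dbs"]))))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```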

According to Netskope, stolen data continues to be exfiltrated via Telegram, with the addition of system information like IP address, country, and hostname to the payload.
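A proxy-log check for the Telegram exfiltration channel described above, added here as an example (not code from Netskope or the article): any Bot API `send*` call to api.telegram.org from a source that is not an approved bot host is reported, with the bot token left out of the finding. The log lines, source addresses and token values are constructed placeholders.

```python
"""Flag Telegram Bot API uploads from workstations in proxy logs.
Log format (constructed): ts src method host path "user-agent" bytes_out."""
import re

LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) '
                  r'(?P<path>\S+) "(?P<ua>[^"]*)" (?P<bytes>\d+)$')
# Bot API paths look like /bot<numeric id>:<secret>/<method>; we never keep the secret
BOT_CALL = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>send\w+)")
ALLOWED_BOT_SOURCES = {"10.1.9.8"}   # constructed: the one host approved to run a chat bot

SAMPLE_LOG = """\
2024-11-21T10:02:11Z 10.1.4.23 POST api.telegram.org /bot1234567890:PLACEHOLDER_TOKEN_xxxxxxxxxxxxxxxxxxxx/sendDocument "python-requests/2.31.0" 48211
2024-11-21T10:02:13Z 10.1.4.23 POST api.telegram.org /bot1234567890:PLACEHOLDER_TOKEN_xxxxxxxxxxxxxxxxxxxx/sendMessage "python-requests/2.31.0" 812
2024-11-21T10:05:40Z 10.1.9.8 POST api.telegram.org /bot99:PLACEHOLDER_TOKEN_yyyyyyyyyyyyyyyyyyyy/sendMessage "curl/8.4.0" 240
2024-11-21T10:06:02Z 10.1.4.23 GET www.facebook.com /adsmanager/manage "Mozilla/5.0" 3012
"""

def find_exfil(log_text):
    """Return one finding per suspicious Bot API call, token redacted."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["host"] != "api.telegram.org":
            continue
        call = BOT_CALL.match(m["path"])
        if not call or m["src"] in ALLOWED_BOT_SOURCES:
            continue
        findings.append({"ts": m["ts"], "src": m["src"], "method": call["method"],
                         "bot_id": call["bot_id"], "ua": m["ua"],
                         "bytes_out": int(m["bytes"])})
    return findings

def bytes_out_by_source(findings):
    """Aggregate upload volume per source host, the figure an analyst triages first."""
    totals = {}
    for f in findings:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes_out"]
    return totals

if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG):
        print(f)
    print(bytes_out_by_source(find_exfil(SAMPLE_LOG)))
```

The bot id survives in the finding so the channel can be reported to Telegram and blocked at the proxy; the secret never does.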

Recent Python NodeStealer variants target Facebook Ads Manager and credit card data using techniques distinct from those of previous versions.

To mitigate these threats, security teams should implement detection, prevention, and hunting strategies tailored to these specific tactics.

Organizations can protect their systems and sensitive data more effectively by staying informed about the latest techniques used by these malware variants.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
