NodeStealer Targeting Facebook Business Accounts and Crypto Currency Wallets
Cyber security researchers at Palo Alto Unit 42 have discovered a new Python version of NodeStealer that can take over Facebook Business Accounts. Based on the available data, the primary way the data stealer spread was through a phishing campaign that occurred in December 2022. In this campaign, two data stealer versions, Variant #1 and Variant #2, were delivered. The campaign’s focus was to deceive people with business advertisements. The attackers used various Facebook pages and user accounts to post enticing information, leading victims to a download link on familiar cloud file storage services. Once they clicked on the link, a .zip file containing the harmful data stealer program was downloaded to their computer.
Figure 1 – Facebook post with the zip file link
Variations
Variation #1
The first variation of the data stealer was called word.exe, and it had the following features:
Stealing Facebook Business Account Information
Downloading Additional Malware
Disabling Windows Defender via GUI
MetaMask Theft
Figure 2 – Variation #1
Variation #2
The second variation of the data stealer was called MicrosoftOffice.exe, and it had the following features:
Taking over the stolen Facebook accounts
Reading emails
Anti-Analysis and Anti-VM
Figure 3 – Variation #2
The variations share some of their features but differ in other areas. The differences between the variants are shown below:
Figure 4 – Variations diagram
The suspected threat actor behind this campaign has Vietnamese origins and equipped the new variants with capabilities to steal crypto currencies, function as downloaders, and fully take over Facebook Business Accounts. The consequences of this malware can be severe for both individuals and organisations, leading to financial losses and damage to their reputations.
To combat this threat, we urge all organisations to review their security policies and take note of the indicators of compromise provided in Unit 42’s report. For Facebook Business Account owners, using strong passwords and enabling multifactor authentication is crucial to enhance security. Additionally, educating your organisation on phishing tactics, particularly modern and targeted approaches that exploit current events, business needs, and other appealing topics, is essential to stay vigilant against such attacks.