Facebook Business Pages Hijacked in SYS01 Infostealer-Distributing Malvertising Campaign

Published
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor
Created using Copilot | Powered by DALL.E 3

A sophisticated malvertising campaign leveraging Meta’s advertising platform to deceive users into downloading the SYS01 InfoStealer malware via impersonating well-known brands, such as software tools related to productivity, video or photo editing, VPNs, movie streaming services, instant messaging apps, and even video games.

According to the latest security research from BitDefender, this campaign has been active for over a month and sees cybercriminals impersonating popular brands like Capcut, Canva, Adobe Photoshop, ExpressVPN, VPN Plus, Netflix, Telegram, Super Mario Bros Wonder, Black Myth: Wukong, and more.

At the core of SYS01 Infostealer's operation is the objective to harvest Facebook credentials, particularly those linked to Facebook Business accounts. Once cybercriminals gain access, they leverage these accounts not only to compromise personal data but also to propagate further attacks through hijacked platforms. 

These compromised accounts serve as conduits for launching additional malicious ads without raising immediate red flags, as they appear legitimate and evade standard security filters.

Source: BitDefender

When using the fake video games ads, the threat actor either directly offered malicious samples via advertisements or reused malicious domains that impersonated a generic video game download platform.

The ads typically point or refer to a MediaFire link for the direct download of malware in a .zip archive that contains an Electron application, and the infection method they use is always the same, employing the Electron-embedded Javascript code to drop and execute malware.

To avoid detection, the hackers continuously adapt their tactics, updating malware versions and launching new ads. The malware employs sandbox detection to halt operations if analyzed in controlled environments, making it challenging for cybersecurity tools to discover.

Source: BitDefender

By utilizing hijacked Facebook business accounts, threat actors can exponentially scale their operations. Each compromised account is repurposed to disseminate further malicious ads, allowing the attack to expand its reach without the need to create fresh accounts manually. 

This strategy is both cost-effective and time-efficient, enabling cybercriminals to maintain operational stealth and avoid traditional detection methods such as email phishing campaigns.

Beyond promoting malicious campaigns, cybercriminals monetize their efforts by selling harvested credentials on underground marketplaces. Facebook Business accounts are particularly valuable, providing a lucrative source of income. 

Furthermore, stolen personal information—including login credentials, financial data, and security tokens—can be sold to other malicious entities, potentially fueling identity theft and other cybercrimes.

Utilizing nearly 100 malicious domains and a malvertising strategy that is evolving daily, the attack has a global reach, potentially affecting millions across regions such as the EU, North America, Australia, and Asia. Despite limited transparency from Meta outside the EU, the scale of the attack is concerning.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: