Tech Insight : Malware That Exploits Facebook Ads

In this insight, in reviewing how a malvertising campaign is hijacking Facebook accounts to spread the SYS01stealer malware, we examine the tactics used, plus we look at the impact on businesses and steps organisations can take to protect themselves. 

Exposed By Bitdefender 

Bucharest-based cybersecurity company Bitdefender has recently exposed a sophisticated malvertising campaign that leverages Facebook to distribute the SYS01stealer malware. The campaign targets Meta Business accounts with the goal of hijacking them and capturing sensitive user data. Bitdefender reports that this campaign uses deceptive Facebook ads that mimic well-known brands to drive users towards the malicious downloads. This campaign is notable because it highlights both the growing scale of malvertising threats and the advanced tactics now being used by cybercriminals. 

What Is Malvertising? 

Malvertising, or “malicious advertising,” is a cyber tactic where attackers use online ads to redirect users to malicious websites or deceive them into downloading malware, often bypassing traditional security measures. These ads often appear on reputable sites and social media platforms, mimicking popular software, streaming services, or applications, making it difficult for users to distinguish between legitimate and malicious content. Once clicked, the ads lead users to sites that prompt a malware download. This approach is highly effective because the ads blend seamlessly with genuine content, allowing campaigns like the SYS01stealer to exploit trusted brands and reach a wide audience undetected. 

The SYS01stealer Malware 

At the heart of this particular campaign is the SYS01stealer malware, which is a type of infostealer malware specifically engineered to harvest sensitive data from compromised devices. However, unlike more traditional infostealers, SYS01stealer’s primary focus is on accessing Meta Business accounts, especially those linked to Facebook, as it can use these accounts to propagate further malware. As a Bitdefender researcher explains, “The SYS01stealer malware has become a central weapon in this campaign, effectively targeting victims across multiple platforms,” illustrating its effectiveness in reaching a global audience. 

What Does It Steal And Why? 

The malware aims to capture login credentials, browser cookies, browsing history, and other data stored on the compromised device. However, it is particularly focused on Facebook credentials, especially those for business accounts, which are highly valuable in the digital underground. For example, once the hackers gain access to a business account, they can use it to launch further malicious ads that spread the malware to an even larger audience. This tactic not only widens the scope of the attack but also enables cybercriminals to operate under the radar, as the malicious ads come from legitimate Facebook accounts, reducing the chance of detection by platform moderators. 

Techniques and Methods Used in the Campaign 

The SYS01stealer malware is delivered through a malicious ElectronJS application embedded within a .zip archive. The ads direct users to a download link, typically hosted on a file-sharing service, where they can access what appears to be popular software, such as CapCut (a video editing app), Microsoft Office, or Netflix. When the user downloads and opens the file, an ‘Electron’ application is extracted, containing JavaScript code designed to deploy the malware covertly. 

To maintain its deception, the malware runs a decoy application in the foreground that appears to function as expected, distracting the user from the background activity. However, behind the scenes, the Electron app executes PowerShell commands to install SYS01stealer and activate its infostealing functions. As Bitdefender notes on its website, “In many cases, the malware runs in the background while a decoy app—often mimicking the ad-promoted software—appears to function normally, making it difficult for the victim to realise they’ve been compromised.” 

Anti-Sandbox Measures 

To further evade detection, the malware employs anti-sandbox measures to avoid being analysed by cybersecurity tools (a sandbox safely isolates and tests suspicious software). For example, it checks the system’s GPU model against a list of well-known GPU models and, if it detects a sandboxed environment, the malware will not activate. This level of sophistication makes SYS01stealer especially dangerous, as it can remain hidden from security tools and analysts who rely on sandboxed environments to study and intercept malware. 

Scope and Reach of the Malvertising Campaign 

Bitdefender’s research reveals that this campaign has “global” reach, with millions of potential victims across Europe, North America, Asia, and Australia. The campaign primarily targets men aged 45 and older, but its broad distribution means that any Facebook user could potentially encounter these malicious ads. 

Uses Well-Known Brands 

In the ads used to draw victims in, the hackers impersonate widely recognised brands, including productivity tools, video editing software, VPNs, streaming platforms, and video games. According to Bitdefender, “The widespread impersonation increases the likelihood of drawing in a broad audience, making the campaign highly effective.” 

Also Uses Malicious Domains 

The campaign also relies on a network of nearly 100 malicious domains to host the malware and facilitate command-and-control (C2) operations. This infrastructure enables the attackers to manage the campaign in real-time, allowing them to update payloads, evade detection, and ensure the malware reaches as many devices as possible. With each compromised Facebook Business account, the hackers stand to gain a new vehicle for distributing additional ads, further amplifying the reach of the campaign without needing to create new accounts. 

Dynamic 

In this particular campaign, it seems that the adaptability of the attackers, i.e. continuously updating their tactics, is playing an important role in helping them to circumvent detection. For example, when cybersecurity firms detect and block one version of the malware, the hackers modify the code, enhance obfuscation methods, and relaunch new ads with updated versions. This dynamic approach allows them to maintain a persistent presence on Facebook and other platforms, reaching new victims daily. 

The Business Model Behind the Attack 

Bitdefender has highlighted how the success of the SYS01stealer campaign is driven by a structured cybercriminal business model that makes the operation self-sustaining. As mentioned earlier, the key objective of SYS01stealer is to acquire Facebook credentials, particularly those linked to business accounts.  

By gaining access to Facebook’s advertising tools through compromised accounts, cybercriminals can create new, seemingly legitimate ads without arousing suspicion. These ads appear to be from real, verified business accounts, making it easier for the malware to bypass Facebook’s security filters. This tactic enables the attackers to expand their reach exponentially, reaching more victims with each wave of malicious ads. The hijacked accounts, therefore, are critical in scaling up the campaign, allowing each compromised account to be repurposed for promoting new ads without needing to create new accounts. 

The Dark Web 

Aside from promoting additional malicious ads, the cybercriminals can also monetise stolen credentials by selling them on dark web marketplaces. Facebook Business accounts, in particular, hold high value due to their advertising potential, making them a prime target for hackers. For example, the stolen personal data, including login credentials, financial information, and security tokens, can be sold to other malicious actors who may use it for identity theft or other crimes. This creates a revenue stream for the attackers, with each new victim providing potential financial gain. 

How Can You Protect Yourself and Your Business? 

Given the scope and sophistication of the SYS01stealer campaign, organisations should really adopt proactive measures to protect themselves and their users. Some key recommendations include: 

– Scrutinise online ads. Users should be cautious about clicking on ads that offer free downloads or suspiciously enticing offers. Verifying the legitimacy of the source before interacting with ads is a good approach. 

– Download software from official sources. It’s safest to always obtain software directly from the official website rather than through third-party platforms or file-sharing sites. 

– Install and update security software. Having robust antivirus software that is up to date and capable of detecting evolving threats like SYS01stealer is essential (for both individuals and organisations). 

– Enable two-factor authentication (2FA). Enabling 2FA, particularly on business accounts, provides an additional layer of security if credentials are compromised. 

–  Monitor your Facebook business accounts. Regularly check business accounts for unauthorised activity. If any suspicious activity is detected, it should be reported to Facebook immediately, and login credentials should be updated. 

Phishing Campaigns Misusing Eventbrite 

Similar tactics have been observed in phishing campaigns targeting popular ticketing platform Eventbrite. It appears that cybercriminals have been creating fake events to embed phishing links and distributing invitations through Eventbrite’s trusted domain to trick users into providing personal or financial information. 

These attacks have reportedly exploited Eventbrite’s legitimate email system, sending phishing messages from its verified domain (noreply@events.eventbrite.com), making them appear credible and helping them bypass spam filters. In this campaign, hackers are reported to have been impersonating well-known brands such as DHL or EnergyAustralia, and setting up fake events designed to prompt immediate action, such as confirming delivery details or paying an outstanding bill. When victims have clicked the embedded links, they’ve been redirected to phishing sites that mimic legitimate platforms, tricking them into handing over sensitive details like login credentials and payment information. 

This exploitation of a trusted platform like Eventbrite reflects a broader trend in cybercrime, where attackers use legitimate services to enhance the credibility of their schemes. Much like the SYS01stealer campaign, these phishing attacks demonstrate the need for increased vigilance and robust cybersecurity measures. Organisations and users alike may therefore be well advised to remain cautious of unsolicited communications, even when they appear to come from trusted sources. 

What Does This Mean For Your Business? 

The SYS01stealer campaign highlights the growing risks in digital advertising and demonstrates the need for businesses across all sectors to strengthen their cybersecurity awareness and practices. This attack shows how sophisticated cybercriminals have become in exploiting familiar platforms like Facebook to distribute malware, and it signals the importance of a comprehensive security approach that extends beyond conventional defences. 

For businesses, especially those using social media for marketing and engagement, this campaign emphasises the need for vigilance with social media accounts, particularly business accounts that might be targeted for hijacking. Any company using Facebook Business for ads or promotions should see this as a call to fortify account security through practices such as two-factor authentication and regular account monitoring. Given that cybercriminals are using these accounts to disguise malicious ads as legitimate, companies should also ensure that team members handling social media are aware of potential threats and know how to detect signs of unauthorised access or unusual activity. 

Beyond internal protections, businesses also rely on platforms like Facebook to enforce stricter security protocols and help prevent misuse. Many believe that platforms like Facebook, Google, and LinkedIn, frequent targets for malvertising, should seriously consider refining their ad vetting processes and developing more advanced AI-based filters to detect suspicious ads before they reach users. By improving detection of malicious campaigns and monitoring account access patterns, these platforms could help prevent cybercriminals from using legitimate ads to lure unsuspecting victims. 

For smaller businesses, which may have fewer resources for dedicated cybersecurity measures, these platform-level protections are especially critical. Facebook, for example, could offer enhanced ad review processes for business accounts and provide clearer tools for reporting suspicious ads or account activity. These efforts, coupled with ongoing cybersecurity education initiatives, would give businesses more support in protecting themselves and their customers. 

Ultimately, the SYS01stealer campaign reminds businesses across sectors to treat cybersecurity as a core component of customer trust and operational resilience. By enhancing their defences, staying alert to new threats, and collaborating with the platforms they use, businesses can better navigate the growing risks of the digital landscape while safeguarding both their assets and their reputation. This broad approach should help create a safer ecosystem, benefiting organisations, platforms, and users alike.