A recent analysis by Netskope Threat Labs has identified a new variant of the NodeStealer malware that is specifically targeting Facebook Business accounts in Southern Europe and North America. This malware focuses on victims in the manufacturing services and technology sectors and aims to steal cookies and passwords from web browsers, compromising accounts on platforms like Facebook [6], Gmail [1] [2] [3] [4] [5] [6] [9], and Outlook [1] [2] [3] [4] [5] [6] [9].


The NodeStealer malware [1] [2] [3] [4] [5] [6] [7] [8] [9], originally a JavaScript-based threat [4] [5] [7], has now evolved to utilize a Python variant. In December 2022 [4] [5] [9], Palo Alto Networks Unit 42 reported a wave of attacks using a Python version of the malware [2] [3], with some iterations specifically focused on cryptocurrency theft [2] [9]. Recent findings suggest that the Vietnamese threat actors responsible for these attacks have resumed their operations and are adopting tactics used by other adversaries in the country [4] [5].

The attackers employ deceptive messages sent via Facebook Messenger to trick victims into revealing their login details. These messages often contain ZIP or RAR archive files that deliver the NodeStealer malware. Once opened, a batch script is executed, which opens the Chrome web browser and initiates a PowerShell command to retrieve additional payloads [3] [5] [9]. The stolen credentials and cookies are then exfiltrated over Telegram [9].

This campaign has the potential to lead to more targeted attacks, as the attackers can utilize the stolen Facebook cookies and credentials to take over accounts and carry out fraudulent transactions [5] [9]. It is crucial to note that this campaign is ongoing and poses a significant threat to businesses and individuals alike.


The NodeStealer malware targeting Facebook Business accounts poses a significant threat to organizations in the manufacturing services and technology sectors. The stolen credentials and cookies can be used to carry out fraudulent transactions, potentially leading to financial losses. It is essential for businesses and individuals to remain vigilant and take necessary precautions to protect their accounts. Ongoing monitoring, strong passwords [1] [2] [3] [4] [6] [9], and regular software updates are some of the measures that can help mitigate the risks associated with this campaign.


[1] https://cyber.vumetric.com/security-news/2023/09/15/nodestealer-malware-now-targets-facebook-business-accounts-on-multiple-browsers/
[2] https://pledgetimes.com/nodestealer-malware-that-attacks-facebook-business-accounts/
[3] https://vulners.com/thn/THN:EADD69AC9AF56B9C03B663DB3CC3A564
[4] https://secoperations.wordpress.com/2023/09/16/nodestealer-malware-now-targets-facebook-business-accounts-on-multiple-browsers/
[5] https://www.redpacketsecurity.com/nodestealer-malware-now-targets-facebook-business-accounts-on-multiple-browsers/
[6] https://www.cyclonis.com/nodestealer-takes-aim-at-business-accounts-on-facebook/
[7] https://www.thetechoutlook.com/news/technology/security/dont-open-any-files-received-from-unknown-sources-nodestealer-malware-attacks-continues/
[8] https://cybersec84.wordpress.com/2023/09/16/nodestealer-malware-targets-facebook-business-accounts-on-chrome-firefox-and-edge/
[9] https://thehackernews.com/2023/09/nodestealer-malware-now-targets.html