Photo of Facebook Business Ads Tabs
© BigTunaOnline/

Hackers are spreading malware on Facebook via ads that “dangle access” to explicit photos of young women, Bitdefender warned in a report on Tuesday.

Threat actors use “lewd album covers” to entice unsuspecting victims into clicking on ads and downloading a media archive — unwittingly infecting their devices with NodeStealer, a notorious info stealer.

“Meta’s Ads Manager tool is actively exploited in these campaigns to target male users on Facebook, aged 18 to 65 from Europe, Africa, and the Caribbean,” Bitdefender said in a blog post. The most affected demographic is males aged 45 and above.

Meta’s security team first spotted NodeStealer in January this year. The info stealer, linked to Vietnamese threat actors, can steal browser cookies, bypass two-factor authentication, and allow hackers to take over Facebook accounts.

Bitdefender’s analysis shows that NodeStealer has been equipped with new capabilities. It can now infiltrate platforms like Gmail and Outlook, drain crypto wallet balances, and download malicious payloads.

Malware Has Over 100,000 Downloads

According to Bitdefender, the threat actors behind this campaign create multiple Facebook pages with innocuous names like “Album Update” and upload explicit photos of young women. They use previously compromised Facebook business accounts to run ads promoting these pages, usually with a brief text that creates a sense of urgency.

“New stuff is online today,” one ad reads. “Watch now before it’s deleted.”

Bitdefender estimates the malicious .exe “Photo Album” file containing NodeStealer has been downloaded 100,000 times.

“Given that each ad click instantly downloads the malicious archive, we’ve estimated 100,000 potential downloads from the Ad reach analysis, with a single ad having as many as 15,000 downloads within just a 24-hour rollout,” Bitdefender said.

The researchers found variations of the same ad used in up to 140 campaigns. “Attackers used a maximum of 5 active ads at a time and switched between them at 24-hour intervals to try to avoid ad reports from users,” the report explained.

It’s not uncommon for threat actors to use malvertising campaigns to snare unsuspecting targets. In August, cybersecurity firm Trend Micro revealed that criminals were leveraging the allure of AI chatbots to spread malware, also via Facebook ads. Besides Facebook, criminals are also known to spread malware via Google Ads.

How to Avoid Falling for Malvertising Schemes

It’s important to exercise caution on social media and practice good cyber hygiene to avoid falling for malvertising tricks. Avoid clicking suspicious links or downloading files from unknown sources, especially photo albums from Bitbucket, Gitlab, or Dropbox.

Also, use a solid antivirus to monitor your device and block malicious software. Read our guide to the best antivirus programs to see our top picks.

For more news, follow us on X (Twitter), Threads, and Mastodon!

Leave a comment