Keypoints
- Attackers take over legitimate Facebook accounts/pages and run sponsored ads impersonating AI tools (Midjourney, Sora, DALL·E, ChatGPT variants) to build trust and reach.
- Malicious ads and cloned websites link to executables (MSI/EXE) hosted on file-sharing services (GoFile, Dropbox, Google Drive) which install stealers and backdoors.
- One focal payload, Rilide Stealer V4, installs a Chromium browser extension (nmmhkkegccagdldgiimedpic) that targets cookies, tokens and credentials—especially Facebook cookies—to bypass protections and steal crypto funds.
- Other distributed payloads include Vidar Stealer, IceRAT (JPHP-based backdoor/gateway), and the newer Nova Stealer, all sold via MaaS and evolving to evade detection.
- Attackers use process-control scripts (ru.ps1) and installer commands to stop browsers, open legitimate-looking pages (e.g., Gemini) while silently loading malicious extensions and payloads.
- Malicious infrastructure includes dozens of cloned domains and IPs tied to Midjourney impersonation campaigns and numerous file hashes for infected installers.
MITRE Techniques
- [T1078] Valid Accounts – Attackers operate compromised Facebook pages and accounts to publish sponsored ads and distribute malware (‘Cybercrooks have taken over Facebook profiles to run sponsored malvertising campaigns impersonating Midjourney…’).
- [T1583.001] Acquire Infrastructure: Domains – Threat actors created many cloned domains to host fake landing pages and malicious downloads (‘Cybercriminals created over a dozen malicious websites mimicking the official Midjourney landing page…’).
- [T1204.002] User Execution: Malicious Link – Malicious ads link users to executable installers (MSI/EXE) and file-sharing links that prompt downloads and execution (‘The links direct users to malicious webpages that download a variety of intrusive stealers…’).
- [T1176] Browser Extensions – Attackers deploy a malicious browser extension (nmmhkkegccagdldgiimedpic) to harvest cookies, credentials and tokens from Chromium-based browsers (‘installs a browser extension that steals credentials, tokens, and cookies from Facebook accounts.’).
- [T1539] Steal Web Session Cookie – The extension and injected scripts target Facebook cookies and session data to enable account access and bypass 2FA for fund theft (‘The malicious extension mainly targets Facebook cookies’ and ‘withdraw crypto funds by bypassing 2FA through script injections’).
- [T1036] Masquerading – Malicious installers and extensions are disguised as legitimate AI tools or utility extensions (e.g., ‘masquerades as a Google Translate Extension’ and ‘poses as AI-related software… installs a browser extension’).
Indicators of Compromise
- [IP Address] Midjourney impersonation infrastructure – 159.89.120.191, 159.89.98.241
- [Malicious Domains] Cloned Midjourney / fake AI landing pages – https://aimidjourney[.]agency/, https://getmidjourney[.]tech/, and 25 other domains
- [File Hashes] Example malicious installer hashes – 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db (OpenAI Sora official version setup.msi), aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47 (Midjourneyv6.exe), and many more hashes
- [File Names] Fake installers and payloads – OpenAI Sora official version setup.msi, Midjourneyv6.exe
Threat actors compromise Facebook accounts and create impersonator pages, then boost reach through Meta’s sponsored ad platform to distribute malicious installers disguised as AI tools. These ads and pages point victims to cloned landing sites or file-sharing links (GoFile, Dropbox, Google Drive) that deliver MSI/EXE droppers; the droppers write to Program Files and run install scripts that silently load browser extensions and auxiliary files.
Sample droppers install a malicious Chromium extension (observed as nmmhkkegccagdldgiimedpic) and supporting scripts (background.js, content.js, ru.ps1). The installer often opens a legitimate-looking AI page (e.g., gemini[.]google[.]com) to mask activity while the extension injects scripts to harvest cookies, tokens, saved credentials and autofill data. The ru.ps1 script also stops browser processes to facilitate extension installation and execution.
The resulting payloads include Rilide Stealer V4 (Chromium extension targeting Facebook cookies, enabling 2FA bypass and crypto withdrawal), Vidar Stealer (info stealer), IceRAT (JPHP-based backdoor used as a gateway for secondary infections), and Nova Stealer (passwords, screen capture, Discord injection, wallet theft). Defenders should block listed domains/IPs, detect the known hashes and file names, and monitor for unexpected MSI installers and unauthorized browser extensions. Read more: https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/
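One way to act on the detection guidance above, as an added example that is not part of the original summary or of Bitdefender's tooling: a small host sweep that flags files matching the listed installer hashes and file names, and Chromium profile directories that contain the reported extension id. The directory layout (`<profile>/Extensions/<id>/<version>/`) is standard Chromium behaviour; the sample tree built by `build_sample_tree` is constructed test data, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators quoted from the summary above: two installer hashes, the file names, the extension id.
KNOWN_HASHES = {
    "2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db",
    "aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47",
}
KNOWN_NAMES = {"openai sora official version setup.msi", "midjourneyv6.exe", "ru.ps1"}
KNOWN_EXTENSION_IDS = {"nmmhkkegccagdldgiimedpic"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(root, known_hashes=KNOWN_HASHES, known_names=KNOWN_NAMES,
                  known_ext_ids=KNOWN_EXTENSION_IDS):
    """Walk `root` and return (path, reason) pairs for every indicator match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        # Chromium keeps installed extensions under <profile>/Extensions/<id>/<version>/
        if d.parent.name == "Extensions" and d.name in known_ext_ids:
            hits.append((str(d), "known malicious extension id"))
        for name in filenames:
            p = d / name
            if name.lower() in known_names:
                hits.append((str(p), "known malicious file name"))
            if p.suffix.lower() in {".exe", ".msi"}:  # the listed hashes are installer hashes
                try:
                    if sha256_of(p) in known_hashes:
                        hits.append((str(p), "known malicious hash"))
                except OSError:
                    pass  # locked or unreadable file: skip it rather than abort the sweep
    return hits

def build_sample_tree(base=None):
    """Constructed test data (not real malware): fake profile + fake installer; returns (base, hash)."""
    base = Path(base or tempfile.mkdtemp())
    ext = base / "Default" / "Extensions" / "nmmhkkegccagdldgiimedpic" / "1.0"
    ext.mkdir(parents=True, exist_ok=True)
    (ext / "manifest.json").write_text("{}")
    installer = base / "Midjourneyv6.exe"
    installer.write_bytes(b"constructed sample, not the real installer")
    return str(base), sha256_of(installer)
```

On a real endpoint, point `scan_for_iocs` at the user profile root (Chrome's `User Data` folder and the Downloads directory are the usual places) and feed any additional hashes from the full Bitdefender report into `known_hashes`.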