Key points
- Attackers used compromised Facebook business accounts and their ad credit to run ~140 malicious ad campaigns promoting “photo albums.”
- Clicking an ad immediately downloaded an archive containing a malicious Windows .exe (“Photo Album”) that drops a second .NET executable implementing NodeStealer v2.1.
- NodeStealer v2.1 is written in Node (JavaScript) and expanded to steal browser cookies, passwords, Gmail/Outlook access, and crypto wallet balances, plus download additional payloads.
- Malicious archives were hosted on Bitbucket, GitLab and Dropbox repositories; campaigns used rapid ad rotation (up to 5 active ads switching every 24 hours) to evade reports.
- Bitdefender observed up to ~15,000 downloads from a single 24-hour ad rollout and estimated ~100,000 potential downloads across the campaign.
- Known IOCs include multiple SHA256 hashes, a C2 endpoint (34.82.20.84:3000), and repository URLs: bitbucket[.]org/lxsoft/store/src/master/, gitlab[.]com/rftsoft/ase and a Dropbox link.
- Defenses: keep endpoint protection updated, avoid downloading unsolicited archives from ad links, and do not download “photo albums” from links hosted on Bitbucket/GitLab/Dropbox.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Ads delivered links that caused users to download archives and execute Windows binaries (‘Clicking on ads immediately downloads an archive containing a malicious .exe “Photo Album” file’).
- [T1189] Drive-by Compromise – Malicious ads and repository-hosted archives served as the vector to silently deliver and execute payloads on user systems (‘The “Albums,” in fact, point to either Bitbucket or Gitlab repositories that store an archive containing a Windows executable’).
- [T1539] Steal Web Session Cookie – The NodeStealer payload was used to harvest browser cookies to enable account takeover and bypass protections (‘NodeStealer … allows threat actors to steal browser cookies and conduct account takeovers at scale’).
- [T1071.001] Application Layer Protocol: Web Protocols – Malware communicated with a web-based C2 endpoint over HTTP to exfiltrate data and receive commands (‘hxxp://34.82.20.84:3000/v1/botlog/key’).
- [T1105] Ingress Tool Transfer – Additional payloads and components were downloaded from online repositories (Bitbucket, GitLab, Dropbox) to deploy the stealer (‘The “Albums,” in fact, point to either Bitbucket or Gitlab repositories that store an archive containing a Windows executable’).
- [T1059] Command and Scripting Interpreter – NodeStealer is implemented in JavaScript executed via Node.js, indicating use of scripting for malicious functionality (‘written in JavaScript and executed through Node.js’).
- [T1078] Valid Accounts – Harvested cookies and credentials were used to perform account takeover and maintain access to Facebook business and user accounts (‘The malware let attackers seize control of business accounts … and even bypassed security mechanisms such as two-factor authentication’).
Indicators of Compromise
- [SHA256 hashes] Malicious payloads – 2b94a313e55e7332b7bd5fbc74aa84f6…, f267da7be0c3fbfe85b4b0117c44cf22…, and 6 more hashes.
- [C2 IP/URL] Command-and-control endpoint – hxxp://34.82.20.84:3000/v1/botlog/key (used by the stealer to report and receive commands).
- [Malicious repositories] Hosting of malicious archives – hxxps://bitbucket[.]org/lxsoft/store/src/master/, hxxps://gitlab[.]com/rftsoft/ase, hxxps://dl.dropbox[.]com/scl/fi/mioy6rz517smvxsyi32wn/ (the ad links point to these repositories).
- [File names / delivery] Dropper and payload – Windows “Photo Album” .exe (archive downloaded directly when ad was clicked) and a secondary .NET executable that steals cookies/passwords.
- [Detection name] AV detection – Bitdefender flags these samples as Gen:Variant.FacebookAd.
Threat actors set up Facebook pages (e.g., “Album Update”) with provocative images and used compromised business accounts’ ad credit to run targeted ads that link to repository-hosted archives. Clicking an ad immediately downloads an archive that contains a Windows executable disguised as a photo album; that executable drops a secondary .NET binary which implements NodeStealer v2.1. The stealer, written in JavaScript for Node, harvests browser cookies and saved credentials, exfiltrates data to a web-based C2 (observed at 34.82.20.84:3000), and can fetch additional payloads from Bitbucket/GitLab/Dropbox locations.
NodeStealer v2.1 expands earlier functionality to target additional services (Gmail, Outlook), enumerate and report crypto wallet balances, and enable large-scale account takeover by using stolen session cookies to bypass controls like 2FA. Operators minimized detection by rotating a small set of active ads (up to five) on 24-hour cycles and hosting downloads on legitimate developer repositories, leading to tens of thousands of observed downloads during short ad rollouts.
Defensive guidance: block and investigate downloads originating from ad links and the listed repository URLs; treat unsolicited archive downloads as high risk; ensure endpoint protection detects Gen:Variant.FacebookAd signatures and is up to date; monitor for suspicious outbound web traffic to the C2 IP and unusual account activity indicating cookie-based takeover.
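The guidance above (block and investigate ad-originated downloads and the listed repository URLs, watch for traffic to the C2 endpoint) can be turned into a small proxy-log triage script. The following is an added example, not code from the report or from Bitdefender: it takes the indicators exactly as listed on this page, refangs them, and runs three checks over constructed proxy log lines in an assumed space-separated format (`timestamp src_ip method url status referrer`). The sample log, the archive file name `album.zip` and the archive extension list are constructed for illustration.

```python
"""Proxy-log triage for the NodeStealer ad-campaign indicators listed above.

Added example (not from the report). Log format is an assumed, constructed one:
<timestamp> <src_ip> <method> <url> <status> <referrer>  (referrer "-" if none).
Indicator values are the ones the report lists; everything else is assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn the report's defanged form (hxxp://, [.]) back into a usable URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


# C2 endpoint, copied from the IOC list in its defanged form.
_c2 = urlsplit(refang("hxxp://34.82.20.84:3000/v1/botlog/key"))
C2_HOST, C2_PORT = _c2.hostname, _c2.port      # "34.82.20.84", 3000
C2_PATH_PREFIX = "/v1/botlog/"                 # the botlog API prefix seen in the C2 URL

# Repository locations from the IOC list, matched on "host/path" prefix.
REPO_PATTERNS = [
    re.compile(r"^bitbucket\.org/lxsoft/store/", re.I),
    re.compile(r"^gitlab\.com/rftsoft/ase(/|$)", re.I),
    re.compile(r"^dl\.dropbox\.com/scl/fi/mioy6rz517smvxsyi32wn/", re.I),
]
# Assumed archive types; the report only says "archive".
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def _is_facebook_referrer(referrer: str) -> bool:
    """True if the request was referred from a Facebook host (i.e. an ad click)."""
    if not referrer or referrer == "-":
        return False
    host = (urlsplit(referrer).hostname or "").lower()
    return host == "facebook.com" or host.endswith(".facebook.com")


def check_line(line_no: int, line: str) -> list:
    """Apply the three rules to one log line; one line may trip several rules."""
    parts = line.split()
    if len(parts) != 6:
        return []                                # malformed line: skip, don't crash
    _ts, src_ip, _method, url, _status, referrer = parts
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    alerts = []
    # Rule 1: traffic to the stealer's C2, by host:port or by the botlog API path.
    if host == C2_HOST and (u.port == C2_PORT or path.startswith(C2_PATH_PREFIX)):
        alerts.append(Alert(line_no, "c2_beacon", f"{src_ip} -> {url}"))
    # Rule 2: fetch from one of the repositories that hosted the malicious archives.
    if any(p.match(f"{host}{path}") for p in REPO_PATTERNS):
        alerts.append(Alert(line_no, "ioc_repository", f"{src_ip} -> {url}"))
    # Rule 3: archive download whose referrer is an ad click on Facebook.
    if path.lower().endswith(ARCHIVE_EXTS) and _is_facebook_referrer(referrer):
        alerts.append(Alert(line_no, "ad_link_archive", f"{src_ip} -> {url} (ref {referrer})"))
    return alerts


def scan(log_text: str) -> list:
    """Scan a whole log and return every alert, in line order."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            alerts.extend(check_line(n, line))
    return alerts


# Constructed sample log: lines 1-4 should alert, line 5 is benign.
SAMPLE_LOG = """\
2024-08-01T10:14:55Z 10.0.0.23 GET https://bitbucket.org/lxsoft/store/src/master/album.zip 200 https://l.facebook.com/
2024-08-01T10:15:02Z 10.0.0.23 GET http://34.82.20.84:3000/v1/botlog/key 200 -
2024-08-01T10:15:10Z 10.0.0.44 GET https://gitlab.com/rftsoft/ase 200 https://www.facebook.com/
2024-08-01T10:16:00Z 10.0.0.51 GET https://cdn.example.com/vacation-photos.zip 200 https://lm.facebook.com/
2024-08-01T10:16:30Z 10.0.0.51 GET https://www.example.com/index.html 200 -
"""


def scan_sample() -> list:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for a in scan_sample():
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

Rule 3 is deliberately broader than the listed indicators: the report's point is that the archive download is triggered directly by the ad click, so an archive fetched with a Facebook referrer is worth a look even when the hosting URL is not one of the three known repositories (line 4 of the sample). Rules 1 and 2 are exact-indicator matches and will go stale as the actors move infrastructure, which is why the first line of a match should be a triage, not an automatic verdict.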