“Malverposting” — With Over 500K Estimated Infections, Facebook Ads Fuel This Evolving Stealer…

A large-scale “Malverposting” campaign abusing Facebook Ads has pushed adult-themed promoted posts that lead to ZIP downloads containing masqueraded executables; the operation is linked to a Vietnamese threat actor and is estimated to have surpassed 500k infections. The payload chain uses DLL sideloading via benign vendor binaries, dynamic retrieval from C2 servers, and an ionCube-encrypted PHP stealer (Ducktail/SYS01) to evade detection. #Malverposting #Ducktail

Keypoints

  • Attackers use paid Facebook Ads and hijacked business profiles to massively distribute malicious posts (malverposting), yielding high conversion and estimated 500k+ infections in months.
  • Victims are lured to download ZIP “photo album” files; inside, image-named files are actually executables that, when run, start the infection.
  • Infection flow opens a decoy browser window while the stealer runs silently in the background, establishes persistence, and exfiltrates browser session cookies, account data, and crypto-wallet information.
  • Payloads leverage legitimate vendor binaries (Western Digital, Seagate) to execute altered/sideloaded DLLs; in one case attackers recompiled Seagate DLLs and left PDB/debug artifacts revealing compilation details.
  • Deployments dynamically fetch further components from C2/file-serving domains using bundled curl and 7zip tools, reducing static fingerprinting opportunities.
  • The stealer is a PHP-based family (Ducktail/SYS01) now encrypted/precompiled with ionCube Loader, forcing manual reverse engineering and dynamic analysis for detection.
  • Campaign shows global distribution (focus: USA, Canada, UK, Australia), continual evolution of evasive techniques, and sustained abuse of ad-network infrastructure and hijacked reputation.

MITRE Techniques

  • [T1189] Drive-by Compromise – Delivery via promoted social posts that cause victims to download malicious ZIP files. (‘a malicious ZIP file is downloaded to their computers.’)
  • [T1204] User Execution – Execution relies on users extracting ZIPs and clicking masqueraded “photo” executables to start the infection. (‘photo files (that are actually masqueraded executable files) that when clicked will initiate the infection process.’)
  • [T1574.001] DLL Side-Loading – Malicious activity is triggered by a sideloaded DLL included with benign vendor executables. (‘The actual malicious activity is triggered by a sideloaded DLL (also part of the original tool)’)
  • [T1218] Signed Binary Proxy Execution – Attackers use legitimate vendor tools (WesternDigital/Seagate executables) as execution hosts to bypass detections. (‘the attacker used common system tools from Hard-Drive manufacturers (WesternDigital and Seagate) — executables you will probably find on most desktop systems’)
  • [T1105] Ingress Tool Transfer – Additional code is dynamically downloaded from C2 servers using bundled curl and 7zip binaries to fetch the stealer payload. (‘dynamically downloading the relevant code from C2 servers using curl and 7zip binaries’)
  • [T1539] Steal Web Session Cookie – The stealer collects and exfiltrates browser session cookies and account data. (‘periodically exfiltrate your sessions cookies, accounts, crypto-wallets and more.’)
  • [T1027] Obfuscated Files or Information – Payloads employ obfuscated strings, .NET-compiled DLL modifications, and ionCube bytecode encryption to impede static analysis. (‘using assembly and obfuscated strings to further hide itself’ and ‘encrypted and pre-compiled to bytecode using a tool called “ionCube Loader”’)

Indicators of Compromise

  • [Hijacked Facebook Pages/Profiles] used to promote malicious ads – https://www[.]facebook[.]com/DrTechnoPeru (1.3M followers example), https://www[.]facebook[.]com/altrkstore, and other hijacked business pages
  • [Landing Page Domains] domains used in Facebook Ads landing pages – apps-blue[.]com, myprivatephotoalbum[.]top, and 40+ other advertising domains
  • [File-Serving / C2 Domains] domains hosting payloads and C2 – c1.cembuyukhanli[.]com, dl.privatecollection[.]top, and 20+ additional file-serving/C2 hosts
  • [Malicious Filenames] named ZIP payloads delivered to victims – ONS_Bokyem{randomseed}.zip, GirlLeakFull.zip, and many other “Album_*.zip” variants
  • [File Hashes] example hashes of malicious ZIP/executable samples – 011c8af33ecff78288588aa434e4cc4ea78d208c669c01b2f724e68aae3f0a0c, 01ba6ccb04787905b57b634dd7549081e989d0d1efcfb9f9efc93bcd558811ee, and 200+ additional hashes

The campaign’s technical delivery chain begins with promoted Facebook posts (malverposting) pointing to landing pages that serve ZIP “photo album” files. Those ZIPs contain files named like images but implemented as executables; when a victim extracts and launches one, the payload opens a decoy browser window while executing the malicious installer in the background to establish persistence and steal session cookies, account credentials, and crypto-wallet data.
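As an added defensive example (not code from the article or from Guardio), the following Python script inspects a ZIP archive the way a download or mail gateway might, flagging entries whose name looks like a photo but whose bytes carry a Windows PE header, or whose name hides an executable extension behind an image one. The archive, its entry names and the PE stub are constructed here for illustration; the extension lists are assumptions, not indicators from the article.

```python
import io
import os
import struct
import zipfile

# Constructed heuristics (assumption): which extensions count as "image-like" and "executable".
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def name_verdicts(name: str):
    """Name-based checks: does it look like an image, and is an exec extension hidden behind one?"""
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    looks_image = ext in IMAGE_EXTS
    inner_ext = os.path.splitext(root)[1]
    double_ext = ext in EXEC_EXTS and inner_ext in IMAGE_EXTS
    return looks_image, double_ext


def scan_album_zip(zip_bytes: bytes, sniff_len: int = 4096):
    """Return [(entry_name, reason), ...] for entries that warrant blocking or alerting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(sniff_len)  # only the header is needed for the PE check
            looks_image, double_ext = name_verdicts(info.filename)
            if double_ext:
                findings.append((info.filename, "executable extension hidden behind image extension"))
            elif looks_image and is_pe(head):
                findings.append((info.filename, "PE executable body under an image filename"))
            elif is_pe(head) and os.path.splitext(info.filename.lower())[1] not in EXEC_EXTS:
                findings.append((info.filename, "PE executable body under a non-executable filename"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure: a real JPEG header, two masqueraded PEs, a text file."""
    # Minimal MZ stub with e_lfanew = 0x40 pointing at a PE\0\0 signature (constructed, not a real binary).
    pe_stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Album/IMG_0001.jpg", jpeg_stub)       # genuine image bytes
        zf.writestr("Album/IMG_0023.jpg", pe_stub)         # PE body behind an image name
        zf.writestr("Album/IMG_0024.jpg.exe", pe_stub)     # double extension
        zf.writestr("Album/readme.txt", b"enjoy the album\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_album_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Sniffing the first few kilobytes of each entry is enough for the MZ/PE check, so the scan stays cheap even on large archives; a gateway would normally quarantine the whole ZIP on the first finding rather than strip individual entries.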

For evasion and execution, attackers rely on legitimate vendor binaries (Western Digital and Seagate executables) to load modified .NET DLLs (DLL sideloading). The injected DLLs contain obfuscated assemblies and strings; in at least one variant attackers included debug/PDB artifacts implying recompilation of vendor code. Later stages use bundled tools (renamed curl and 7zip) to pull additional components from distributed C2/file-serving domains, reducing static fingerprinting of the delivered ZIP itself.
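The PDB artifacts left in recompiled DLLs are a useful triage pivot. As an added example, not from the article, this Python helper does a raw scan of a file for CodeView RSDS records (the form Visual Studio emits) and recovers the PDB path, GUID and age from each. The DLL bytes and the PDB path below are constructed; a raw scan rather than a full PE debug-directory parse is a deliberate simplification, and the `.pdb` suffix check is there because the four-byte marker can also occur in unrelated data.

```python
import re
import struct
import uuid

RSDS_RE = re.compile(rb"RSDS")


def extract_pdb_records(data: bytes):
    """Return [(guid, age, pdb_path), ...] for every CodeView RSDS record found by raw scan."""
    records = []
    for m in RSDS_RE.finditer(data):
        start = m.end()
        if start + 20 > len(data):          # need 16-byte GUID + 4-byte age
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack_from("<I", data, start + 16)[0]
        end = data.find(b"\x00", start + 20)  # path is NUL-terminated
        if end == -1:
            continue
        try:
            path = data[start + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if not path.lower().endswith(".pdb"):
            continue                          # not a CodeView record, just the bytes "RSDS"
        records.append((str(guid), age, path))
    return records


def build_user_from_pdb_path(path: str):
    """Pull the Windows account name out of a C:\\Users\\<name>\\... build path, if present."""
    parts = path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "users":
            return parts[i + 1]
    return None


def build_sample_dll() -> bytes:
    """Constructed bytes standing in for a recompiled DLL with one RSDS record (not a real binary)."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    rec = b"RSDS" + guid.bytes_le + struct.pack("<I", 3)
    rec += b"C:\\Users\\builduser\\source\\repos\\SampleSideload\\Release\\SampleSideload.pdb\x00"
    return b"\x00" * 32 + b"RSDS_not_a_record" + b"\x00" * 8 + rec + b"\x00" * 16


if __name__ == "__main__":
    for guid, age, path in extract_pdb_records(build_sample_dll()):
        print(guid, age, path, build_user_from_pdb_path(path))
```

The account name and project directory recovered this way are what let analysts link samples from one build environment, which is the value of the PDB slip the article describes.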

The final stealer is a PHP-based family (Ducktail/SYS01) that the operators now encrypt and precompile into ionCube bytecode, preventing quick static inspection and forcing dynamic or manual reverse engineering to recover behavior or IOCs. Combined with scale afforded by ad networks and hijacked ad-credited business profiles, these techniques significantly delay detection and remediation while enabling rapid global distribution.

Read more: https://medium.com/@guardiosecurity/malverposting-with-over-500k-estimated-infections-facebook-ads-fuel-this-evolving-stealer-54b03d24b349?source=rss-6a038e71ff0f——2