Keypoints
- Attackers use Meta advertising to distribute malware while impersonating popular brands and services.
- SYS01 InfoStealer is delivered inside ElectronJs applications packaged in ASAR archives and distributed via file-hosting links.
- The campaign relies on almost a hundred malicious domains for distribution and command-and-control infrastructure.
- The operation has global reach and potentially affects millions, with notable targeting of Facebook Business pages and older male demographics.
- Threat actors employ sandbox checks, obfuscation, and rapid code updates to evade detection and response.
- Compromised Facebook accounts are reused to create and scale malicious ads, enabling the campaign to self-propagate and monetize stolen data.
MITRE Techniques
- [T1071] Command and Control — Uses numerous C2 domains to maintain communication with infected hosts; quote: “Utilizes multiple command and control domains to maintain communication with compromised systems.”
- [T1003] Credential Dumping — Harvests stored credentials and tokens from browsers and systems to escalate access; quote: “Harvests credentials from compromised systems to gain unauthorized access to accounts.”
- [T1203] Malware Delivery — Pushes malicious installers via malvertising and file-hosting links to trick victims into installing infostealers; quote: “Distributes malware through malicious advertisements and compromised software.”
- [T1098] Account Manipulation — Hijacks legitimate Facebook Business accounts to create and distribute malicious advertisements at scale; quote: “Hijacks legitimate accounts to create and distribute malicious ads.”
- [T1027] Obfuscated Files or Information — Embeds obfuscated JavaScript, IonCube-encoded PHP, and packed archives to hide payloads and hinder analysis; quote: “Uses obfuscation techniques to hide malicious code and evade detection.”
Indicators of Compromise
- [Domains] Malware hosting — krouki[.]com, goodsuccessmedia[.]com, and several others (and other hosting domains such as kimiclass[.]com, eviralmedia[.]com)
- [Domains] C2 infrastructure — musament[.]top, lucielarouche[.]com, and additional C2 domains (e.g., enorgutic[.]top, untratem[.]top)
- [File names] Malicious package contents — app.asar, main.js, index.php, include.php (used for loader, unpacking, persistence, and infostealer)
- [Executable & hash] Standalone extractor included in archives — 7za.exe (example hash: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf)
- [Hosting/service] File-hosting used for distribution — MediaFire links used as download points for the malicious .zip archives
Bitdefender Labs has tracked a coordinated malvertising operation that weaponizes Meta's ad platform to spread an information-stealing strain known as SYS01. Attackers craft deceptive ads that mimic legitimate brands and services to convince users to download software packages; those packages are typically ZIP archives hosted on file-sharing services like MediaFire that contain an ElectronJs application. Once unpacked, the Electron bundle includes an ASAR archive that hides obfuscated JavaScript (main.js), a standalone archiver (7za.exe), a password-protected inner archive, and often PowerShell and PHP components. The JavaScript unpacks and executes the hidden content, sometimes via intermediary PowerShell commands, and newer samples will run the unzipping directly from within main.js.
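The ASAR container is what hides the loader, the archiver and the inner archive, so a first triage step is to list what an app.asar actually carries. The following Python helper is an added example, not code from the Bitdefender report: it builds a small ASAR in the layout Electron uses (an 8-byte size pickle, a pickle holding a JSON file tree, then the raw file data, with per-file offsets relative to the end of the header), parses it back, and flags the component types the report describes. The sample file contents and paths are constructed placeholders; the only real artifacts referenced are the file names from the report.

```python
import json
import struct

# Constructed sample package modelled on the bundle described in the report:
# a loader script, a standalone 7-Zip executable and a password-protected
# inner archive. Every content blob is a placeholder, not real malware.
SAMPLE_FILES = {
    "package.json": b'{"name": "app", "main": "main.js"}',
    "main.js": b"/* placeholder loader: spawns 7za.exe to unpack data.zip */",
    "resources/7za.exe": b"MZ" + b"\x00" * 510,
    # ZIP local file header with general-purpose flag bit 0 set (encrypted entry).
    "resources/data.zip": b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 2040,
}

ARCHIVER_NAMES = {"7za.exe", "7z.exe", "php.exe"}


def _pickle_string(raw: bytes) -> bytes:
    """Chromium Pickle string: uint32 byte length, bytes, zero-padded to 4."""
    body = struct.pack("<I", len(raw)) + raw
    return body + b"\x00" * (-len(body) % 4)


def build_asar(files: dict) -> bytes:
    """Pack {path: bytes} into ASAR layout: size pickle, header pickle, file data."""
    tree = {"files": {}}
    blob = b""
    for path, data in files.items():
        node = tree["files"]
        parts = path.split("/")
        for directory in parts[:-1]:
            node = node.setdefault(directory, {"files": {}})["files"]
        # Offsets are decimal strings relative to the end of the header.
        node[parts[-1]] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header_payload = _pickle_string(json.dumps(tree).encode())
    header_pickle = struct.pack("<I", len(header_payload)) + header_payload
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + blob


def parse_asar(data: bytes) -> dict:
    """Walk the JSON header and return {path: bytes} for every packed file."""
    header_size = struct.unpack_from("<I", data, 4)[0]
    header = data[8:8 + header_size]
    json_len = struct.unpack_from("<I", header, 4)[0]
    tree = json.loads(header[8:8 + json_len])
    base = 8 + header_size
    entries = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            path = prefix + name
            if "files" in meta:
                walk(meta, path + "/")
            elif "offset" in meta:  # "unpacked" entries live outside the archive
                start = base + int(meta["offset"])
                entries[path] = data[start:start + meta["size"]]

    walk(tree, "")
    return entries


def triage(entries: dict) -> list:
    """Flag components that match the loader pattern described in the report."""
    findings = []
    for path, content in entries.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name in ARCHIVER_NAMES or content[:2] == b"MZ":
            findings.append((path, "embedded PE executable"))
        if name.endswith((".ps1", ".php", ".bat")):
            findings.append((path, "script component"))
        if name.endswith(".js") and (b"7za" in content or b"powershell" in content.lower()):
            findings.append((path, "JavaScript referencing an archiver or PowerShell"))
        if content[:4] == b"PK\x03\x04" and len(content) >= 8:
            flags = struct.unpack_from("<H", content, 6)[0]
            label = "nested zip archive, encrypted entries" if flags & 1 else "nested zip archive"
            findings.append((path, label))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_asar(build_asar(SAMPLE_FILES))):
        print(f"{path}: {reason}")
```

Running `parse_asar` on a real app.asar works the same way (read the file bytes and pass them in); the builder exists only so the example is self-contained. A legitimate Electron app rarely ships a standalone 7-Zip binary or an encrypted ZIP inside its ASAR, so those two findings are the strongest signals here.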
To avoid analysis and automated detection, the malware performs several sandbox checks before activating. One prominent anti-analysis measure enumerates GPU models on the host and compares them against a packaged list; if the GPU is not recognized, the malicious chain aborts. When the checks pass, the extraction continues and a PHP interpreter runs PHP scripts (commonly include.php and index.php) that have been encoded with IonCube, complicating reverse engineering. The PHP components implement persistence by creating two Windows Task Scheduler tasks, named WDNA and WDNA_LG, that ensure the infostealer runs periodically and at each user logon, using commands like php.exe index.php.
Memory analysis of the running php.exe process reveals clear markers and capabilities: the string SYS01 appears repeatedly, numerous C2 domains are present, and the code contains SQL queries for extracting browser cookies (for example, SELECT * FROM moz_cookies). The infostealer can query hardcoded C2 servers or retrieve additional command-and-control addresses dynamically via Telegram bots or public Google pages. Simple API calls such as https://{C2_DOMAIN}/api/rss?a=ping let operators check C2 availability, while other API responses include a resource field populated with Meta Graph API calls intended to probe the victim's Facebook accounts. Collecting cookies, tokens, and Facebook-related data is a core goal, likely because access to Facebook Business pages enables the attackers to expand the campaign.
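The persistence tasks from the previous paragraph (WDNA, WDNA_LG, php.exe index.php) and the C2 traffic pattern from this one (the listed domains and the /api/rss?a=ping availability check) are the most concrete hunting hooks in the report. The following Python is an added example, not code from Bitdefender, showing how those hooks translate into detection logic run over a few constructed telemetry records (scheduled-task creation, process creation and web-proxy events in a simplified shape). Host names, file paths and the `.example` domain are placeholders; the domains and task names come from the report.

```python
from urllib.parse import parse_qs, urlsplit

# C2 domains as listed in the report (defanged); refanged here for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "musament[.]top", "lucielarouche[.]com", "enorgutic[.]top", "untratem[.]top",
)}
# Scheduled task names the report attributes to the PHP persistence stage.
PERSISTENCE_TASKS = {"WDNA", "WDNA_LG"}

# Constructed telemetry: task-creation, process-creation and proxy records
# in a simplified JSON-like shape. Hosts, paths and the .example domain are
# placeholders, not values from the report.
EVENTS = [
    {"type": "task_created", "host": "WS01", "task": "\\WDNA",
     "action": r"C:\Users\u1\AppData\Roaming\php\php.exe index.php"},
    {"type": "task_created", "host": "WS01", "task": "\\WDNA_LG",
     "action": r"C:\Users\u1\AppData\Roaming\php\php.exe index.php", "trigger": "logon"},
    {"type": "task_created", "host": "WS02", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe -c"},
    {"type": "process", "host": "WS01", "image": r"C:\Users\u1\AppData\Roaming\php\php.exe",
     "cmdline": "php.exe index.php"},
    {"type": "process", "host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "http", "host": "WS01", "url": "https://musament.top/api/rss?a=ping"},
    {"type": "http", "host": "WS02", "url": "https://unlisted-c2.example/api/rss?a=ping"},
    {"type": "http", "host": "WS02", "url": "https://www.example.org/index.html"},
]


def check_task(ev):
    """Known persistence task names first, then the generic php.exe index.php action."""
    name = ev["task"].lstrip("\\").upper()
    if name in PERSISTENCE_TASKS:
        return "high", f"scheduled task {ev['task']} matches SYS01 persistence name"
    action = ev.get("action", "").lower()
    if "php.exe" in action and "index.php" in action:
        return "medium", f"scheduled task {ev['task']} runs php.exe index.php"
    return None


def check_process(ev):
    """A PHP interpreter executing index.php on a workstation is the infostealer stage."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image == "php.exe" and "index.php" in ev.get("cmdline", "").lower():
        return "medium", "php.exe executing index.php (SYS01 infostealer stage)"
    return None


def check_http(ev):
    """Listed C2 domains, then the /api/rss?a=ping check on any other host."""
    parts = urlsplit(ev["url"])
    host = (parts.hostname or "").lower()
    if host in C2_DOMAINS:
        return "high", f"connection to listed SYS01 C2 domain {host}"
    if parts.path == "/api/rss" and parse_qs(parts.query).get("a") == ["ping"]:
        return "medium", f"SYS01-style C2 availability check (/api/rss?a=ping) to {host}"
    return None


CHECKS = {"task_created": check_task, "process": check_process, "http": check_http}


def scan(events):
    """Apply the check for each event type; return one finding per hit."""
    findings = []
    for ev in events:
        result = CHECKS.get(ev["type"], lambda _: None)(ev)
        if result:
            severity, detail = result
            findings.append({"host": ev["host"], "severity": severity, "detail": detail})
    return findings


def summarize(findings):
    """Count findings per severity so hosts can be prioritized for triage."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['detail']}")
```

The path-and-query rule is deliberately separate from the domain list: the report notes that C2 addresses are also fetched dynamically, so a domain list alone goes stale, whereas the ping endpoint shape is a behaviour worth matching regardless of host. Task names are upper-cased before comparison because Task Scheduler names are case-insensitive.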
The advertising campaign's reach is large and geographically diverse. Bitdefender observed thousands of ads and close to one hundred malicious domains used both for distribution and live C2 operations. The ads impersonate a very wide range of software and services: video editors (CapCut, Photoshop, Canva), productivity suites (Office 365), VPNs (Express VPN), streaming platforms (Netflix), messaging apps (Telegram), and even video game download pages or promotions (including Super Mario Bros Wonder and other popular titles). Some ads have run for weeks and often targeted older men, but the overall potential audience spans the EU, North America, Australia, and Asia, making the total exposure likely in the millions.
Operators behind SYS01 also show a businesslike approach to scaling and monetization. A prime objective is stealing credentials, particularly Facebook and Facebook Business account access, which the attackers then use to create legitimate-looking advertising campaigns. By hijacking valid business accounts, the threat actors can publish new malicious ads that appear credible and can circumvent some automated defenses. This allows the campaign to self-propagate: infected victims yield credentials that fund the next wave of ads. Stolen account credentials and other collected personal data also have resale value on underground markets, turning each compromise into a revenue stream.
Evasion and rapid adaptation are central to the campaign's survival. When security vendors block a detectable loader, the criminals quickly modify the obfuscation and push updated ads with fresh payloads. The layered use of packed archives, obfuscated JavaScript, IonCube-encoded PHP, sandbox checks, and dynamic C2 retrieval contributes to both stealth and resilience. Combined with the use of hijacked Facebook Business accounts to post new advertisements, these tactics make detection and takedown challenging.
Defensive measures focus on user behavior and account hygiene as well as endpoint protection. Users should be cautious about clicking ads, especially those offering free or seemingly too-good-to-be-true downloads, and should obtain software only from official vendor sites rather than third-party file hosts. Enabling two-factor authentication on Facebook accounts and closely monitoring business account activity can reduce the impact of credential theft. Keeping security products updated and using solutions capable of detecting layered obfuscation and malicious Electron packages will also limit success for campaigns like SYS01.
Bitdefender provides an expanded set of indicators and telemetry to customers who require detailed threat-hunting data. For organizations, combining user education, proactive monitoring of advertising channels, and strong account security controls will help blunt this type of malvertising-driven campaign. Read more: https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/