Hacking

NodeStealer 2.0: New Techniques Target Facebook Ads and Credit Card Data

Published  ·  3 min read

Security researchers are raising alarms about an updated version of the Python-based NodeStealer malware. This iteration not only harvests sensitive information from Facebook Ads Manager accounts but also extracts credit card data stored in web browsers.

"They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," said Jan Michael Alcantara, a Netskope Threat Labs researcher, in a report shared with The Hacker News.

The malware now incorporates several new features, including:

  1. Windows Restart Manager to unlock browser database files.
  2. Addition of junk code to obscure its true functionality.
  3. Use of batch scripts to dynamically generate and execute Python code.

NodeStealer’s Evolution

Initially discovered by Meta in May 2023, NodeStealer began as JavaScript malware. It later transitioned into a Python-based tool designed to hijack Facebook accounts, primarily to take over advertising and business accounts.

Researchers believe NodeStealer is developed by Vietnamese threat actors, known for targeting Facebook business accounts to facilitate malvertising and other malicious activities.

Latest Targets: Facebook Ads Manager Accounts

According to Netskope, the newest versions of NodeStealer aim to:

  1. Collect account budget details via the Facebook Graph API.
  2. Generate access tokens using cookies from compromised machines to log into Facebook Ads Manager.

Alcantara noted:
"We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API."

Interestingly, NodeStealer includes geofencing techniques to avoid infecting devices in Vietnam, likely to evade local law enforcement.

Data Exfiltration via Telegram

The malware uses Telegram to exfiltrate stolen data, showcasing the persistent use of messaging platforms by cybercriminals.

Additionally, the malware exploits the Windows Restart Manager to unlock SQLite database files, potentially containing credit card data.

Facebook Malvertising and Beyond

Malvertising campaigns on Facebook, impersonating popular brands, are a lucrative pathway for spreading malware. One campaign, starting November 3, 2024, mimicked the Bitwarden password manager software to distribute a rogue Google Chrome extension via sponsored ads.

Bitdefender reported:
"The malware gathers personal data and targets Facebook business accounts, potentially leading to financial losses for individuals and businesses."

Phishing Campaigns and ClickFix Technique

The NodeStealer threat coincides with a surge in phishing campaigns deploying malware like I2Parcae RAT. These campaigns exploit techniques such as:

  1. Using contact forms and invoice-themed lures.
  2. Fake CAPTCHA pages urging victims to execute malicious scripts.

The “ClickFix” technique, highlighted by Proofpoint researchers, has become a popular method to bypass security controls. This technique manipulates users into infecting their devices by executing malicious code themselves.

"What's insidious about this technique is the adversaries are preying on people's innate desire to be helpful," said Tommy Madjar and Selena Larson.

 

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067