Cybercriminals Are Using Meta's Facebook Business Pages To Market Fake Windows Themes Laced With Password-Stealing Malware

Security researchers are raising the alarm about Facebook business pages that promote fake Windows themes bundled with password-stealing malware.

Unsuspecting users are infected with a stealer dubbed SYS01, which is also distributed through fake installers for pirated games, image-creation tools, and even "One Click Active".

Because the campaign is delivered through Facebook ads, and business pages can reach a massive audience, the information-stealing malware spreads quickly and the damage grows as the campaign scales.

The actors run ads promoting Windows themes, game downloads, and software activation for popular products such as Photoshop. The pages behind the ads are either newly created or existing ones that the actors have hijacked.

When a hijacked page is used, the actors rename it to match the theme of the ads and push the downloads to the page's existing followers. Renaming an established page lets the attackers inherit its audience and engagement, so the fraudulent ads look legitimate and reach far more people than a brand-new page would.

Many of these pages are run by actors based in Vietnam and the Philippines, another report notes, and the actors run thousands of ads per campaign.

Once a Facebook user clicks one of the ads, they are sent to a page hosted on Google Sites or True Hosting that poses as a download page for the advertised content.

Most of these landing pages promote "Blue Software", which claims to offer free software and game downloads matching whatever the ad advertised. Clicking the download button instead delivers a ZIP archive posing as the promised theme.

The user believes they are getting free content; what they actually receive is the SYS01 information stealer.

SYS01 was first documented in 2022, when researchers observed it using a set of executables to pull data from compromised PCs.

Much of the SYS01 payload consists of PHP scripts that create scheduled tasks for persistence and harvest data from the infected machine: browser cookies, stored credentials, cryptocurrency wallets and other sensitive information.
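Because the lure is a ZIP that claims to be a Windows theme, a simple triage step is to check whether the archive contains anything a theme pack never needs: native executables (the PHP interpreter the stealer relies on), scripts, files with double extensions, files whose contents are a PE image despite an image extension, and scripts that reference the Windows task scheduler. The following is an added example written for this article, not code from the page or from any research report it summarizes. The extension lists, the persistence keywords and the sample archives are assumptions constructed for the demonstration; real SYS01 archives may differ in layout and file names.

```python
import io
import re
import zipfile

# Heuristic lists (assumptions for this example, not taken from the article):
# a Windows theme pack ships .theme, .msstyles, images and fonts, never these.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}
SCRIPT_EXT = {".php", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Strings a script would contain if it sets up a scheduled task on Windows.
PERSISTENCE_RE = re.compile(rb"schtasks|Register-ScheduledTask", re.IGNORECASE)


def _basename_ext(path):
    """Return (basename, lowercase extension) for a ZIP member path."""
    base = path.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base, (base[dot:].lower() if dot != -1 else "")


def triage_theme_zip(data):
    """Return a list of (finding, member_path) for a ZIP that claims to be a theme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base, ext = _basename_ext(name)
            if ext in EXECUTABLE_EXT:
                findings.append(("executable", name))
            if ext in SCRIPT_EXT:
                findings.append(("script", name))
            # wallpaper.jpg.exe: second extension hides the real file type.
            if base.count(".") >= 2 and ext in EXECUTABLE_EXT | SCRIPT_EXT:
                findings.append(("double_extension", name))
            with zf.open(info) as fh:
                head = fh.read(2)
            # A PE image ("MZ" header) stored under a non-executable name.
            if head == b"MZ" and ext not in EXECUTABLE_EXT:
                findings.append(("pe_disguised", name))
            if ext in SCRIPT_EXT and PERSISTENCE_RE.search(zf.read(name)):
                findings.append(("scheduled_task_persistence", name))
    return findings


def verdict(findings):
    """Collapse the findings into a single label for a download-time block/allow decision."""
    return "suspicious" if findings else "looks_clean"


def _zip_from(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_sample_zip():
    """Constructed lookalike of a malicious 'theme' archive (not a real sample)."""
    pe_stub = b"MZ" + b"\x00" * 62  # fake DOS header, enough for the check
    return _zip_from({
        "DarkTheme/Dark.theme": b"[Theme]\r\nDisplayName=Dark\r\n",
        "DarkTheme/wallpaper.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "DarkTheme/php/php.exe": pe_stub,
        "DarkTheme/include.php": b"<?php exec('schtasks /create /sc minute /mo 5 "
                                 b"/tn Updater /tr \"php.exe include.php\"'); ?>",
        "DarkTheme/wallpaper.jpg.exe": pe_stub,
        "DarkTheme/preview.png": pe_stub,
    })


def build_clean_zip():
    """Constructed benign theme archive for comparison."""
    return _zip_from({
        "LightTheme/Light.theme": b"[Theme]\r\nDisplayName=Light\r\n",
        "LightTheme/wallpaper.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    })


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample_zip()), ("clean", build_clean_zip())):
        found = triage_theme_zip(blob)
        print(label, verdict(found))
        for kind, member in found:
            print("  ", kind, member)
```

The checks are deliberately cheap so they can run at download time or in a mail/web gateway before the user ever extracts the archive; a hit on `executable` or `scheduled_task_persistence` inside something sold as a "theme" is enough reason to quarantine it and pull the originating ad's landing page for a closer look.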

The malware also uses the victim's Facebook session cookies to pull account details such as name, email address, birthday and phone number.

This information is sold on to other criminals who can take over the victim's accounts, while the Facebook data in particular is used to hijack further pages and seed new malware campaigns.

In a separate recent case, Bitdefender warned of threat actors hijacking Facebook pages with millions of followers to impersonate well-known AI projects, then using them to push data-stealing malware at those audiences.
