NodeStealer New Python Variant Puts Facebook Business Accounts at Risk

Researchers recently uncovered a new and lethal variant of the NodeStealer malware, coded in Python. This malicious software is capable of infiltrating Facebook business accounts and accessing sensitive data, including cryptocurrency.

Palo Alto Networks Unit 42 detected this previously undocumented strain during research that began in December 2022. While there is no evidence of active exploitation at the moment, the potential risks are significant, as attackers could exploit the stolen credentials of both individuals and organizations.

NodeStealer and Their Attack Methodology

NodeStealer, initially exposed by Meta in May 2023, is known for its powerful stealer malware capability of harvesting cookies and passwords from web browsers, compromising Facebook, Gmail, and Outlook accounts. However, the recent variant shows a dangerous twist as it operates in Python, making it even more challenging to detect and counteract. This new version poses a great risk to victims, as it not only targets Facebook business accounts financially but also steals browser credentials to launch further attacks.

The NodeStealer attacks are initiated through fake messages on Facebook, luring users with promises of free “professional” budget tracking Microsoft Excel and Google Sheets templates. Unsuspecting victims who fall for the scam unknowingly download a ZIP archive file hosted on Google Drive, which contains the stealer executable. Once the malware is executed, it begins to capture crucial Facebook business account information.


This Python variant of NodeStealer is not limited to stealing data from Facebook business accounts alone. It is also programmed to download additional malware, such as BitRAT and XWorm, in the form of ZIP files. Moreover, the malware uses a User Account Control (UAC) bypass technique, leveraging fodhelper.exe to execute PowerShell scripts for downloading the ZIP files from a remote server. This method allows attackers to gain elevated privileges over the infected hosts.

Crypto and Identity Theft by NodeStealer

In addition to targeting Facebook business accounts, the NodeStealer variant incorporates crypto theft capabilities by using stolen MetaMask credentials from Google Chrome, Cốc Cốc, and Brave web browsers. This feature enables attackers to access cryptocurrency from the victims’ wallets. Furthermore, the malware goes beyond data theft by implementing anti-analysis features and parsing emails from Microsoft Outlook in an upgraded Python variant. The most alarming aspect is the malware’s attempt to take over associated Facebook accounts entirely.


How to Address this Risk?

As this new variant poses a substantial risk to both individuals and organizations, cybersecurity experts emphasize the importance of taking immediate action to protect sensitive data. For Facebook business account owners, adopting strong passwords and enabling multi-factor authentication is vital to boost security. Additionally, educating organizations about phishing tactics and modern targeted approaches can help prevent potential breaches.

The discovery of the Python variant of NodeStealer highlights the ever-evolving landscape of cyber threats and the need for constant vigilance in the face of sophisticated attacks. By understanding the attack methodology and potential consequences, individuals and organizations can take proactive measures to safeguard their data. As cybercriminals continue to evolve their tactics, it is essential to stay informed and implement robust cybersecurity measures to protect against malicious activities.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

Zero-Day Vulnerability Discovered in Chrome; Google Issues Emergency Update

Major Phishing-as-a-Service Syndicate ‘BulletProof Link’ Dismantled by Malaysian Authorities

Credentials for cybercrime forums on roughly 120K computers infected with information stealers

Meduza Stealer: A New Cybercrime Targeting Passwords and Crypto Wallets