{
	"id": "e9410dcc-e5ea-4e02-ba8c-8f94eb5f640e",
	"created_at": "2026-04-06T00:09:06.072398Z",
	"updated_at": "2026-04-10T03:20:58.230298Z",
	"deleted_at": null,
	"sha1_hash": "a94650068633bac265d2ed34710c16d89f702f32",
	"title": "Facebook Ads Manager Targeted by New Info-Stealing Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1625464,
	"plain_text": "Facebook Ads Manager Targeted by New Info-Stealing Trojan\r\nBy Lawrence Abrams\r\nPublished: 2019-12-02 · Archived: 2026-04-05 17:42:24 UTC\r\nAttackers are distributing an information-stealing Trojan disguised as a PDF reader that steals Facebook and Amazon\r\nsession cookies as well as sensitive data from the Facebook Ads Manager.\r\nOver the weekend, MalwareHunterTeam found numerous sites distributing a fake PDF editing program called 'PDFreader'.\r\nSite promoting PDFreader\r\nThe executables distributed from this site are signed by a digital certificate issued by Sectigo to \"Rakete Content Gmbh\".\r\nhttps://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nDigital signature\r\nVirusTotal detects this Trojan as Socelars, but it also shares characteristics with other Trojans, such as AdKoob and\r\nStresspaint, that also attempt to extract and steal Facebook data from various URLs.\r\nAccording to Vitali Kremez, who analyzed this Trojan, there is not much code similarity between this Trojan and the others,\r\nso it may be inspired rather than evolved from previous infections.\r\n\"That tells it must be a newer (maybe inspired) variant or significantly improved one over the previous generation. 
I assess\r\nthis might be only the beginning of the evolution of this type of malware targeting ad and social media providers,\" Kremez\r\ntold BleepingComputer.com.\r\nTargets Facebook Ads Manager\r\nKremez told BleepingComputer that, when launched, the Trojan will first attempt to steal Facebook session cookies from\r\nChrome and Firefox by accessing the Cookies SQLite database.\r\nOnce the cookie is retrieved, it will be used to connect to a variety of Facebook URLs where information is extracted.\r\nhttps://www.facebook.com/bookmarks/pages?ref_type=logout_gear\r\nhttps://secure.facebook.com/settings\r\nhttps://secure.facebook.com/ads/manager/account_settings/account_billing/\r\nThe account_billing URL will be used to extract the user's account_id and access_token, which will then be used in a\r\nFacebook Graph API call to steal data from the user's Ads Manager settings.\r\nFacebook Graph API call\r\nThe Graph API call used is below:\r\nhttps://graph.facebook.com/v4.0/act_{account_id}?_reqName=adaccount\u0026_reqSrc=AdsPaymentMethodsDataLoader\u0026fields=%5B%22all_\r\nThe stolen data, which consists of session cookies, access tokens, account IDs, advertising email address, associated pages,\r\ncredit card info (number, expiration date), PayPal email, ad balances, spending limits, etc., is then compiled and sent to the\r\nattacker's Command \u0026 Control server.\r\nWith the USA election season looming and state-sponsored actors having abused Facebook ads in the past, it is important for\r\nanyone running political campaigns to know that malware is targeting Facebook's ad infrastructure.\r\n\"Also, I think in light of the upcoming elections and intensified FB campaigns running political messages, this tool is almost\r\nlike an espionage malware looking for possible political narratives (and grabbing account information),\" Kremez 
told\r\nBleepingComputer.com.\r\nTo make matters worse, the attackers could potentially use the stolen Facebook\r\ncookies to access accounts and use them to create their own ad campaigns.\r\nSteals Amazon session cookies\r\nWhile the main focus of this Trojan is to steal data from Facebook, the malware will also attempt to steal session cookies for\r\nAmazon.com and Amazon.co.uk.\r\nStealing Amazon session cookie\r\nUnlike the Facebook routine, this cookie will simply be sent back to the attacker and will not be used by the Trojan to\r\nextract any other information. Once again, if the attacker gains access to a user's Amazon session cookie, they will be able to\r\nlog in as that user.\r\nDistributed via adware bundles\r\nAs the sites promoting the 'PDFreader' program do not have active links that allow a user to download the program,\r\nBleepingComputer investigated how this malware may be distributed.\r\nAfter following the trail of other malware that communicated with one of the PDFreader domains, we found that many of the\r\nrequests to the PDFreader domains came from adware bundles installing unwanted programs such as YeaDesktop or\r\npretending to be copyrighted software.\r\nAs this Trojan is silently executed and performs all its tasks in the background, users will not be aware that anything was\r\ninstalled and will just see whatever adware or copyrighted software was downloaded.\r\nSource: https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/"
	],
	"report_names": [
		"facebook-ads-manager-targeted-by-new-info-stealing-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a94650068633bac265d2ed34710c16d89f702f32.pdf",
		"text": "https://archive.orkl.eu/a94650068633bac265d2ed34710c16d89f702f32.txt",
		"img": "https://archive.orkl.eu/a94650068633bac265d2ed34710c16d89f702f32.jpg"
	}
}